Recently a client wanted to introduce a new type of presentation gateway. These devices provide a means of making audio-video presentations via Wi-Fi. The user logs in to a website provided by the presentation gateway instead of plugging in a video cable. It would solve the problem of having to provide all kinds of different cables to connect laptops and tablets. A quick search on the internet revealed a set of vulnerabilities complete with exploits.
The internet of things or the internet of everything?
People are increasingly relying on IoT-devices, without realizing that these gadgets can cause consumers to be extremely vulnerable to security breaches. In 2012 Mattijs van Ommeren, Principal Security Consultant at Nixu, illustrated that many vulnerabilities could be demonstrated in Network Attached Storage devices (NAS). For example, it was child's play to retrieve passwords or even change them, gain unauthorized access to the files on the disk, or take over the entire operating system. And although we are seven years on, things have not improved much.
Van Ommeren explains that it doesn't really matter what kind of IoT-device you choose, primarily because from a technical perspective, all IoT-devices are quite similar. Whether it is a security camera, baby monitor, or smart watch. By default, the devices attempt to aggressively establish a connection with the cloud. Via this connection to the internet, security cameras are easy to use remotely. The downside of this is that this connection potentially opens the door to the user’s home network for other devices, which in the best case is, for the supply chain, and in the worst case, for the whole world.
A number of parties are involved in the development of electronics. A device is often developed and produced by a different party than the supplier mentioned on the label. The production culture is one of disposable nature in which the cost price and the price for the consumer are kept as low as possible. As a consequence, the production chain is fragile and suppliers are interchangeable.
Things often go wrong during the development phase. The Norwegian consumer association has conducted research on this topic via the company Mnemomic, which has examined "smart" watches for children. Results showed that the watches all have multiple vulnerabilities. For example, a malicious person can quite easily find out the exact location of a child of even establish a conversation with the child via the device. This is a good illustration of what the entire IoT-landscape looks like. It is the result of a service sector that supplies IoT-equipment: everything must be as cheap and fast as possible. The time-to-market and price competition result into a poor climate for security in general.
Luckily, there are possibilities to make IoT-devices safer. Why is it that there is no effort put into establishing this? Is it because customers are not demanding it? Or is it simply ignorance? With regard to suppliers, for example, it is common practice to conduct thorough product selection research into raw materials and suppliers, for example by looking at ISO, RoH, CE and other standards. However, for safety in the digital domain standards have yet to be established. It is therefore important that you, as an IoT-supplier, set security requirements for suppliers and SLA agreements for solving security problems. Implement a Coordinated Vulnerability Disclosure policy so that when researchers find a vulnerability, they can land it correctly. In addition, have security tests carried out periodically to monitor the chain.
In short, an IoT-device is a small computer that potentially opens your home network to the entire world. IoT-suppliers are not software engineers nor are they security experts and such devices have a very limited lifespan. The verdict is out as to whether this is really what the consumer values.
Mattijs van Ommeren is Principal Security Consultant at Nixu. He has spent most of his career as an information security consultant, both on the offensive as well as the defensive side. Mattijs has a special interest in process automation and industrial systems. Over the years he has discovered numerous vulnerabilities in RTUs, process controllers, industrial firewalls and other equipment. Industrial sensor networks currently have most of his focus, as this is still mainly unexplored terrain.