Wednesday, April 1, 2015

IoT Security Fail

So I am not a huge fan of the whole Internet of Things movement that is going on right now, mostly due to the recent lack of any real security or thought of security being placed into these IoT devices. A more accurate name for the IoT would be the Internet of Insecure Things (IoIT). Recent (or not so recent) news of consumer home wireless access points and routers being compromised and used for various botnets are one example of this concern, and this is just one small example. Home routers, thermostats, IP cameras, VOIP phones, DVRs, smart TVs, etc, all things that can contain embedded firmware of now outdated or obsolete libraries that are exploitable. And if they are not exploitable, great, there is probably just some hard coded admin user and password in the device or another debugging backdoor that was forgotten to be disabled.

'Junk Hacking' is a term I like that is used to describe people finding exploits in these devices, it seems every week there is some new little embedded device that has a vulnerability. Stop. When these stories break, everyone always seems to be surprised that there is a backdoor or other exploit on IoT device N. Really?! Of course there was a vulnerability on it! I would have only been surprised if there wasn't! I go by the opinion that every device is vulnerable. Proving me correct is not difficult, proving me wrong on the other hand would actually be impressive.

Now sure, most of these devices (with exception to the router itself) will live on a home private network and all have private ip's assigned by the routers DHCP server, so risk to them should be very minimal even if they are vulnerable in some way or another, although wireless devices are an exception. Some vulnerabilities require physical access to the device as well, which imo is not really a vulnerability (anyone can re-flash devices if it's physically in your hands ). That said, it is amazing how many of these devices end up being publicly accessible on the internet, either on public ips themselves or port forwarded to private ips. Not excluding commercial and industrial devices as well, they are also exposed everywhere. Everything is just hanging out waiting to be poked at. Having convenience over security seems to be the norm.

Favoring backwards compatibility is another issue that needs to be overcome. 'Well, it needs to work on IE6!' No, actually it doesn't, and it definitely shouldn't. This mentality needs to go away. Software goes obsolete for a reason, and that is because it's usually broken. This rule needs to be enforced by all.

The wireless side of things is the same story. Wireless ISM band mesh devices are the new hotness with everything communicating over ZigBee, Z-Wave, or other protocols. You don't need to look hard or far to find known vulnerabilities in these protocols or tools to sniff these networks. While sure, newer devices will have updated firmware with possibly better encryption and security, what about all of the existing devices in the wild?

While manufacturer of devices intentions may be good to keep devices secure and up to date, the real result of these devices is that none of them actually are. The OpenSSL vulnerabilities that occurred last year and recently are an example of these concerns. How many of these devices are still running an old version of OpenSSL? Probably most, unless of course you have updated your firmware, which I know usually never actually happens. This is assuming new firmware is even available.

This issue of updating these home devices to keep them up to date ends up being your (the consumers) responsibility. Manufactures are more than capable of having their devices auto update when new firmware comes available, but the risk and cost would be too high in doing so. The day that the device auto updates and becomes a brick because of a mistake is just too high, especially if it happens to thousands of devices. Manufacturers could of course design in fail-safes to prevent this, things like dual flash memories for running and updated configs allowing a rollback option, but this would of course increase costs. Plus manufactures don't want to have to support their own devices, that is just additional cost.

So the result is it is your responsibility as the consumer to make sure your device stays up to date. I'm not okay with this, but you have no choice. The alternative is to not use the device, if it isn't on, it is not vulnerable. The real issue falls onto the larger portion of the population that doesn't really know or understand, or care to know or understand security, networking, or recent CVE listed identifiers that come out, not to mention understand the actual details of the vulnerability. It is this group of the population that results in everything being at risk, but I don't believe they should be held responsible. Maybe manufacturers should be responsible for the security and patching of their own devices. Maybe they should not be designed so insecure in the first place.

So what is the solution? Should manufacturers be more security minded and allow automatic updates to all IoT based devices? Sure, that would be a good start. Putting any actual thought and time into security in the first place would be another great idea. Having anyone who actually knows anything about security audit your product before production would probably catch a lot of the really stupid mistakes. Another thought would be to not make every device IoT enabled if it doesn't half to be in the first place. Just because something could be internet enabled doesn't mean it should be. I'm pretty sure I have been hearing news of internet enabled refrigerators for over 10 years now, even seen one or two in some stores. Everyone thinks its neat and cool and somehow it will be useful as it solves a problem that doesn't exist. I just know it will be end up being another vulnerable device.