IoT Security Challenges and Concerns
In October of 2016, the largest denial-of-service cyber attack in history against Domain Name System (DNS) provider Dyn disrupted popular Internet services—including Netflix, Twitter, and Amazon—for millions of Americans and Europeans. Subsequent investigations would determine that the attack was a botnet coordinated through a large number of Internet of Things-enabled (IoT) devices, including cameras, residential gateways, and baby monitors, that had been infected with Mirai malware.
Worrisome events such as these have led security experts to conclude that the Internet of Things poses a fundamental threat to the security and safety of the Web. This article seeks to answer some of the questions surrounding the IoT, such as where do we stand right now, what are the fundamental problems with IoT, and finally, what type of security countermeasures can we expect to see as a response.
One quality of IoT devices that presents the potential for trouble is that they are always listening. For instance, if you have an Amazon Echo or Echo Dot in your home, uttering the word "Alexa" brings the device to life so it can respond to your requests and commands. Besides presenting an open invitation to malicious parties, all that listening could perhaps infringe on personal privacy or be used against you by law enforcement. Luckily, there are ways to stop your IoT devices from listening. In the case of Echo or Echo Dot, you can push the microphone button on top to turn the microphone off. Doing so will illuminate both the ring and the button in bright red to let you know it is not listening. Moreover, Amazon also lets you review and delete things you've said to Alexa. Although such features provide the user with control over his or her privacy, with more and more such devices infiltrating our lives, there is a significant burden being placed on individuals.
Even as the potential for security breaches increases with every new IoT device, manufacturers' incentive to rush products to market without thinking through the privacy and security implications has not changed with the times. The result can be equally bad for consumers and businesses alike; customers who buy these devices in good faith, only to wind up victims of a breach, often wind up filing a lawsuit against the manufacturer. In turn, the plaintiff's own (recorded) words may be used against them by the offending company in the courts!
A Silver Lining?
Hackers are not the only parties interested in IoT recordings. Arkansas police recently succeeded in obtaining details of a murder suspect from Amazon, based on a recording from Echo. Might it provide some solace to people knowing that someday their voice-activated IoT services may help solve their own murders one day? Not likely.
Poor or Non-existing Security Features
Voice-activated devices are certainly not the only weak link in the IoT chain. Many IoT devices suffer from weak security, opening up a lucrative avenue for hackers. One particular type of attack of late has been ransomware. That's a type of malware that installs covertly on a victim's device and then either encrypts the victim's data or transfers it to the hacker's server. The user then has to pay the hacker to either decrypt the data or refrain from leaking sensitive information to the public. In 2016, more businesses than every before fell prey to ransomware-wielding criminals, choosing to pay off their attackers in seventy percent of cases.
Security Experts Unite
Not surprising, the Dyn cyberattack was a massive wakeup call to security experts worldwide. Earlier this year, a panel of experts gathered at the annual RSA Conference in San Francisco to discuss potential IoT threats. Topics raised by the panel led one cryptography expert to draft a paper that showed how a single smart light bulb could infect a smart city with malware in minutes.
There was also a general consensus among the panelists that machine learning is more likely to hamper security rather than bolster it. The problem, according to one expert, is that finding "new zero day [attacks] requires ingenuity," something that is not the strong suit for machine learning. It's far more "useful in comparing behaviors and finding deviations and warning about them," he explained.
All-in-all, recent events like the Russian hacking related to the U.S. presidential election has only confirmed experts' belief that the fight against cyber threats is far from won.
What Developers Can Do
So the question is: What can be done to prevent Internet of Things devices from being compromised by malware, and what steps can be taken to help ensure that devices connected to a network are secure? Here are some best practices to help improve IoT device security:
- Force the Setting of Strong Passwords: If your device uses a password, include coding that forces a highly secure password along with efforts to change it regularly. The reason should be apparent; an attacker can easily employ a tool to scan the Internet and look for open ports—especially ports 22 and 80—and try a brute force login using common credentials. To prevent this, always include some robust password management functionality.
- Include Checksums: Be sure to include checksums and other measures in your device that will allow for it to check if something has been installed or has changed the programming in an unexpected way. Also, include the ability for the user to reset and/or update firmware if needed.
- Disable Universal Plug n' Play: Many IoT devices have Universal Plug n' Play (UPnP), which automatically opens virtual ports. These make the device discoverable on the Internet and, thus, vulnerable to malware infection. Also, disable any and all code not needed by the device (for example, "dead code").
- Provide Timely Device Updates: To keep devices secure, make sure updates and device patches are pushed to IoT devices in a timely fashion so that they are always current and running the latest (and most secure) code.
We are living in fascinating times. Whereas the nineties and early 2000s saw people becoming more connected via the Internet, now, advances in AI and processing power are ushering in a new era of inter-connected devices. The risk posed by these rapid advancements is that we have never faced a greater danger of large-scale theft, disruption, and even catastrophe. Even though the politicians lag behind in trying to enact policies and laws to deal with emerging cyber threats, the burden of protecting our data falls squarely on our shoulders, whether we produce or utilize IoT devices.
Rob Gravelle resides in Ottawa, Canada, and has built Web applications for numerous businesses and government agencies.
Rob's alter-ego, "Blackjacques," is an accomplished guitar player who has released several CDs. His band, Ivory Knight, was rated as one of Canada's top hard rock and metal groups by Brave Words magazine (issue #92) and reached the #1 spot in the National Heavy Metal charts on ReverbNation.com.