They’re on the rage right now, smart devices that we typically refer to as the internet of things. Everything and anything can now be a smart device including, appliances, homes, medical devices, manufacturing, and even fish tanks. They provide convenience in our lives but now come at a security price. Each and every device in your home is a security vulnerability. It is reasonable to assume that each device was developed to protect your data, however this is not the case. Often these smart devices which become part of the internet of things (IoT) are developed with the minimum necessary to function, with security a mere afterthought.
IoT Products and Lack of Security
Businesses often would like to be the first to market with an invention, so there is a surge of interest when a sleek product is presented to investors. The business model with IoT products often revolve around continued streams of income after a product has been sold to the customer. This often looks like a subscription for data, parts or accessories. Businesses and investors are excited by these products and neither one considers the security of their customers or the general public when pushing these products on to the market. The burden for security in IoT products is on manufacturers, network carriers, and enterprise clients. With three actors involved, streamlined security can be harder to implement than you think.
Common Security Flaws in IoT Products
For the last two years the IoT Village has been held at DEF CON where the event invites hackers to break into IoT business and consumer products. The first year revealed 113 critical vulnerabilities that were accessed with relative ease. The second year an additional 47 vulnerabilities were identified. It can be expected that this year little to no progress has been made on security in IoT. Often hackers use IoT products to gain access to the networks the products live in.
Poor Design Decisions
Some of the vulnerabilities identified could be categorized as simply really terrible design decisions. These included the use of hard-coded passwords. Hard-coded passcodes present an issue because the source code often ships with the product. Any hacker would know how to disassemble the firmware in order to access the passwords. These are often in a product for a streamlined development process but are left in the product during final production. This happens across many devices and in some cases could give complete control to a remote hacker to the whole network.
Among IoT products hackers continue to find coding that allows for command injections. In these cases content is dynamically generated on an interface. Skilled hackers can intercept these command injections and have an IoT device execute malicious code. Code injection allows for one of the widest ranges of attacks on a network.
Often IoT manufacturers ship products with a default password for users to initially access the products software capabilities and connect it to the network. This sounds fine on the surface but after the initial setup, no one really ever changes that password. Malware that use botnets to take control of devices often take advantage of this human error to control any smart devices on a network. Manufacturers do not attempt to make it mandatory to change the password before use.
So far security is still not a priority for IoT manufacturers at any point along the product development process. Some of this can be attributed to lack of knowledge, but much of it is pressure to get to market. It is of concern that at the DEF CON event the number of vulnerabilities increased without any improvement. There has been attempts by governments to develop IoT cyber security regulation. However cyber security experts have claimed that the approach is not good enough. Given the lack of speed at which the industry is moving in regards to security, it seems regulation is the only thing that will move it forward.
The IoT industry is very young and is vulnerable in a hostile cyber world. There needs to be a coordinated effort between manufacturers, network carriers, and enterprise clients. This article had an emphasis on manufacturers and their need to practice security by design. Do you think that the IoT industry will make any progress on cyber security by the end of next year?