2014 was the year that the Internet of Things (IoT) reached the “Peak of Inflated Expectations” on the Gartner Hype Cycle. By 2015, it had only moved a tiny bit, towards the “Trough of Disillusionment”. We’re going to try to push it over the edge.
Depending on whom you ask, the IoT seems to mean that whatever the thing is, it’s got a tiny computer inside with an Internet connection and is sending or receiving data autonomously. Put a computer in your toaster and hook it up to the Internet! Your thermostat? Hook it up to the Internet!? Yoga mat? Internet! Mattress pad? To the Intertubes!
Snark aside, to get you through the phase of inflated expectations and on down into disillusionment, we’re going to use just one word: “security”. (Are you disillusioned yet? We’re personally bummed out anytime anyone says “security”. It’s a lot like saying “taxes” or “dentist’s appointment”, in that it means that we’re going to have to do something unpleasant but necessary. It’s a reality-laden buzzkill.)
In particular, we’re going to focus on the security of the networked autonomous computer that’s inside the thing and how it reacts with the real world that it’s been thrust into. Now, we’ve already got a word for autonomous computers hooked up to the Internet, and that’s “server”. So what the IoT revolution is really doing is putting servers into toasters. Or worse, the IoT is putting servers in your father-in-law’s toaster.
Let’s use two pairs of archetypes: the neckbeard and the father-in-law to represent the extremes of the spectrum of computer security savvy, and the toaster and the server representing different levels of connectedness and corresponding need for network security. You can already see how this is going to play out: the neckbeard belongs with the server and the father-in-law with the toaster. Giving the simple toaster to the neckbeard isn’t so much of a problem, but it gets bad when the father-in-law has to care for the server.
This is the intrinsic problem with IoT. We’re disguising servers as toasters and handing them off to metaphorical fathers-in-law. What’s the worst that could happen? Let’s start by asking the FBI.
The FBI, IoT and Cybercrime
IoT security is starting to become a serious enough issue that the FBI issued an alert on IoT crime “opportunities” in early September. The alert starts off by explaining that adding servers to toasters greatly enlarges the attack surface for “malicious cyber actors” and points out many of the most common IoT security vulnerabilities. They also offer extremely reasonable remedies to close many of the vulnerabilities.
The FBI gives a big mention to Universal Plug and Play (UPnP). The great thing about UPnP is that it enables automatic discovery and remote configuration, so that devices that use UPnP are easily accessible to the other computers within the local network. In particular, for Windows users, this is the magic wand that the “Add Device” wizard relies on to cast his spells.
The worst problem is that UPnP devices often trust whoever is configuring them by default, and this trust can be abused to essentially punch a hole through your firewall. There are many other issues with UPnP, and this report by security firm Rapid7 is an essential read.
So UPnP, on outward-facing devices, is a foothold to compromise the rest of your network. It’s no wonder that the FBI wants you to shut it off. Assuming that you’re able to turn UPnP off, this means configuring all of your new networked IoT devices by hand, without the help of the wonderful wizard. Other suggestions on the FBI list include changing default passwords, keeping up with “current best practices” for home WiFi security, and updating IoT devices with patches “when available”. (“If available” sounds a little bit less naïve.)
Anyway, the FBI’s list is great advice for neckbeards. Our father-in-law hears about applying patches and picks up a needle and thread. This is all over his head, which means the toaster goes unpatched with a faulty UPnP implementation enabled despite the FBI’s best intentions. The criminals come in through the toaster, take over the printer, and then springboard over to our mother-in-law’s yoga mat which spends the rest of its life sending spam e-mail.
Cybercreeps and Baby Cams
We’re sure that you’ve all heard about the couple of cases of people getting their Internet-connected baby monitors and cameras owned by asshats who would then shout at the baby or harass the mother? In at least one case, the problem was that the owners hadn’t changed the monitor’s default password, which can be found with a quick web search. Not changing default passwords is a common father-in-law security threat.
For the record, Foscam, one of the first baby monitor vendors hit, has since done the right thing and gotten rid of the default password entirely. (As have many of the router manufacturers who’d been plagued by default admin passwords over the last decade.) But fixing security flaws across multiple vendors is like playing whack-a-mole: a new problem pops up every time another one gets hammered down. Otherwise, after two years of hot press on the security of baby monitors, you’d expect that Rapid7’s “Ten New Vulnerabilities for Video Baby Monitors” would be a shorter whitepaper.
What can be done? This article from Sophos Security on securing your baby monitor, just as with the FBI’s report, suggests that you lock down your home network, implement security best practices, and choose unique and complex passwords. Again, this is all true but not exactly father-in-law-friendly advice. And what’s patently obvious is that none of the “fixes” are actually directly related to the IoT device itself, but rather good housekeeping tips for neckbeards.
Your Fridge is Leaking (Your Gmail Password)
This summer’s DEF CON also included an IoT Village that had its own mini-track of talks. In one talk, fourteen IoT home automation devices were investigated and they (mostly) got owned. Some of the attacks involved getting into the device on a physical serial console, which we take as less of a concern than remotely-exploitable flaws. On the other hand, digging through the device locally helps one to find issues that may be remotely abused, so local access shouldn’t be disregarded out of hand.
Aside from talks, the DEF CON IoT village also had a Samsung IoT fridge sitting around that anyone was free to start hacking on. Within one day of work, these guys had an exploitable angle on the fridge.
The fridge was brilliant; you wouldn’t ever have to put up reminder notes on the fridge door because the fridge had a built-in display that synced automatically with your Google calendar. Only, the fridge didn’t bother to verify the SSL certificates that it got when calling up the Goog, which means that an eavesdropper could man-in-the-middle your fridge and get your Google credentials. If you don’t think that stealing your Gmail account password is bad news, think about the password-reset procedure at your bank, and how they send you the new password.
And with the fridge, no amount of neckbeardly network good housekeeping would save you. The problem lies in the fridge’s internal mini-server itself, or at least the software that it’s running. Your father-in-law either has to patch the software when the upgrade comes out, or live with the consequences.
What to Do?
If the IoT hides a server inside a toaster and hands it to your father-in-law, what can be done? Leaving the responsibility for securing the device and the home network in his lap is hardly fair because it’s not something he’s good at, and there’s really nothing he can do about flaws in the vendors’ security implementations. We’ll have to look elsewhere.
Creating perfectly secure IoT devices would be a start. Then follow that up with perfectly secure cloud services to connect them to, add in perfectly secure mobile apps to control them, and ensure that all communications between all of these are perfectly secure. Perfect! In theory.
In practice, there are always going to be flaws and patches. The security vulnerability footprint gr0ws as you add more computers of different types to a home network. Here’s a simple solution: don’t put the server into the toaster in the first place, and if you do, make it easy to take the things off the Internet.
That’s not as much of a Luddite position as it might sound. Indeed, this Register article claims that none other than Eugene Kaspersky, founder and CEO of a prominent anti-virus and firewall software company, thinks that’s the way to go. More specifically, he suggests air-gapping networks that have access to the Internet and the baby monitor. That is, maintain two networks in the home that don’t connect at all through any device: one network for your baby monitor and other home IoT appliances, and an entirely separate and unconnected network that connects to the Internet. After all, that’s what more security savvy institutions like the US military do with their systems.
Air-gapping dual networks is a simple enough procedure that even a father-in-law stands a chance of being able to follow, and the only additional cost is a second WiFi router. The toaster can still talk to the fridge, but neither of them can talk to the Internet and its cybercriminals. But if your father-in-law is the kind for whom two independent, air-gapped home networks sounds like too much, or if he really, really needs Internet connectivity for his toaster, you’ve got one last hope.
Shut it Off
IoT devices need a physical Internet-off switch with local control overrides. Part of the promise of the Internet of Things is that the physicality of things meets the ethereality of the Internet, so why is it that the security configurations of all of these things are on web pages? They need a button! When the Internet-connected baby cam starts shouting obscenities at Junior, a single button press kills the monitor’s connection to the outside world. Or for the privacy-conscious, a small switch on the side of the Nest could turn off all information-sharing with Google.
If we’re going to embody the Internet in our appliances, they should have physical analogs to the kind of security controls that they should also have online, and starting with the crudest on-off switch is as good a place as any. To quote from the FBI’s report: “Consumers should be aware of the capabilities of the device and appliances installed in their homes and businesses”. Nothing says “aware of capabilities” like a physical switch that lets you turn that capability on and off. Otherwise, our father-in-law is fooled into thinking that the internal server isn’t there, and that the toaster is just a toaster.
(We got the inspiration for this radical solution from this talk on IoT and our surveillance society that goes much further in the direction of protection of personal privacy than device security. It’s a good read, and some of [Maciej Cegłowski]’s six fixes may also be relevant for security, but the Internet-off switch is the most obvious.)
Have we gone too far? Or not far enough? Are you disillusioned about the coming ubiquity of IoT devices yet? Any other ideas about making the control of security parameters of the server inside the toaster more father-in-law-friendly?