I recently received an IoT device for review. The product in question was a very simple device meant to control lighting. What should have been a no-brainer, turned out to be an exercise in frustration, when the associated app had zero concern for usability and refused to function beyond the wireless network (thereby drastically reducing the functionality of the device). This experience immediately had me considering the nature of security with IoT devices. It took me very little time to draw the conclusion that most IoT developers and manufacturers need to go back to the drawing board.
Although the answer (and the solution) to that is quite simple, the likelihood of the solution being implemented isn’t. Let me explain.
Most developers of IoT devices are doing one thing very, very wrong; this thing they are doing happens to be the cause of the rising malware attacks against the devices they are producing. What it is they are doing wrong is using out of date kernels for their devices. We’re talking unsupported legacy Linux kernels. Couple this with the fact that many IoT devices aren’t even equipped for kernel updating (thanks to a lack of temporary swap space that would enable such a thing) and ship with default usernames and passwords (which cannot be changed) and you have the makings for a convenient platform ready for malicious attacks.
What this means is that those devices need to be placed behind well protected networks that block access from the outside world. That is not a solution to this ever-growing problem.
Back to the lighting controller
This brings me back to the lighting controller I was asked to test and help improve. While attempting to get it to work, I wondered what was going on in the software stack of the platform and why did the developers make it such that it wasn’t usable beyond the wireless network for which it was attached. Was this by design? If so, was it done so in the name of security? Consider this: If I were able to use the associated app (for the lighting controller) outside of my LAN, wouldn’t that also mean that anyone (with the right skills) could possibly gain access to the device and, in turn, gain access to the other devices on my LAN?
Shortly after receiving that piece of hardware, I was sent a Bluetooth-enabled deadbolt that could be installed in a door and then opened with either a passcode or from within the associated mobile app. This particular device does not attach itself to the LAN, so there is no chance of anyone hacking their way into a network, by way of the deadbolt. However, we are talking Bluetooth, a technology that can be hacked (bluesnarfing anyone?). Any ne’er do well with the required skills could gain access to the device and, in turn, my home.
This is where IoT gets a bit ominous. The very nature of IoT devices promises a convenience unlike anything we have ever experienced. That word, convenience, comes with quite a bit of baggage. End users want an experience that doesn’t require much setup on their end. They don’t want to have to deal with updating such devices, or creating administrator passwords. Instead, they want to take the device out of the box, plug it in, and have it work. Manufacturers know this and plan accordingly. To that end, every IoT is made vulnerable and that, my friends, rests squarely on the shoulders of the manufacturers.
What can they do?
You might be surprised at my solution for this. One corner many manufacturers cut is in the operating system. Because the Linux kernel is well-versed for such devices, it makes perfect sense to use it. Not only does it work well, it’s cost effective.
But is it, really?
Let’s say that an IoT device does ship with an updated version of the embedded Linux kernel. Although upon first release, that kernel may be secure, given the rate at which malware attacks are rising, it will very shortly be vulnerable. When was the last time your IoT device updated its firmware? The only IoT device I own that regularly (and automatically) updates is Amazon Echo. The frequency of the updates has yet to be determined, but I’ve noticed a few instances when weekly updates were applied. These updates apply new features as well as patch security vulnerabilities. Amazon gets it. Another (un)stellar example of this is my current modem. The installed firmware on this particular device was released in September, 2016 and has yet to be updated. A number of vulnerabilities have been discovered since 9/2016. This is not acceptable. Most IoT devices do not update with nearly the regularity as does Echo. What’s really surprising (to me) about this is that the devices do not alert the user they have been updated.
What should be happening is that users are sent an email to alert them of the update and what changes were made to the firmware. They may not understand 90% of what is said, but they can at least get confirmation that the updates are happening; otherwise they are left in the dark and have no idea if their devices offer a modicum of security, through updated firmware. If said user hasn’t received an update email in a while, they might get curious and contact the company to question the inaction.
Empower the devices for better and more frequent updates and empower the owners with information.
So yes, the immediate solution to the current IoT problem is updates–frequent and informed updates. These devices should also be publishing security bulletins, such as those released by Google (for Android) and Apple (for iOS). Every single IoT device manufacturer should be publishing similar updates for their devices without fail.
IoT at a crossroad
The world of IoT is at a serious crossroad. As more and more devices are deployed and more attacks occur, the manufacturers must place a significant priority on security. To assume an insecure device is safe behind a secured network is a massive false positive OEMs depend upon.
Yes, manufacturers and developers, this is on you. It is time you went back to the drawing board and retool your devices and software with a keen eye on security. Until then, IoT is going to continue to be hammered by malicious attacks that will further sully your reputation.