The internet of things isn’t trying to kill you

The Nest thermostat was not part of the massive DDoS attack

This weekend it felt like the entire world woke up to the issue of IoT security. Ironically it wasn’t the hacked door locks or threats of a light bulb being taken over that sparked massive conversation and coverage. Instead it was someone using an army of connected devices to attack Dyn, one of the companies that provides the address book for the internet.

The result was that Twitter, Amazon, Reddit and Spotify all struggled with intermittent access. But these attacks require perspective more than panic.

Want to know if your devices are compromised and what to do if they are? I wrote about it here.

There are two issues here. The first is that we have a pretty binary concept of security where something is either secure or it isn’t. That idea doesn’t actually allow for the complexity of the types of attacks that can exist online and with connected devices. In this attack, the issue was powerful computing devices that connected directly out to the internet, with hard-coded passwords or unchanged default passwords.

Hackers using source code available on the internet started scanning for these devices and took control of them easily because the passwords were easily accessible. It was easy to take them over and automate a process by which each compromised machine sought out more machines to compromise. These distributed denial of service attacks used connected devices as the “battering rams” to beat at Dyn’s servers.

But this leads directly to the second issue. While news stories blame this on the internet of things, your light bulbs or refrigerators are unlikely co-conspirators in a botnet. In part that’s because many home connected sensors and other devices work through a hub. They don’t connect directly out to the internet, opening a port that hackers can exploit.

The other reason is they don’t have the raw computing power necessary to do much damage in a denial of service attack.

Security researcher Brian Krebs has discovered that the most common devices used in the attacks were IP cameras, routers and networked DVRs. There were also some printers thrown in there. This is hardly a representative sample of the internet of things. It feels like a minor quibble, but if we’re trying to talk about securing the internet of things we have to understand what we’re defending against (in this case, DDoS attacks) and what the culprits are (powerful computers with a direct connection to the internet).

Andy Ellis, the chief security officer at Akamai, suggests that hubs might be the best way to prevent all of your devices from talking directly to the internet while still ensuring offline functionality. This is, of course, after doing away with the hard-coded passwords that the current generation of botnet software is targeting.

Nathan Smith, the CTO at Wink, a smart home hub, echoed that opinion.

“These cameras and routers are getting taken over because they are accessible through ports instead of going through a cloud and getting access to your data,” Smith said. “You are basically opening a window to the home network over a port, so the architecture at the most basic level is what is at fault here.”

But hubs aren’t the only security precaution. I asked several of the companies with popular brands in the connected home about their security procedures. For example, companies like Nest, SmartThings, WeMo and Wink all monitor devices in the field and were confident they would notice if many of their products were going offline or changed behavior in a way that indicated a botnet attack.
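As an added illustration of the kind of fleet monitoring those vendors describe (example code written for this piece, not any company's own system): it flags devices whose outbound behaviour departs from their peers, and raises a fleet-wide alert when an unusual share of devices drops offline at once. The `Heartbeat` telemetry fields, the constructed sample and the thresholds are assumptions.

```python
# Fleet-level botnet indicators over per-device heartbeat telemetry.
# Telemetry shape, sample values and thresholds are assumptions.
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Heartbeat:
    device_id: str
    online: bool
    outbound_conns: int   # new outbound TCP connections in the last minute
    distinct_dests: int   # distinct destination IPs in the last minute

# Constructed sample: one reporting window for a small camera fleet.
SAMPLE = [
    Heartbeat("cam-001", True, 12, 3),
    Heartbeat("cam-002", True, 9, 2),
    Heartbeat("cam-003", True, 14, 3),
    Heartbeat("cam-004", True, 4200, 1),   # flooding a single target
    Heartbeat("cam-005", True, 11, 650),   # scanning many distinct hosts
    Heartbeat("cam-006", False, 0, 0),
    Heartbeat("cam-007", False, 0, 0),
    Heartbeat("cam-008", True, 10, 2),
]

def offline_fraction(beats):
    return sum(1 for b in beats if not b.online) / len(beats)

def behavioural_outliers(beats, ratio=20, min_dests=100):
    """Device ids whose outbound behaviour departs from the fleet median.
    A median baseline means a few bots cannot raise it to hide themselves."""
    online = [b for b in beats if b.online]
    if not online:
        return {}
    base = max(1, median(b.outbound_conns for b in online))
    flagged = {}
    for b in online:
        reasons = []
        if b.outbound_conns > ratio * base:
            reasons.append("connection flood")
        if b.distinct_dests >= min_dests:
            reasons.append("scanning")
        if reasons:
            flagged[b.device_id] = reasons
    return flagged

def fleet_alerts(beats, offline_threshold=0.2):
    alerts = dict(behavioural_outliers(beats))
    frac = offline_fraction(beats)
    if frac >= offline_threshold:
        alerts["fleet"] = [f"{frac:.0%} of devices offline"]
    return alerts
```

Against the sample window, `fleet_alerts(SAMPLE)` flags cam-004 for a connection flood, cam-005 for scanning, and the fleet as a whole because a quarter of devices are offline.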

All of these companies plus Philips Hue, Chamberlain (which makes the MyQ garage door sensor) and August also can offer over the air updates that would push security updates to devices that could fix a problem. None of these devices come with hard-coded passwords or even default passwords. Part of the act of setting up any of these devices on a network involves creating an account with a new password.

I didn’t hear back from August, the maker of both a connected door lock (which communicates by Bluetooth so would not be useful in a DDoS attack) and a video doorbell, but it did experience service issues as a result of Friday’s attack, so presumably preventing its devices from being used in a botnet is top of mind. It does force users to change their password.

Ecobee, the maker of a connected thermostat, declined to comment, and Netgear did not respond.

But preventing a device from becoming part of a botnet is only part of the security battle IoT device makers face. They have to encrypt data as it travels over the internet (and ideally as it travels within the home). They should encrypt that same data in the cloud and ensure that user credentials are stored securely. Even today we’re still reading about user names and passwords being stored in plain text on unsecured databases.

Device makers also need to think about the data they collect. Several CEOs tell me they don’t store a user’s Wi-Fi password because they don’t want the liability. All stored data can become a treasure trove for a determined hacker, so it is worth thinking about the data your devices or service really needs.

Companies should also conduct regular penetration tests to see if their products can be hacked. Brian Knopf, director of IoT Security Research at Neustar and former head of security at Wink and at Belkin/WeMo, says that consumers should look for devices that have a security section on their web site and a bug bounty program. “That shows they are thinking about security,” he says.

After this weekend every connected device company and consumer should be.
