The IoT Security Revolution
Welcome to part three of our series on IoT security! Click here for part one, or here for part two.
Zoe wakes up at 7AM sharp to the soothing voice of her Alexa, which controls a smart light switch in her room. The lights slowly come on and illuminate the room as Alexa outlines the weather for the day. Zoe climbs out of bed, wishing it was Friday despite it being Monday. Her smart mattress detects a change in weight and triggers the coffee pot in the kitchen to start brewing.
Meanwhile, Zoe’s smart thermostat automatically adjusts the temperature for daytime comfort, since Zoe prefers a cooler temperature while she’s sleeping. It’s the perfect start to another perfect day. Through this lens, the Internet of Things is an amazing idea that makes our lives easier than ever. Once you pull back the curtain, however, it becomes all too easy to see how holes in security are allowing malicious hackers to harass users and steal personal information.
Facing The Problem
Unfortunately, there’s no single solution that fixes the problem, but there are plenty of places to start. While individuals can educate themselves, it’s also paramount that business owners and manufacturers take their own steps to spearhead the revolution that IoT security so desperately needs.
Let’s assume that Zoe, once a marketing executive, is now a business owner herself. Even if her company doesn’t manufacture or sell IoT products, it’s very likely that she uses them. Without a proper understanding of how to secure them, she’s leaving her business open to numerous threats:
- Each connected device represents an endpoint or doorway into the greater network
- Critical systems like heat or cooling could be hacked and modified without her knowledge, leading to uncomfortable or even dangerous working conditions
- The devices could be part of a larger botnet that potentially threatens the livelihood of her website or servers by posing a potential DDoS (distributed denial-of-service) attack risk
- Potential breaches of customer data could cause catastrophic damage to her brand and the trust of her customers
In particular, the ever-looming threat of botnets is a topic that all business owners should be aware of, as anyone could be susceptible to this type of attack.
Are Botnets the True Threat?
Major IoT hacks or DDoS attacks typically involve botnets, which is a term that those seeking security should be familiar with. While a traditional botnet only encompasses computers infected with malware, an IoT botnet could be anything from cameras to routers, to appliances, and even wearables.
Once infected with malware, these devices are used to infect others until the infected network spans numerous devices, sometimes in the hundreds of thousands. Since many IoT devices are Linux-based, the malware used to infect them targets Executable and Linkable Format (ELF) binaries, which are common in their firmware.
By targeting services like SSH or Telnet, exploiting weak logins, or simply brute-forcing credentials, the malware is delivered to the device and connects it to the larger network. Now that an attacker has all of these devices at their disposal, the real attack begins.
As we’ve seen in the past, these botnets are capable of issuing DDoS attacks at major infrastructures that knock them out for extended periods of time. They do this by leveraging the compromised devices to assault websites or networks with so much traffic and data that they simply collapse under the weight of the attack.
Whether that’s online services or elements of a smart city, it’s not hard to imagine the impact. IoT devices in particular make easy targets because of their low security standards and poor software maintenance.
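The SSH and Telnet credential guessing described above leaves a trail in a device’s own authentication log, and that trail is something a defender can watch for. The following is an added example, not code from the original post: it parses a handful of constructed OpenSSH-style log lines (the hostname, addresses and timestamps are made up for the example) and flags any source address that fails logins at least five times within a minute, recording how many usernames it cycled through and whether a successful login followed the burst, which is the sign that the device may have just been recruited.

```python
"""Spot SSH/Telnet credential guessing in a device's auth log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style; the hostname, addresses
# and times are made up for this example and are not real log data.
SAMPLE_LOG = """\
Jan 14 03:12:01 camera-01 sshd[412]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan 14 03:12:03 camera-01 sshd[412]: Failed password for admin from 203.0.113.9 port 51124 ssh2
Jan 14 03:12:04 camera-01 sshd[412]: Failed password for admin from 203.0.113.9 port 51126 ssh2
Jan 14 03:12:06 camera-01 sshd[412]: Failed password for support from 203.0.113.9 port 51130 ssh2
Jan 14 03:12:07 camera-01 sshd[412]: Failed password for user from 203.0.113.9 port 51131 ssh2
Jan 14 03:12:09 camera-01 sshd[415]: Accepted password for admin from 203.0.113.9 port 51140 ssh2
Jan 14 03:15:40 camera-01 sshd[420]: Failed password for zoe from 192.0.2.50 port 40001 ssh2
Jan 14 03:20:02 camera-01 sshd[421]: Accepted publickey for zoe from 192.0.2.50 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2019):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped.

    Classic syslog lines carry no year, so one is supplied to build a datetime.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures": n, "distinct_users": k, "success_after": bool}}.
    success_after is True when the same IP logged in successfully at or after
    the end of the burst, i.e. the guessing most likely worked.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    users_tried = defaultdict(set)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
            users_tried[ip].add(user)
        else:
            successes[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        burst_end = None
        start = 0
        # Sliding window over the sorted failure times.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                break
        if burst_end is None:
            continue
        alerts[ip] = {
            "failures": len(times),
            "distinct_users": len(users_tried[ip]),
            "success_after": any(t >= burst_end for t in successes[ip]),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Run on the sample, only 203.0.113.9 is flagged: five failures across four usernames in eight seconds, followed by an accepted password login, which is the pattern worth an alert and a password reset. Zoe’s single typo from 192.0.2.50 never reaches the threshold. The same structure works for Telnet or web-login logs once the regular expression is adapted to their line format.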
While larger entities scramble to try and protect themselves from this threat, we as individuals can do our part to protect and educate ourselves in the meantime.
Start Here: 7 Ways to Strengthen Your Security Today
Zoe is not powerless to fight back against this threat, and neither are you. Here are seven ways you can strengthen the security for your business right now:
- Start by taking stock of the connected devices in your organization. Doing so manually could be too time-consuming, so instead look for ways to discover, track, and manage your IoT devices.
- If you own a website or IoT server of your own, secure salting of password hashes in the database will protect passwords from attacks using rainbow tables and similar attacks on hashes.
- Owners of IoT servers should also take care not to give away too much information. One example is files that link directly to locations on the server instead of hiding them. Let your web directory do its job and hide this information using your server’s configuration system.
- Cross-site scripting (XSS) attacks are quite common. This type of attack injects JavaScript code into a user’s browser for the purpose of stealing data or credentials. The user still sees the website as normal, so they have no way of knowing that the page is carrying injected script. If you host web services with submission forms for IoT devices, make sure you educate yourself on how to defend against XSS attacks.
- Change the default password on your devices immediately, and make sure they are always up-to-date when it comes to firmware and security updates.
- Educate yourself and your employees about proper security practices. There are free online courses available as well that offer a jumpstart to your cybersecurity.
- Arrange for penetration testing, where a white hat hacker attempts to break into your servers or IoT products and reveals potential holes in your current security.
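Two of the items above, salting password hashes and defending submission forms against XSS, are concrete enough to show in code. The block below is an added example and not code from the original post; it stands in for the server side of a small IoT web service and assumes PBKDF2-HMAC-SHA256 with a per-user random salt (the iteration count is an assumption to be tuned to your hardware). It also shows the unsafe and the escaped way of putting a submitted device name back into an HTML page.

```python
"""Salted password hashing and HTML escaping for an IoT web service (added example)."""
import hashlib
import hmac
import html
import os

# Assumption: PBKDF2-HMAC-SHA256 with this iteration count. Tune the cost to your
# hardware so that one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per password means two users with the same password get
    different records, so a precomputed (rainbow) table of hash -> password is useless.
    The salt is stored in the clear next to the digest; it is not a secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed or foreign records (wrong algorithm tag, bad hex, missing fields)
    simply fail verification instead of raising.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Cross-site scripting: untrusted form input must be escaped before it is placed
# in HTML. The first function shows the defect, the second the fix.

def render_device_name_unsafe(name):
    """Vulnerable: the submitted name is pasted into the page verbatim."""
    return f"<li>{name}</li>"


def render_device_name(name):
    """Safe: escape &, <, >, \" and ' so the name is shown as text, never run as script."""
    return f"<li>{html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("verify:", verify_password("correct horse battery staple", rec_a))
    # Constructed form submission containing a script tag.
    submitted = '<script>alert("xss")</script>'
    print("unsafe:", render_device_name_unsafe(submitted))
    print("safe:  ", render_device_name(submitted))
```

Storing the algorithm and iteration count inside the record lets you raise the cost later and re-hash users at their next login without a migration. For the form output, escaping at the point where text meets HTML is the rule; a templating engine that escapes by default does the same job, and the check is that the script tag comes back as `&lt;script&gt;` rather than as a tag.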
This is a good start, but to really address the problem, we need to go to the source.
It’s Time For a Fundamental Change in IoT Security Standards
It’s easy to blame people and say that their lack of knowledge or motivation causes these problems, but the truth is that the creators of these devices are also to blame. Security begins at the source, and without any kind of standards, IoT devices are rolling off the assembly line with massive gaps in their security.
Consider this observation from Olaf Kolkman, chief internet officer at the Internet Society, a non-profit striving for a safer and more secure internet:
“Companies that were in traditional production of lightbulbs, toothbrushes, toasters, you name it, have suddenly become software companies, but they don’t have the years of expertise that, say, Apple or Google has.”
While manufacturers have always held themselves to safety standards in their products, the addition of software and a connected world isn’t part of that protocol. This also extends to the industrial tools they use to manufacture their products. Even these connected devices could be compromised, which would be dangerous for those working on the factory floor.
The simplest solution would be to implement a set of standards that manufacturers are required to follow. The Department for Culture, Media, and Sport at the National Cyber Security Centre has already submitted a set of rules for IoT product makers.
These include the removal of default usernames and passwords, a vulnerability disclosure policy, and simpler ways to install and maintain device security through firmware updates. Other topics also include securely storing customer data and giving users the ability to delete their personal information without hassle.
Legislation is also a potential solution, something that could implement strong guidelines, but even this is a slow-moving solution. Most manufacturers of IoT devices treat their products like appliances instead of software, which is a terrible approach.
With IoT hacks like compromised baby monitors going public, governments are finally waking up to the threat that many of us choose to ignore. The Australian government, for example, started talking about regulations in October of 2017.
Meanwhile, in the United States, California introduced a bill in 2017 that would require a minimum level of security in IoT devices. Back in the present, how are things progressing? The answer is slowly.
According to a survey announced at CES 2019 by BlackBerry, 80 percent of consumers still don’t trust the Internet of Things. The survey also revealed that people are willing to pay more (up to 20 percent) for secured devices.
This was used to announce three IoT security products that BlackBerry will be marketing to manufacturers to provide additional security in their products. It’s a move in the right direction, but the problem remains.
In the meantime, business owners and those working in the IoT industry should take steps within their own organization to exact the kind of change we all need. Ultimately, the success of the IoT security movement, much like the devices in a botnet, comes down to the combined power of individuals working towards a common and necessary goal.