We know that IoTs are really critical for IT Security, and recently researchers at Check Point (see here, here and here for more details) have shown how to take over a WiFi network by exploiting remotely a vulnerability in some light-bulbs.
Since many years we are quite used to the fact that products, of any kind, contain digital and electronic components. The process of manufacturing products and integrating digital and/or electronic components is by now quite well established and robust. The most important requirements to the digital / electronic components is that they perform their tasks correctly, effortlessly and that they are reliable. Security is mostly perceived as safety for example from electric shock or from the behaviour of the product induced by the digital / electronic components. It is not important that the digital component has features which are not used by the product, or that it has been designed for other purposes as far as it performs correctly as a component of the product.
But the scenario changes dramatically if the digital component is connected to a network, in particular Internet. In this case the product becomes part of the “Internet of Things” (IoTs). Then the security perspective changes completely. For example, those unused features of the digital component, if not correctly configured and managed, can be abused and become a serious security threat. What bad can be done with a washing machine connected to Internet? Difficult to say, but if out of imagination one can always try to join the washing machine to a botnet for distributed denial of service (DDoS) attacks.
So the manufacturer should also take care of the full IT security of any digital / electronic component embedded in its products. This means that even unused features must be configured, managed and updated.
But this is not all. The interaction between components in a product can create new type of security threats, which can be considered like side-channel threats and attacks. The abuse and misuse of digital components can be quite inventive, for example recently in the news I have noticed the following:
- how to use a scanner to communicate through a laser mounted on a drone with a malware on a PC (see eg. this article)
- how a smartphone or laptop’s ambient light sensor can be used to steal the browsing history from the device (see eg. this article)
- how to install malware on a Smart TVs using the DVB terrestrial radio signals (see eg. this article)
and others concerning light-bulbs, surveillance cameras etc.
Typically in IT security one has first to describe clearly what are the threat scenarios and based on these to evaluate the risks and the security measures needed to mitigate these risks. In the case of IoTs it seems very difficult to imagine all possible threat scenarios due to the interaction between embedded digital Internet-connected components and the other product’s components.
Even more difficult is to imagine how, in the current markets, manufacturers of products like lightbulbs, refrigerators, television sets and more or less anything else one can imagine, can devote time and money to the security of embedded digital components produced by someone else, which should just work, cost as little as possible and not be maintained.
PS. Products like cars, airplanes etc. in regulated sectors, should constitute a welcome exception to this, thanks to the very stringent safety concerns and rules that apply to them.
PPS. Also of interest is this, just appeared, Microsoft whitepaper on Cybersecurity Policy for IoTs.
It just became public that a custom built Linux kernel for embedded devices has been shipped and installed in production with a root debug backdoor open to anyone, see here for the announcement and for example here for some more details.
Besides the gravity of this particular incident and the difficulty of remediating it (I expect that many devices shipped with this kernel will never be updated) a couple of considerations come to my mind:
- first of all the need for IT Security Awareness and Education starting from everybody working in IT : anybody can make a mistake or even a blunder, but there should be safety nets proportional to the risks and IT professional should always be aware of the “security” consequences of what they do;
- the process of “bringing into production” IT products (aka Change Management) should be improved: as of today most of the time the really important test of an IT product is the final User Acceptance Test, which means that it is only important that the features requested by the final users work as expected. But this is not enough, and it is not like this in many other industries, think for example of televisions, refrigerators, cars etc. they all need to pass safety tests and be labelled accordingly otherwise they cannot be sold on the market. Why is it not like this also for IT products? As of today it is difficult to think of security standards, tests and labels common to all IT products, but it should be possible to agree on and adopt some common IT security baseline.
The National Telecommunications and Information Administration (NTIA) of the US Department of Commerce’s Internet Policy Task Force, has announced a Request for Comment on the key issues regarding the deployment of Internet of Things.
This is one of the first steps towards creating some policies and / or regulations on IoT devices, and can be a very good occasion for stating clearly some security baselines.
GSMA just announced the availability of the “GSMA IoT Security Guidelines”. Potentially this could have quite a good impact on the security of IoTs. Even if GSMA speaks only for the mobile telecommunications industry, its importance in today communications market is undeniable. The idea behind it should be that companies and providers who plan to connect new IoT devices to the network, will follow these Security Guidelines to provide some level of security to the device communications, at least.
Let’s hope that this will be a first real step towards the IT security of IoTs, but first we need to read and understand these guidelines and then, in case, see if they are implemented and if their implementation will provide the expected benefits.
The article ‘“Internet of Things” security is hilariously broken and getting worse’ of ARS Technica shows how, using Shodan , one can find pictures from millions of open Webcams on internet.
The issue is not new but the scale of the problem is threatening. As the article nicely points out:
- people do not care about the security or privacy features of the devices they buy
- the important points are cost and easiness to manage (which means it is better if there are no password to access it)
- only to throw away the device the day they find themselves on Shodan or in a picture on a newspaper and say “never again”.
But who is going to do something about it? Who should defend the privacy of people and the security of Internet? Should the IoT market be regulated or self-regulated or something in between?
Among IT practitioners there are a lot of ideas and discussions on the “Internet of Things” (IoT) and the security risks associated to them.
If IoT has many positive and useful future developments, the security aspects are very difficult to manage to the point of posing a very big question mark on the idea itself of IoT.
One example is described in the research “House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide” published by SEC Consult, which shows how many hosts, typically home and SOHO routers for internet access, use the same cryptographic keys, which are public and well know, so that anyone can impersonate them and anyone who can intercept their traffic can decrypt it.
Even if the impacts of this vulnerability are probably not very high, it seems extremely difficult to fix, since the new devices will be fixed but the millions already in use will probably never be fixed and will remain active for a few more years.
Even more worrisome is that these are IT devices developed, built and sold by IT companies that should known about IT and IT security. What will happen when billions of devices will be connected to internet (the real IoT) developed, built and sold by non IT companies?
This news is a very good example of how IT security is generally perceived, almost like an annoying add-on or an after-thought, in any case better to think about it later …
Security should be one of the pillar of any IT product and service but very seldom it is.
It will be very interesting to see how Security and IoT (Internet of Things) will go together, the first glimpses are not promising even if many people warn of the possible disasters ahead.