There is a lot of press coverage of what is called ‘The Internet of Things’, abbreviated to IoT.
What is IoT?
This is a collection of devices that are not typically identified as computers. They can be anything from:
- Light bulbs connected to a home automation system
- Domestic appliances
- Sensors on industrial plant
- Industrial Robots
- Systems in autonomous cars
- Components that make up non-autonomous cars
- Satellite Navigation
- Automated braking systems
- Networking and Communications Infrastructure
- Aviation systems
- Space Telescopes
- Hospital/medical instruments (e.g. ECG, drug pumps, other diagnostic equipment)
- Storage systems (e.g. your NAS)
- Routers (e.g. the one you are using right now to access the Internet)
- Access control systems (e.g. your office lock/pass)
- Office equipment (scanners, printers, phones)
- Smart TVs and Set-top Boxes including DVD/Blu-ray players.
The list can go on, but you get the picture.
A question I ask people is ‘How many computers/micro-controllers did you use between waking up in the morning and leaving the house for work?’. Let’s list a few of them:
- Alarm clock
- Mobile Phone probably as your alarm clock
- Smart light bulbs
- Coffee Maker, Toaster, Microwave oven/Grill
- Washing Machine (maybe)
- Locking systems (if you have an internet connected lock on your front door)
- Smart Speaker (e.g. Alexa, Google Home, Apple HomePod)
And when you leave for work, you will probably use your car, or some other automotive transport, and that is a vast collection of automated systems that fall into this category.
These IoT devices are everywhere and you probably don’t even know of their presence. And now we are connecting the locks to our homes and offices to the internet, as well as our domestic appliances.
The Issue/Threat Surface
A lot of these devices, particularly industrial systems, are often secured behind some form of security system. However, you might be amazed to hear that a lot of hospital and medical care systems are not, and they are wide open to hackers accessing them and changing their settings. In the context of medical care systems (e.g. diagnostic devices like X-Rays, ECG, MRI, drug pumps), a change in the settings can be lethal (e.g. a drug pump that is reset by a hacker to increase the dose of a medication to lethal levels). The saving grace is that a lot of these devices need local access to the network to tamper with them, but it is not impossible to gain access to hospital networks, and from there these devices can be accessed remotely.
The danger from these devices is that they often do not require any form of authentication to operate and also run on outdated embedded software that is not maintained by the vendor. This also extends to the services these devices use to provide their function, e.g. in the case of a door bell/door monitoring system there will be a subscription service that performs that monitoring and provides the owner with alerts when someone comes to the door.
Some IoT devices operate on custom built software that is easy to embed into a chip the size of a pinhead. This is what is in your smart light bulb. These often connect to your home WiFi router and then to some form of controller that is often a smart speaker (e.g. Alexa or Google Home). At this point you say a voice command and the lights come on in the room you specify. There are a lot of connected devices that make up the smart home that come into this category (e.g. light bulbs, appliances, door locks, music and entertainment systems), all controlled by your voice.
Most of these domestic systems are built in a factory based on a version of the software that is never updated. If a vulnerability is detected, it might get fixed for devices manufactured after that date but the existing devices that have been manufactured are never updated. You therefore have a cyber attack time bomb waiting to go off in your home.
Then we get up to the next level of device that requires more functionality. This is often a real-time operating system (RTOS) based on the Linux kernel that has been stripped back to provide just the features that your appliance requires. This will often be present in your domestic appliances and more industrial applications. Again, these devices are manufactured and often never updated.
A set of vulnerabilities has recently been discovered in one such RTOS, VxWorks. This is an embedded operating system that is used across 2 Billion IoT devices, in applications including:
- Space telescopes
- Automotive systems
- Consumer Electronics
- Industrial Robots
- Test and Measurement devices
- Micro controllers
- Storage Systems
- Networking and Communications.
In short, you probably have at least one device with VxWorks embedded into it. The NASA Mars rovers (Sojourner, Spirit, Opportunity) also have it onboard. While the company that produces VxWorks has fully patched these vulnerabilities, there will be a lot of devices that will never be patched. If you want to read more about VxWorks, please take a look at this Wikipedia article. If you want to read more about these vulnerabilities, Bleeping Computer has a good set of articles.
How to Discover Vulnerable IoT Devices
There is a service called Shodan (https://www.shodan.io/) that regularly scans the internet for IoT devices as well as servers and other devices connected to the Internet.
Try searching for webcams using this link https://www.shodan.io/search?query=Server%3A+SQ-WEBCAM and you will see a large number of webcams open to the Internet.
Even more alarming is a search for routers with default passwords.
If you know what you are looking for, you can define a search pattern that locates many IoT devices and servers, for example with open RDP ports.
You may have heard of the recent antics related to the YouTuber PewDiePie and the efforts by his supporters to keep him as the most subscribed YouTuber. Hackers used Shodan to find printers with a particular vulnerability, and then used an exploit kit called PRinter Exploitation Toolkit (PRET – easily obtainable from the Internet and GitHub) to send printed messages asking the owners to subscribe to PewDiePie on YouTube. This was happening towards the end of 2018.
I recently blogged about the BlueKeep vulnerability. A researcher did a Shodan search for servers vulnerable to this bug and found over a million vulnerable servers open to the internet.
You can check to see if your IoT devices are listed on Shodan by using a service called BullGuard. Shodan also has a facility to actively monitor your IoT devices, for which you need to sign up and pay a monthly subscription (and it isn’t cheap).
Shodan is a very useful tool that is used by security researchers and in-house security teams at companies/enterprises every day to assess the impact of security bugs on their own infrastructure. However, like all tools it can be used for good as well as bad, and cyber attackers also use Shodan to find easy targets for their malware.
What can I do to secure my IoT Devices?
Let’s switch up a gear and consider the situation with your Windows PC for a moment (which is technically an IoT device too). You buy a new PC and connect it to the internet via your WiFi router. The first thing it does is activate your Microsoft account and license the OS via the Internet. The second thing it does is look for updates. That PC may have been manufactured months before and may be on the previous version of Windows. The system will then bring the PC up to date by installing the latest feature update, any cumulative updates and device driver updates waiting to be installed. We have all experienced this when we buy a new PC (even on Macs as well as our smart phones).
So, you may be asking me why our IoT devices don’t do the same thing? In most cases they don’t because they are not supported to the same level as a PC. Some devices do (e.g. my HP Printer regularly phones home and updates its software) and it’s likely that some high end consumer electronics also update themselves. However, the vast majority of IoT devices just don’t get maintained in this way. This creates a massive attack surface for would-be hackers.
Here are a few tips on securing your own IoT devices.
TIP 1 – Updates!! Make sure that the device you are installing is capable of being updated via the internet from its manufacturer. You will need to do some research before you buy. Devices that are covered will be covered for a few years from manufacture, and a device you buy may already be out of date.
TIP 2 – Lock down your Router. This is a bit technical, and you will need to find these things in your particular router. However, you need to disable the following services in your router:
- Remote desktop connections
- Plug and Play
- Telnet and FTP
- Port Forwarding
- Dynamic DNS
- Static Routes
- Remote Management.
You also need to provide at least WPA2-PSK security and a strong WiFi password to avoid anyone connecting to your router from outside your home/office and probing your home/office network. For professional/enterprise networks, a 2-factor authentication process would be advised.
If you are in an office, don’t put your router in a public place (e.g. on your reception desk), and at home don’t leave it in plain view from a window or door. Seeing what router you have gives any would-be hacker the model/version number, and it is then very easy to determine if there are any unpatched vulnerabilities they can exploit.
You should also regularly update the router firmware.
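The following Python script is an added example, not part of the original post. Run from inside your own network against your own router's LAN address, it reports which of the TIP 2 services with well-known TCP ports (FTP, Telnet, remote desktop) still accept connections. The port numbers are the conventional defaults and `192.168.1.1` is a placeholder address; both are assumptions, since the post names the services but not their ports.

```python
import socket

# Conventional default TCP ports for services named in TIP 2. Assumption:
# the post lists the services, not ports, and vendors can move them.
RISKY_SERVICES = {
    21: "FTP",
    23: "Telnet",
    3389: "Remote desktop (RDP)",
}


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, unreachable or timed out: treat as closed.
        return False


def audit_router(host, services=RISKY_SERVICES, timeout=1.0, probe=port_is_open):
    """Return sorted (port, service) pairs that still accept connections.

    probe is a hypothetical hook so the check can be swapped out in tests.
    """
    return [
        (port, name)
        for port, name in sorted(services.items())
        if probe(host, port, timeout)
    ]


def format_report(host, findings):
    """Turn audit_router() output into a short to-do list."""
    if not findings:
        return f"{host}: none of the checked services are reachable"
    lines = [f"{host}: disable these services in the router settings:"]
    lines += [f"  - {name} on TCP port {port}" for port, name in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # 192.168.1.1 is a placeholder; pass your own router's LAN address.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(format_report(router, audit_router(router)))
```

The other items in the list (port forwarding, Dynamic DNS, static routes, remote management) have no single standard port, so confirm those in the router's settings pages.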
TIP 3 – Secure the IoT Device. Where possible password protect any IoT device you install, and/or enable any security measures available for the device. These are few and far between, so at the least you need to secure the access to any settings via smart speakers and control devices.
What needs to happen with IoT
The Internet of Things concept emerged around 20 years ago (1999). Now, in 2019 there are over 7 Billion IoT devices in the world and this is set to explode when 5G cellular devices come on line. Some researchers predict that there will be over 21 Billion IoT devices in the world by 2025 and if we go on at the same pace most of these devices will not be secured.
IoT devices need to be designed with security in mind – a practice that is woefully inadequate today in 2019.
Microsoft has a massive investment in IoT and has developed an IoT device that has security built in by design and can be configured for most applications. If you want to hear more on this, take a look at their blog on this. More manufacturers need to take this example and change their designs.
IoT devices have to be subject to regular system updates, similar to our PCs and phones. The first time they are switched on they need to phone home for any updates and install them before they are online. However, this is expensive, and when you are talking about cheap knock-off devices these will never be subject to this.
We have seen many incidents where door locks sourced from cheap Chinese manufacturers have been surprisingly vulnerable. This is also an issue with the bigger names. You need to do your research.
My view is that the IoT industry needs to put its own house in order. It has to start designing security and patching into its devices. If this costs more then so be it. However, this is not happening at the moment and it may take a high profile case to kick-start this process and for legislation to be enacted to force this practice.
As of today in 2019, I will never install an IoT device into my home or office that cannot be updated and cannot be secured. This basically means my home will never be a smart home until the current situation regarding security is addressed.
If you are setting up industrial systems, then you need a good integrator who understands the security implications of these devices.