The Hunt for IoT: The Opportunity and Impact of Hacked IoT
- by nlqip
What is the Problem with IoT Security?
Security guru Dan Geer notes that the cybersecurity industry came of age with the introduction of Windows 95 and its built-in TCP/IP stack. Suddenly every home computer was on the Internet in a world “where every sociopath is your next-door neighbor.” These home computers were poorly administered by amateurs. At that point, malware and cybercrime became the Internet’s fastest growing enterprise. Today, we are repeating that mistake with a global pandemic of compromised IoT devices. Specifically, the hockey-stick growth maps of cyber-mayhem look unnervingly similar to what we experienced 24 years ago with PCs.
Consumer-Grade Technology
To begin with, most IoT devices lack nearly all of the security features of a mature, robust, general-purpose home computer system. And that’s saying a lot, if you consider the “security features” of your average home computer. But IoT is even weaker. How weak? Well…
Most don’t have any automatic patching capability, much less a system to warn the operator of the need to patch. They use extremely poor authentication mechanisms: our IoT security is dependent on a telnet password of 12345. They usually don’t have forensic capability and, in many cases, not even logging functions. If they do, logging is lightweight or easily compromised by an attacker. Manufacturers rarely provide “secure” modes of operation or hardening procedures to lock down features. In fact, most IoT devices rarely warn their users about placing these devices on the Internet, or that any dangers exist at all.
The Monoculture Problem
Nearly all IoT operating systems are derived from Linux, because of its portability, speed, and open, free license. A decade ago, Linux malware was very rare. With the growth of IoT and Android, Linux malware is rivaling Windows malware in prevalence. And like the old worries about Windows, we have a serious “monoculture” problem. In agriculture, a monoculture refers to a single species of crop or livestock that is vulnerable to a single disease that could wipe out the entire population in a single pandemic. In 2003, security pundit Bruce Schneier noted, “The basic problem with a monoculture is that it’s all vulnerable to the same attack.” A single IoT exploit or malware/thingbot is a weapon that can be used to attack thousands, if not millions, of IoT devices with a click of the mouse.
Lack of Security Tools
Since we just talked about the power and prevalence of IoT malware, we should mention that, if an attack were to strike, you don’t have much recourse except to reflash the software (assuming it’s possible and you can figure out how) or throw the device away. The anti-virus market for Linux-based systems, much less IoT devices, is not nearly as mature or sophisticated as the Windows market. Of course, anti-virus is highly unlikely to be installable on an IoT device. Because of the size and limited capability of these devices, there are no on-box security tools available for IoT devices. Those that are available mostly work off box, on the network to which the IoT device is connected, which provides significantly less visibility and control over the device itself.
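To make the off-box limitation concrete, here is an added example (not from the original article) of the kind of check a network-side tool can run: it sees only traffic, so it flags an IoT device that suddenly opens telnet connections to many distinct hosts. The flow-record format, the IoT segment 192.168.50.0/24, and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("192.168.50.0/24")  # assumed IoT VLAN
TELNET_PORT = 23
FANOUT_THRESHOLD = 5    # assumed: distinct telnet destinations that trigger a flag
WINDOW_SECONDS = 60     # assumed: sliding window length

# Constructed flow records, one per line: "epoch src dst dport"
SAMPLE_FLOWS = "\n".join(
    # camera contacting six hosts on telnet within six seconds
    [f"{1700000000 + i} 192.168.50.23 198.51.100.{i + 1} 23" for i in range(6)]
    # thermostat reaching six telnet hosts, but one per hour
    + [f"{1700000000 + i * 3600} 192.168.50.40 203.0.113.{i + 1} 23" for i in range(6)]
    + ["1700000005 192.168.50.10 203.0.113.9 443",  # ordinary HTTPS
       "1700000006 192.168.1.5 198.51.100.7 23",    # outside the IoT segment
       "garbage line"])                             # malformed, must be skipped

def find_telnet_fanout(flow_text, segment=IOT_SEGMENT,
                       threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak distinct telnet destinations in any window} for flagged devices."""
    events = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, dport = int(parts[0]), int(parts[3])
            src_ip = ip_address(parts[1])
        except ValueError:
            continue  # unparsable timestamp, port or address
        if src_ip in segment and dport == TELNET_PORT:
            events[parts[1]].append((ts, parts[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # shrink the window until it spans less than `window` seconds
            while hits[end][0] - hits[start][0] >= window:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_telnet_fanout(SAMPLE_FLOWS))
```

Nothing in this check can say what is running on the flagged device; it only reports behaviour visible on the wire, which is the reduced visibility described above.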
Abundance of Long-lived, Unpatched Vulnerabilities
The average lifespan of a refrigerator is 17 years. Can you imagine how quickly a 17-year-old operating system would be hacked when connected to the open Internet? IoT devices may or may not have more vulnerabilities than any other nascent platform. But as we said, these devices are rarely patched and poorly managed, and they are also ubiquitous and numerous.
Let’s look closer at the lifespan of an IoT vulnerability.
Step | Parties involved | What Happens | Magnitude | If not? |
---|---|---|---|---|
Blissful Ignorance Zone | ||||
1. Discovering the IoT vulnerabilities | Researchers and attackers | Who finds these holes? Those incentivized to do so: security researchers and the attackers. | Likely a large number of disclosed and undisclosed vulnerabilities | Vulnerability remains undiscovered |
2. Disclosing the IoT vulnerabilities | Researchers and attackers | Attackers will not tell anyone about the holes they’re exploiting. Responsible security researchers will only tell the IoT manufacturers. | A subset of the previous | The vulnerability remains known only to the attacker community |
Danger zone – Zero-day territory | ||||
3. Accepting the Vulnerability | IoT manufacturers and security researchers | Tell the manufacturer about the vuln… but can you find the right company? Does the company still exist? Will they listen to vuln reports? | A subset of the previous | The vulnerability is published as a zero-day in a free-for-all hacking extravaganza |
4. Publishing the IoT Vulnerabilities | IoT manufacturers and security researchers | Does IoT manufacturer even consider this a vuln? Are they willing to disclose? | A subset of the previous | The vulnerability remains hidden or released as a zero-day |
Extreme Danger Zone – Vulnerability known | ||||
5. Creating the patches for the IoT vulnerabilities | IoT manufacturers | Is IoT manufacturer willing and able to create patch? | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |
6. Awareness of the patch | IoT manufacturers and IoT owners | Does IoT manufacturer have a mechanism to notify owner? Are the IoT owners listening? | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |
7. Applying the patches to the IoT vulnerabilities | IoT owners | Is IoT owner capable of applying the patch correctly? Even at best, many organizations can only patch 1 in 10 holes | A subset of the previous | The vulnerability remains unpatched but now becomes widely known amongst attackers |