If hype cycles are anything to go by we’re almost certainly teetering on the brink of the trough of disillusionment with the IoT. Recent research claims that 60% of test deployments have failed. But while some pilot projects may have faltered there isn’t yet the weight of devices in deployment to suggest we’ve peaked. Rather, adoption itself seems to be faltering.
IoT adoption hasn’t been the runaway success envisaged and this is down to a number of issues. Firstly, the IoT-enablement of devices which don’t necessarily warrant this additional connectivity. Take the IoT fishtank which regulated feeding, water temperature and quality, says Ken Munro, partner at Pen Test Partners.
That may sound like a labour saving device but ultimately it saw a Casino where the tank was installed lose 10GB of data to a device in Finland. IoT security doesn’t stop at the device. What this illustrates is that such devices are being used to create exploitable backdoors on to networks, allowing the theft of credentials and data exfiltration.
Longevity concerns are also hampering adoption, with devices often swapped out rather than updated causing users to question the viability of the investment. Then there’s the question as to whether the manufacturer has the resource to fix any issues that may come to light?
Security vulnerabilities emerge over time and if that does happen and your devices need to be patched, will the manufacturer invest the time needed to oversee this or deny culpability or even withdraw support?
Protecting the existing installed base is a real headache for manufacturers. If you peruse the Shodan website you’ll see hosts of deployed IoT equipment (and worryingly even Industrial Control Systems) with details on the IP address, the operating system run, and the version of software in use. And the FCC helpfully publishes the schematics for soon-to-be-released IoT devices complete with circuit diagrams for those wanting some up close detail.
In many cases, an attacker can identify devices from Shodan and simply obtain the default credentials to gain access. We once found a handy ‘super password’ list of daily log-on credentials for the entire year published on social media site by a technician. Clearly, supply chain security tends to be lax, with this case illustrating just how easy it is to get hold of ‘confidential’ data.
Struggling in the face of these odds, manufacturers are now looking to sell on data to third parties. That may make sense commercially but it further compromises the security and privacy of the userbase. It could see the floor plans for your office, for instance, sold on if you’re the user of an IoT vacuum cleaner. And what if that information makes its way on to the blackmarket? Building Management System (BMS) data could be particularly useful. Think of the extortion that would be possible if an attacker were to put ransomware over smart thermostats.
Solving the problem
The cynical among you will be questioning whether the end user shouldn’t also shoulder some of the responsibility and it’s true that few reconfigure devices upon set-up. That’s partly because it can be very difficult to do so. If you do succeed, have you also changed the default PIN on mobile apps or web apps which are used to control the device? It’s still questionable if this is worth doing given that a four or six digit PIN takes a matter of hours to crack.
The current lack of confidence can only be attributed to poor security and that means manufacturers need to up their game. They need to attend to secure mobile app development, strong session management and encryption on web services, secure implementation of the chosen wireless standard, and on the device itself, disable unused functionality such as serial ports or debug ports, apply obfuscation techniques and implement secure key storage while the firmware should be encrypted and signed.
Regrettably, until vendors begin prioritising security, IoT adoption will falter. It only takes another audacious malware attack, perhaps over a universal interface such as port 80, to damage uptake irreparably. Right now the industry needs to focus on building trust and that means adopting either self-imposed or legislative regulation.
The author of this blog is Ken Munro, partner at Pen Test Partners