On the Security of “Things”
The security ramifications of the "Internet of Things" (IoT) are a hot topic lately. That’s not to say the security community has not been aware of this problem and dealing with it for some time (or ignoring it, as the case may be). Back in 2007 I wrote a book about hacking Linksys home-based routers. It gave me a look inside an embedded system and provided me the foundation to begin to analyze the security of such devices. What I have found since then, and what other security researchers have highlighted, is a bit frightening. I sat down with Patrick Gray from the Risky Business podcast recently and had a chat about some of the major problems with the Internet of Things, and some potential solutions. You can listen to the audio from this interview here:
Below are some of the topics that Patrick and I discussed:
Why are consumer appliances often lacking security?
The battle for security of home-based appliances is largely based on economics. Companies that make routers, home automation, and appliances (refrigerators, washers/dryers, and even toilets) compete heavily on price. Consumers want the lowest cost product, and price often trumps features. As such, the hardware and software are meeting bare minimum standards for functionality, let alone the added costs of security.
Why are they targeted?
Are these devices being targeted by evildoers? The short answer is yes. We’ve seen a rash of Linksys router worms this year alone, as well as some affecting DVR systems and storage devices. The question is why? Below are just a few reasons:
- First, take into consideration the definition of an embedded system: a special-purpose system in which the computer is completely encapsulated by the device it controls [1]. This means there is no monitor, mouse or keyboard, making it difficult (or near impossible) for the end user to determine if the device has been compromised.
- The computing power of embedded systems has increased dramatically in the past 10 years. Despite the fact that manufacturers are still using the cheapest parts, there are some storage devices that have more computing power than servers I administered at a university 10 years ago!
- Ubiquity is a factor. Small, special purpose devices are now everywhere. As older “things” break, they are replaced with newer “things” that have small computers in them, designed without security in mind (personally, I can’t wait for my toilet to die so I can get one with Wifi, heated seats, warm water jets and Twitter support).
Why are they vulnerable?
Mike Murray and I had a great conversation about why embedded systems, as a whole, are largely less secure than traditional desktops and such. I like to use the hammer analogy. A hammer is likely manufactured with two design goals:
- The hammer functions to bang nails into wood and do other things you’d normally expect a hammer to do.
- Safety - the head doesn’t come flying off and crack someone in the head while you are using it.
What they are not designing a hammer for is to prevent a malicious actor from going on a rampage and whacking people in the kneecaps. This model works for a hammer; not so much for an Internet-connected device. Manufacturers must now take into account the malicious actors, and think about what happens when you lose control of the system.
How does this impact the security of your organization?
On the corporate front, technology adoption is growing; more companies have more embedded systems in the form of building automation, printers, physical security controls, voice and video bridges, DVRs and more. Just when you think this may be a problem only for the home user, take a look around your network and you will find lots of “things” that are connected, and in desperate need of security. Worse yet, many don’t fully understand what it takes to identify vulnerabilities in these systems, or how to go about it.
What can we do about it?
Along the lines of making the world a better place, I believe a good place to start is with the manufacturers. We must help them understand the impact, and the security pitfalls, of building a device using the current “forget about security” models. I’ve come up with my own list of 10 things manufacturers and developers can do better in order to produce much more secure products:
- Do not put backdoors inside of firmware
- Never use default credentials
- Provide secure remote management software
- Use open-source software and drivers, NOT binary blobs
- Do not use functions prone to overflow conditions (secure SDLC)
- Implement firmware and configuration encryption
- Provide easy-to-use & secure firmware updates (auto-updates)
- Implement secure web management interfaces
- Maintain a CIRT and provide a program for security researchers
- Implement protocol security / Implement secure protocols
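To make the "functions prone to overflow conditions" item concrete, here is an added example (not code from the original post or from any vendor's firmware) of a device-hostname setter such as a web management interface might call, first with `strcpy()` and then with an explicit bound and input validation. The function names, the 32-byte buffer size and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 32 /* assumed buffer size, including the terminating NUL */

/* "Before": strcpy() copies until it finds a NUL in the input, so any value
 * longer than the buffer overwrites adjacent memory. Shown for contrast only;
 * it is never called in this example. */
void set_hostname_unsafe(char dst[HOSTNAME_MAX], const char *value)
{
    strcpy(dst, value);
}

/* "After": validate length and character set first, then copy a known number
 * of bytes. Returns 0 on success, -1 if rejected (dst is left unchanged). */
int set_hostname_safe(char dst[HOSTNAME_MAX], const char *value)
{
    size_t len;

    if (dst == NULL || value == NULL)
        return -1;
    for (len = 0; value[len] != '\0'; len++) {
        unsigned char c = (unsigned char)value[len];
        if (len >= HOSTNAME_MAX - 1)     /* would not fit with its NUL */
            return -1;
        if (!isalnum(c) && c != '-')     /* allow only letters, digits, '-' */
            return -1;
    }
    if (len == 0)                        /* empty hostname is not allowed */
        return -1;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid, one with bad characters, one too long. */
    const char *samples[] = { "router-01", "bad name!",
                              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char name[HOSTNAME_MAX] = "factory";

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_hostname_safe(name, samples[i]);
        printf("%-12.12s -> %s (hostname is \"%s\")\n", samples[i],
               rc == 0 ? "accepted" : "rejected", name);
    }
    return 0;
}
```

Rejecting oversized input outright, rather than silently truncating it, keeps the stored value identical to what the administrator submitted and gives the interface a clear error to report.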
There are other fantastic efforts going on in the space, such as http://builditsecure.ly/ and the cavalry movement, which are promoting similar concepts. I will be speaking more about this topic at some upcoming conferences, including Derbycon, SANS and the CCRI Security Day.