Everything including the kitchen sink: securing the Internet of Things
Posted by j.laird
on 13 June 2022 - 10:00am
By Dr. Domhnall Carlin, EPSRC RSE Fellow.
When the world woke up one morning working from home, the extension of the traditional corporate network to encompass the domestic home (and its average of 9 connected devices) turned traditional perimeter-based computer security of 40 years on its head.
The Internet of Things (IoT) represents just the next incremental step in the evolution of the internet. From its early days connecting major universities, the epochal breakthrough of connecting home PCs to the internet in the 90s quickly gave rise to the inter-connection of individuals in the 2000s through convergent devices. As the first quarter of this century draws to a close, computers are no longer noisy white boxes. They’re light bulbs, door locks, dolls, security cameras, baby monitors and coffee pots. The IoT has become ubiquitous, with a seemingly unending scope for connecting previously unconnected devices, yet the security posture lags far behind the creativity of deployment. As networks are only as secure as their weakest links, insecure IoT devices are low-hanging fruit for attackers trying to gain a foothold into a network, whether in the home, enterprise or industry. Indeed, large-volume, lacking in security, constantly on and pervasively connected to the internet is the stuff of which hackers dream.
In 2020, it was estimated that the number of connected IoT devices had overtaken traditional devices (including PCs and phones), with over 12 billion connections. This is predicted to more than double before the end of 2025. While the growth in devices has exploded, securing these devices is still an immense challenge. In the first half of 2021, Kaspersky detected 1.5 billion attacks on smart device honeypots, up over 134% on the same period in 2020. This trend is escalating, with IoT devices now responsible for 32.72% of all infections observed in mobile networks, up 100% from 2019. As Panasonic state: “Even with security activities that cover the product lifecycle from threat analysis to incident response, these challenges remain”.
So? What’s the worst that can happen?
Last year, Reddit user u/smunson posted a question in the r/smarthome subreddit regarding their LG smart tumble dryer. Smunson had detected the appliance sending and receiving over 1GB of network traffic to an Amazon cloud instance and wanted to crowd-source some opinions. Whether this was indeed a security issue, or an update gone awry (or money laundering as suggested in one reply), the fact that discussing a tumble dryer using as much traffic as a few hours of Netflix is even entertainable shows the landscape of these devices.
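A per-device volume check of the kind that would surface the dryer's behaviour, as an added example that is not part of the original post: it flags any device whose daily traffic exceeds ten times the median of its own earlier days. The flow-log format, device names, byte counts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real captures):
# date, device name, remote endpoint, bytes sent + received
FLOWS = """\
2022-06-01 dryer cloud.example 180000
2022-06-01 camera cloud.example 450000000
2022-06-02 dryer cloud.example 210000
2022-06-02 camera cloud.example 470000000
2022-06-03 dryer cloud.example 195000
2022-06-03 camera cloud.example 440000000
2022-06-04 dryer cloud.example 1100000000
2022-06-04 camera cloud.example 460000000
"""

def daily_totals(text):
    """Sum bytes per (device, day) from whitespace-separated flow lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guess
        day, device, _remote, nbytes = parts
        totals[device][day] += int(nbytes)
    return totals

def flag_anomalies(text, factor=10, min_history=3, floor=1_000_000):
    """Flag days where a device exceeds factor x the median of its earlier days."""
    alerts = []
    for device, days in daily_totals(text).items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            volume = days[day]
            if len(history) >= min_history:
                baseline = median(history)
                # floor avoids alerting on tiny absolute volumes
                if volume > max(baseline * factor, floor):
                    alerts.append((device, day, volume, baseline))
                    continue  # keep the outlier out of the baseline
            history.append(volume)
    return alerts

if __name__ == "__main__":
    for device, day, volume, baseline in flag_anomalies(FLOWS):
        print(f"{day} {device}: {volume / 1e6:.0f} MB vs typical {baseline / 1e6:.2f} MB")
```

Comparing each device against its own history is what lets a chatty camera pass while a normally quiet appliance stands out.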
The notorious Mirai botnet of 2016 turned millions of IoT devices into a botnet army, capable of delivering DDoS (Distributed Denial of Service) attacks on multiple targets, including French webhost OVH (1Tbit/s) and DynDNS. This rendered dozens of popular websites (e.g. GitHub, Twitter, Reddit, Netflix, Amazon, BBC) inaccessible. The cause of infection? Default usernames and passwords on the devices. Five years later, anti-DDoS provider Cloudflare mitigated the largest volumetric DDoS attack in history, peaking at 17.2 million HTTP requests per second. The culprit? Mirai.
In 2021, Talos described a methodology to attack an IoT Airfryer using a classic buffer overflow, a relatively ancient attack, described as far back as 1972. This allowed an attacker to execute remote code on the device, altering temperatures and remotely activating it. The manufacturer released an update to patch these vulnerabilities one week later. While this is as commendable as it was speedy, the question remains: could/would/should the average consumer patch their airfryer of a Sunday evening? What about the devices that can’t simply be updated or patched?
If malicious code can be pushed onto a device, the old security geek adage of ‘malware begets malware’ suggests something even worse is almost certainly yet to come. There’s limited resistance against automated threats like these and security company Sophos expects attacks on consumer electronics ‘to continue unabated in 2022’.
Why is this the case?
Vulnerabilities exist across several axes: the device, the communication protocol and the apps or cloud services used to control them. Device-based issues include hard-coded and unchangeable passwords, weak or nonexistent authentication, easily discovered factory defaults, but most dangerous is the difficulty in updating the device. Cheap consumer IoT devices tend to use off-the-shelf communication stacks, but these can be old and vulnerable. Multiply this by tens of millions of devices and you have an attack surface that is practically undefendable. Similarly, the controlling apps can use hardcoded credentials, be over-privileged and coded to unintentionally leak sensitive data.
Is this fixable?
The disparity, pricing and availability of consumer IoT devices makes securing them a huge socio-technical challenge. The UK Government announced the Product Security and Telecommunications Infrastructure (PSTI) Bill in 2021, which is currently being debated in parliament. The Product Security measures (Part 1 of the Bill) aspect gives ministers powers to specify minimum security requirements for consumer IoT devices, shifting the onus for compliance onto the manufacturers and distributors, who face fines of up to £10 million or 4% of global revenue for breaches. The consultation work for the PSTI Bill showed that fewer than half of respondents considered security features to be important in the decision-making process for buying an IoT device. Of these, nearly ¾ expected it to be built in, and 1 in 10 stated that security simply wasn’t relevant when buying a device. While the bill offers some welcome steps, they must also go hand-in-hand with consumer mindset shifts to address the human factor in security.
There is clearly an urgent need for novel research on increasing the security posture of such devices, and in providing solutions capable of being implemented in light-weight contexts against future and emerging attacks. More information on the work of my EPSRC RSE Fellowship in addressing these challenges can be found on the RSE society website.