Over time, the accumulation of security failures and associated cleanup costs in credit monitoring services, customer outreach, media spin, reputation damage and lost business eventually leads to more vigilance in affected industries. Sadly, in our hyper-connected age, security indifference by one organization or industry can cause big problems for everyone else.
We're starting to see an explosion of such externalities with the proliferation of quasi-intelligent, connected devices collectively known as the IoT. It turns out that many (most?) of these cheap products have enough computational horsepower to wreak havoc on networks, but are so easily hacked that they can be amassed into vast armies of bots used to carry out cyber attacks of unprecedented scale.
Sadly, given the thin margins, disposable nature and origin of these devices, there's little hope that IoT security will improve anytime soon; the best organizations can do is prepare for the onslaught.
As I wrote in "Making the case for cyber insurance", cheap connected, single-purpose devices like IP surveillance cameras, set top boxes, baby monitors and thermostats that are creeping into every corner of home and business life were responsible for the largest DDoS attack yet seen by a major CDN and that knocked a popular security researcher's Website offline for days.
It took no less than the help of Google to restore Brian Krebs' site by deflecting the stream of network noise that was choking his servers. As Krebs points out, most of these devices cost under $100 and are sold at such tight margins that security is an afterthought.
Worse yet, there is absolutely no incentive for a device manufacturer, or the user, to care about or invest in better security: hacked devices continued to work and owners were completely unaware of any nefarious activity.
Like other forms of industrial pollution, what's good for the business is bad for society at large. Why invest in coal scrubbers, water filtration systems or toxic waste recapture when it's cheaper and easier to let it flow into the environment? The same mismatch between personal and societal goods is now apparent in the flood of IoT devices polluting our networks.
IoT network pollution
In the course of investigating the DDoS attack on Krebs, the security consultancy Flashpoint found that many of the compromised devices comprising the bot army were traceable to a single Chinese manufacturer. The devices used a widely known default username and password that virtually no customer bothers, or even knows how, to change. According to Flashpoint's analysis,
"These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability."
Many IoT devices are easily compromised via relatively simple malware that turns them into bots controlled by a command and control server. Worse still, even if users knew enough to change the Web password, the devices can still be reached via Telnet using the default credentials, which the Web portal does not change. Akamai, the CDN overwhelmed by the Krebs attack, has been researching IoT attacks and mitigation tactics, and in a blog post summarizing its findings notes that
"In the Internet of Things, device owners are often at the mercy of vendor updates in order to remove their devices from the pool of botnet nodes. In some cases, IoT devices are entirely unpatchable and will remain vulnerable until removed from service."
It's a relatively simple matter to use a search engine to find all connected devices returning Web headers indicating they are vulnerable to the Mirai malware, which Flashpoint found to number 515,000. Now that the Mirai source code has been publicly released on hacker forums, Krebs correctly concludes that it "virtually guarantees that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." Security expert Bruce Schneier reaches the same conclusion and says that, as with other industrial externalities, regulation is the only near-term answer,
"What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure."
Indeed, the European Commission is planning to draft changes to EU telecommunications law with security and data privacy standards for IoT devices and a multi-step certification process to ensure compliance.
Cyber security is a global problem, and the abuse of cheap, hackable IoT devices to create botnets is a growing threat; however, given that international organizations have been unable to agree on the basics of cyber war and peace, I'm skeptical that effective multilateral regulations can be drafted in the near term.
It is plausible that individual nations could treat and regulate connected devices as potential hazards to public safety, much as they do drugs and other consumer products, but this would require another testing regime and added inspection work for already overburdened Customs agents.
The U.S. FDA, a $4.5+ billion agency with almost half its budget covered by user fees, is one model for crafting and enforcing network device security regulations. But that is highly unlikely given the gridlock in Washington, where the last significant regulations resulted from the near collapse of our financial system.
Even with the benefit of government power, it's virtually impossible to keep non-compliant products from leaking into the system.
The best short-term tactic to counter IoT threats is to extend existing initiatives to share security best practices, threat intelligence, diagnostic and mitigation tools and software patches.
Organizations should also be more discerning when buying connected devices and should always segment networks into application- and role-based security zones with well-monitored control points.
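One way to instrument the well-monitored control points just recommended, as an added example that is not from the original article: two checks over constructed flow records (a hypothetical key=value log format) flag an IoT-zone device initiating Telnet sessions to many distinct peers, behaviour no camera, DVR or thermostat should exhibit, and a device flooding a single target.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed flow records as a control point between an IoT zone and the
    Internet might log them (hypothetical key=value format, not from the page)."""
    lines = []
    # 10.20.0.11 looks like a bot hunting for Telnet: one TCP/23 attempt to each
    # of many distinct hosts.
    for i in range(1, 13):
        lines.append(f"src=10.20.0.11 dst=203.0.113.{i} proto=tcp dport=23")
    # 10.20.0.12 looks like a DDoS participant: a burst of flows to one target.
    for _ in range(40):
        lines.append("src=10.20.0.12 dst=198.51.100.9 proto=tcp dport=80")
    # 10.20.0.13 is a well-behaved camera: a DNS lookup and an HTTPS session.
    lines.append("src=10.20.0.13 dst=10.20.0.1 proto=udp dport=53")
    lines.append("src=10.20.0.13 dst=192.0.2.44 proto=tcp dport=443")
    return lines

def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def telnet_scanners(lines, min_targets=8):
    """IoT-zone hosts that opened outbound TCP/23 to at least min_targets peers."""
    peers = defaultdict(set)
    for rec in map(parse_record, lines):
        if rec.get("proto") == "tcp" and rec.get("dport") == "23":
            peers[rec["src"]].add(rec["dst"])
    return sorted(h for h, p in peers.items() if len(p) >= min_targets)

def flood_sources(lines, min_flows=25):
    """(src, dst) pairs with at least min_flows records: a crude flood signal."""
    counts = defaultdict(int)
    for rec in map(parse_record, lines):
        counts[(rec["src"], rec["dst"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_flows)

if __name__ == "__main__":
    log = build_sample_log()
    print("telnet scanners:", telnet_scanners(log))
    print("flood sources:", flood_sources(log))
```

The thresholds are deliberately crude; in practice they would be tuned per zone, and a hit on either check is a reason to isolate the device at the control point rather than wait for a vendor patch that may never come.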
The IoT security situation is so dire that a Twitter user, now with 144,000 followers, has tweaked the acronym by substituting fecal matter for the third letter. Predictably, IoS has become a meme among security experts. Until we have uniform standards and collective controls on connected device security, individuals and organizations will bear the brunt of network sanitation.