Dealing With the Internet of Things

The other day, I attended a meeting of the North Texas chapter of ISACA.  There, the information technology veteran, Austin Hutton, gave a presentation on the dangers of the Internet of Things (IoT).  I have written about the IoT and how it can be used to devastating effect.  One of the problems that Hutton talked about is that there are more IoT devices than there are people on earth.   Thousands are being manufactured and sold each day, and each one of these devices can be hacked to assist in an attack.  And the problem is getting bigger.

Most of those devices were poorly designed, and thus have no way of being updated.  The companies who make these devices have thin profit margins, so they cannot afford to make them secure.  In some cases, the manufacturer buy the chips from other companies, so they are not directly responsible for its security.  The average IoT device can be easily hacked: a number of them have easy to crack passwords, or have flaws that were not detected when they were being designed.  There are even programs which can auto-hack some of these devices.  All the hacker needs to do is learn the make and model of the IoT device, select the program, sit back, and gain control over it.  For those devices which are used as intended, they may be doing something illegal.

Hutton gave the example of a Tempur-Pedic bed which can send the user’s data back to Tempur-Pedic for analysis so as to improve the user’s experience.  He then gave an example of someone else (specifically, his 14-year-old granddaughter) sleeping in the bed, and their data being sent to Tempur-Pedic without their permission.  This can be considered breaking the law because she’s a minor.  How would that situation be resolved?  How can we at least minimize the damage from IoT devices?

For one, education.  Though companies are really selling the convenience of IoT devices, consumers must learn how harmful IoT devices can be.  The public needs to learn that these devices can be used to cause harm to our cities, and possibly to themselves.  Recently, the business of a utilities company in Finland was disrupted due to a DDoS attack, resulting in the heating for their customers being disabled.  What if this was the smart thermostats of many of their customers getting hacked?  The attacker could lower the temperatures in these houses, or disable the thermostat, which would be a dangerous situation to homes in Finland during the winter. How else could these devices be attacked?  An attendant to the meeting, David Hayes of Verizon, had one other scenario.

There are utility companies in North America and Europe that use monitors called SCADAs which can remotely control machines vital to a functioning city (one example is the water pumps which keep drinking water flowing through the city).  What if, Hayes suggested, a hacker takes control of these pumps, and threatens to take them offline, or even increases their work to the point of destroying them, unless he is paid $100,000?  Now we’re starting to see the cost of this problem.  This cost will only increase, as malicious hackers devise ways of misusing these IoT devices.

Another way we can minimize the damage from IoT devices is to ensure that your IoT devices can be modified such that only you can control it.  If you can change the password, do it.  Check that a default root password hasn’t been hardcoded into the device.  If you can, find a device that can be updated (though few IoT devices have the capacity to be updated).  On the government side, we’re going to need some form of  oversight.  For instance, no IoT device bought by  the government can lack the ability to be updated.  How about current IoT devices?  There is little we can do about them.  If we’re dependent on them, then it’s going to be difficult to replace them.  Maybe for the average person it’s easy to change their IoT lightbulbs.  But how can a maintenance manager at a company tell his bosses that, due to the threats these IoT devices have to the security of the company, they all have to be changed.  How much will that cost?

This is a growing problem that will grow more as these hacked IoT devices are used to facilitate these attacks.  It is imperative that this problem be addressed now, rather then have some catastrophe occur, and involve the lives of thousands.

The Problems With the Internet of Things

As more and more Internet of Things (IoT) devices are bought and set up, there is a growing concern for what they can do, in addition to their normal purpose.  The security researcher, Brian Krebs, had his website brought down by a Distributed Denial of Service (DDoS) attack.  The company who formerly hosted Krebs and his security, Akamai, said that the attack was brought on by hundreds of hacked IoT devices (he has since started using Google’s protective services).  This didn’t use reflection or replication attacks, either; it used traditional methods of denial of service, by flooding his site for requests.  Akamai says that this is the largest DDoS they have ever seen.  This brings me to the question: how can we prevent and/or mitigate these sort of attacks?

This attack was brought on mainly by unsecured, un-maintained IoT devices.  More recently, these devices have been manufactured, released, and not updated.  The average consumer of these IoT devices know that the features of the device make it such that one can easily control it from afar, often times with one’s mobile phone.  What they do not realize is that hackers can also break into these devices and use them, too.  Often, the manufacturer will throw in a free OS (such as GNU/Linux), add on their thin, proprietary layer, and sell it.  They do not realize the problem they are creating, as exemplified in the attack on Krebs’ website.

It is true that there is a cost to updating and maintaining these devices.  Which company wants to have a costly developer staff just to update the software on their line of light bulbs?  Then again, which company wants to be known for the product which aided in bringing down Google’s servers?  Either way, there’s going to have to be a way for these devices to get updated.

Usually what a user will find on these IoT devices is an embedded OS like GNU/Linux.  So why not develop a distribution that utilizes open standards and receives regular update?  Similar to Android, yet with stricter guidelines.  A company could, for instance, set up a distribution with safety, compatibility, and interoperability in mind.  They could work with the IoT device manufacturers in making products that work together, and can be updated regularly.  Though let’s not just talk about the manufacturers; the consumer also has a responsibility, too.  (It’s worth noting that there is an embedded GNU/Linux distribution that can be easily built and configured for IoT devices.)

The average consumer of IoT devices will have to learn about the extended benefits of these IoT devices, and they must realize that they come with a much greater risk.  Indeed, one cannot put a simple toaster in the same category as a light bulb which one can control with a mobile phone.  They must be made aware that an attacker can take control of their IoT devices and used for malicious purposes.  This doesn’t mean that they need to be scared into acting, though, because actions made in fear are, often times, poor choices.  They should be informed that it’s possible for this to occur, and that there are forces in place which are trying to counter these attacks.

Going forward, companies that make IoT devices, and consumers of IoT devices, must be more safety conscious, for there are malicious forces in the world who are ready and able to make use of these devices for their own nefarious purposes.