The concept “secure by design” focuses on a number of recommendations to make IoT devices more secure. The most important of these recommendations is an ability for the user to update the firmware on these devices. Unfortunately, this recommendation does not go far enough, as evidenced by user behavior in the WannaCry ransomware attack. Instead, IoT devices must be backed by a service that updates its firmware and monitors its behavior; but, this is an expectation that fundamentally clashes with IoT manufacturers’ business models and operations.
In October 2016, Dyn fell victim to the largest distributed denial-of-service attack. The source of all that traffic was mostly tens of thousands of webcams that had been infiltrated by the Mirai botnet. We recently analyzed the webcam models involved in that attack and discovered that most of those manufacturers are still selling those same models of cameras and continuing to support them. However, the majority of those cameras do not support automatic updates.
Why is this significant? In March of this year, the UK Government published a report “Secure by Design: Improving the cyber security of consumer Internet of Things.” In that report, the authors list 13 recommendations for the industry to adopt in order to make IoT devices more secure. The most important three recommendations are:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
Most of the devices that participated in that 2016 Dyn attack were infiltrated because of default passwords, so we can see the reason for recommendation number one above. However, we know that the latest generations of malware and botnets have gotten much more sophisticated: They are now not only targeting default credentials, but also targeting known vulnerabilities.
A recent example of one such sophisticated attack was VPNFilter, wherein the primary attack vector was through known vulnerabilities in router and network-attached storage devices. That is why recommendation number three is so important: We know that no matter how secure we think the software we release today is, the odds are that a security vulnerability will soon be discovered in that software or, more likely, in one of the libraries we have used to build that software.
Still, giving a user a way to manually update the software (including firmware) on an IoT device is not enough.
On our network, we have identified hundreds of devices from major manufacturers that are vulnerable to the libupnp buffer overflow vulnerability discovered by Rapid7 in 2012. The vulnerability was in the underlying libupnp library and was patched by January of 2013; yet, more than five years later, we still see devices that are vulnerable! The bottom line: Many of these devices do have firmware updates, but the problem is that manually updating these devices is hard.
For example, how many Samsung TV users would know that they needed to initiate the update process for their Samsung Smart TV? For routers, it is even worse. The typical update instructions require you to:
- Determine which model you have. (If you get it wrong you could damage your router — oh, and there could be a specific hardware version, too.)
- Find the firmware for that model on the router manufacturer’s website. (If you get this wrong, you could damage your router.)
- Download the firmware locally to your computer.
- Unzip the file.
- Go to your router user interface, for example, http://192.168.0.1 (Does the average person even know how to do that?)
- Log into your router. (Does anyone know the credentials to log into your router? Oh, and they shouldn’t be fixed and available in the manual; otherwise, that violates rule number one!)
- Go to the firmware update page on your router.
- Upload the firmware file from your computer to your router and upgrade. (Oh, and most manufacturers don’t recommend you do it over wireless. Who has an Ethernet port on their laptop these days?)
- Finally, this upgrade may reset all your router settings back to the factory settings, so you must be ready to reconfigure the router with your SSID and password.
So what can be done? The only answer: Automatic updates for the lifetime of the device. IoT devices need to be managed by a back-end service that ensures security issues are patched as soon as the patch is available. That service should also monitor the behavior of the IoT device to affirm it’s behaving within the bounds of its normal operating parameters.
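To make the device side of such a back-end service concrete, here is an added example (written for this page, not code from the author or any vendor) of the check a camera or router would run before flashing an update it has pulled automatically: the manifest must carry a valid vendor signature, match the device’s model and hardware revision, be newer than the installed build, and hash to the downloaded image. The target name, version numbers and image bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest describes one firmware image; the back-end signs it with a key the device trusts.
type Manifest struct {
	Target   string   `json:"target"`       // model/hardware revision the image is built for
	Version  uint64   `json:"version"`      // monotonically increasing build number
	ImageSHA [32]byte `json:"image_sha256"` // SHA-256 of the image bytes
}
// canonical is the exact byte string that is signed and verified; struct field order is fixed.
func (m Manifest) canonical() []byte { b, _ := json.Marshal(m); return b }
// SignManifest is the back-end side, run once when an update is published.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.canonical()) }
// Device is the state a camera or router keeps in flash; VendorKey is provisioned at manufacture.
type Device struct {
	Target    string
	Installed uint64
	VendorKey ed25519.PublicKey
}
// Accept decides whether a downloaded manifest, signature and image may be flashed.
func (d *Device) Accept(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.canonical(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if m.Target != d.Target { // the wrong model or hardware revision can brick the device
		return fmt.Errorf("image is for %s, device is %s", m.Target, d.Target)
	}
	if m.Version <= d.Installed { // anti-rollback: an old, vulnerable build cannot be re-offered
		return fmt.Errorf("rollback refused: offered %d, installed %d", m.Version, d.Installed)
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return fmt.Errorf("image hash does not match signed manifest")
	}
	d.Installed = m.Version // a real device writes the inactive slot, verifies it, then switches
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair, not a vendor key
	image := []byte("constructed firmware image bytes")
	m := Manifest{Target: "CAM-1000/rev2", Version: 2, ImageSHA: sha256.Sum256(image)}
	dev := &Device{Target: "CAM-1000/rev2", Installed: 1, VendorKey: pub}
	sig := SignManifest(priv, m)
	fmt.Println(dev.Accept(m, sig, image), dev.Accept(m, sig, image)) // <nil> rollback refused: offered 2, installed 1
}
```

The monitoring half of the service the paragraph asks for sits on the back-end, not on the device; this block covers only what the device must refuse on its own so that a compromised update channel cannot push an old or foreign image.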
Now, for the next question: Are consumer electronics companies capable of building and maintaining an effective back-end service? I think not. While established consumer electronics companies are now enabling their products to connect to the internet, they lack the expertise to build back-end services that can scale to millions of IoT devices. In addition, their current business model of selling an IoT device for a one-time, low-margin profit does not support the cost of running a back-end service for the lifetime of that device.
Due to consumer focus on security, regulatory pressure and standards-based initiatives (like the Open Connectivity Foundation), we can expect companies to release more and more IoT devices that are fully managed by a back-end service. However, this process will likely take years, and even then, there will still be millions of insecure devices in homes.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.