Size doesn’t matter in IoT security

Not to say I told you so, but, well, I told you so. For awhile, I’ve been warning about the security threat posed by Internet of Things devices. And last Friday we saw what happens when poorly skilled programmers pair up with executives who want to make every device smart: security becomes an afterthought, leading to a massive DDoS attack that crippled the Internet.

Unfortunately, this probably won’t be the latest attack attributed to Mirai malware and the botnet it created from 500,000 IoT devices. And don’t expect IoT security to improve. Programmers will continue to use vulnerable code to program IoT devices. They’ll treat C like it’s a basic scripting language. And when it comes time to dream up the next connected device, product security won’t be included in the initial conversations since this would impede deadlines and, ultimately, sales.

Too little, too late

Now, I’ll give some credit (but not too much) to the companies that are improving the security of their products after realizing just how vulnerable they are to attacks. A Chinese electronic manufacturer said its devices will now ask people to change the default log-in credentials when they use the products for the first time. This raises the question of why it took a huge Internet outage to convey the importance of changing passwords. Another positive step: my wireless router automatically updates its firmware. Great! Figuring out how to pull off that technological challenge only took 10 years.

But why has it taken this long for device makers to include these features in their products? Connected devices have been around for at least a decade. And for the security conscious consumers who wanted to update firmware and change passwords on their own, why are these options difficult to carry out? On a related note, television makers need to step up their game. I port scanned my new smart tv (crashing it in the process) and discovered an open port that says “Hello world” when you connect to it.

To infiltrate IoT devices, attackers keep it simple

This brings up one of the things that upsets me the most about the Mirai malware: the basic infection vector it uses. Instead of searching for vulnerabilities or carrying out some amazing hack, the program infiltrated devices by guessing default log-ins and passwords. This is probably the lamest attack vector out there. The attackers could have been stealthier and covered their tracks but why should they have to work harder when programmers make it so easy to pop devices?

And popping smart toasters, wine openers and other devices is really, really easy. I explained just how simple it is in a lecture. For more evidence, visit Exploit Database, which offers countless examples of poor embedded device security. If you know what you’re looking at, infiltrating a device doesn’t require using sophisticated techniques. People are spending thousands of dollars on firewalls but right before their firewalls there’s a $10 modem that’s completely vulnerable. Look at the Hacking Team breach. A router was used as the initial penetration vector. While it’s annoying when Netflix and Twitter are down, having all your sensitive data stolen and posted on the Internet because of the poor security in your cheap router is far worse.

Small devices aren’t automatically secure devices

Ultimately, your smart whatever is still a computer, regardless of it’s size. It has a processor, software and hardware and is vulnerable to malware just like a laptop or desktop. In this case, size doesn’t matter. Whether the device records The Walking Dead or lets you stream House of Cards, attackers can overtake it. And the sooner manufacturers and consumers realize this, the less frequently we’ll see massive DDoS attacks carried out by IoT devices. And please stop saying the “Internet of Things.” It doesn’t exist. It’s the same thing as the Internet. A smart can opener is just a can opener with a computer attached to it.

Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.