Why IoT security is still BS

The Internet of Things (IoT) is still insecure as ever. I wrote about this topic last January and while I didn’t expect device makers to make a security a priority so quickly, I was hopefully that some incremental change would occur.

Turns out, I was too optimistic. A technician recently stopped by my apartment to set up cable and Internet service. The cable modem was taking awhile to come online, which the technician attributed to “security updates.” After the technician left, I decided to test the cable box’s security and popped a root shell on in five minutes.

The reason is pretty simple: companies still don’t care about security, especially if they’re producing consumer goods. Their focus is on developing connected water bottles, kettles, socks or other smart trinkets and getting them to the market as quickly as possible. Security is an afterthought, if it even comes up at all.

Software development trumps security

Let’s say you purchase a router or a modem. The manufacturer isn’t responsible for getting a customer to update their device with the latest firmware. And that’s assuming that the manufacturer is consistently issuing firmware upgrades, which usually isn’t the case. I’d argue that many companies are more interested in getting you to buy a new piece of hardware instead of getting you to download the latest firmware update.

Software development takes precedent, not security, in the development of IoT products. This results in people who aren’t completely familiar with how to harden a device from attackers handling security. While this process may lead to products reaching consumers faster, it does very little to keep them safe from hacks. Also, since the profit margins associated with IoT devices is so slim, companies typically don’t invest in security since they’re looking to keep costs down and maximize profits. That smart water bottle, for example, will sell for $5 and cost $3 or $4 to make.

Making the state of IoT security even worse is that many IoT device makers use the same software development kit (SDK). Now if the company that developed the SDK put out a product riddled with bugs, all the devices using that SDK are vulnerable to those flaws. If the software is the same, the exploit will work, regardless of the device.

Now there are some companies that do care about security. These organizations usually sell more than just the device. They may offer storage services, app stores and other services in addition to a piece of hardware. There’s an incentive to include security in the product’s design since they’re trying to sell you and keep you using several of their products.

Users also need to take some of the blame for shoddy IoT security. Many people never change the default passwords on their devices, giving attackers an easy way to hack into their lives. And, going back to the firmware issue, people aren’t proactive enough about keeping their devices up to date with the latest software releases.

Major software flaws haven't improved IoT security

Unfortunately, major incidents involving network-enabled devices haven’t motivated vendors to incorporate security into their products from the start. Remember when flaws in the UPnP  protocol exposed thousands of network-enabled devices, including TVs, printers and routers, to remote attacks? That incident was nearly four years ago. Has security improved then? In a word: no. The modem vulnerability I talked about earlier can be exploited from outside the network so all modems running that codebase are susceptible to that flaw. Someone just needs to put in 20 minutes worth of work, write 50 to 70 lines of Python code and they’re in.

And here’s more proof. More than 1 million Web-connected DVRs and video cameras have been infected with malware that allows attackers to use the devices for DDoS attacks, according to research released this week. Incidents like these show why IoT security is still BS.

Here’s how companies can make their IoT products secure:

  • Decide that security is a priority and invest in it, especially around hiring (which leads me to the point below).
  • Hire embedded security experts and penetration testers to check the security of your devices.
  • Don’t forget about updating and supporting older products. Consumers still use them and until a flaw is patched, an exploit will still work. Code doesn’t age.
  • Review your code and review it again to make sure there aren’t any flaws. Be as meticulous as possible when you write the product’s software. C is a powerful programming language and shouldn’t be treated like a scripting language.
  • Educate consumers about device security and include, easy-to-understand directions on how they can keep their device secure.
Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.