The Insidious IoT Threat: how do we face it?

In his latest blog post for cyber.uk, Chris Ratcliff tackles the threat posed by the Internet of Things and asks what we can do to meet the security challenges we face with more and more devices connecting to the internet.

How do you feel about being a pawn in someone else’s battle? It may sound odd, but there are currently people scanning the internet to try and take control of the gadgets and gizmos that you and I plug into our home internet connections. They’re not looking to steal our banking details or passwords or personal photos, they just want our data connections.

There have now been reported Distributed Denial of Service (DDoS) attacks peaking at 1.1Tbs of data, and this new attack vector is through the Internet of Things (IoT), that slightly odd term meaning smart TVs, light bulbs, security cameras, fridges and everything else that manufacturers think should be connected to the internet. When a vulnerable device is found, it is compromised and code is uploaded to it so that, when directed by a remote server, it will send junk traffic at a target.

You might say, why does that matter? The idea of scanning for a vulnerable host and compromising it has been around for as long as there have been computer networks. The problem with some IoT devices though is that they’re not designed for security, but rather built for ease of use by the end consumer, or even down to a cost. With some devices on razor thin profit margins too, ongoing support may be limited or non-existent.

And this is where we have come to with this new method for generating huge surges of data: tens or hundreds of thousands of devices from all over the world, riddled with security holes, plugged into internet connections with little or no barrier between them and the outside world. How did we get in this mess?

There is an eternal conflict between security and usability. While it’s easy for security people to raise the concerns, and technically minded people to build a DIY solution, it’s easy to overlook just how many people consider IT, from laptops and phones to gadgets, to be something that should just work. In other cases, controls are actively turned off. Maybe it’s trying to get a child’s device to connect to the internet, maybe it’s to stop an annoying pop up, maybe it’s sheer bad luck. It comes down to a simple question in the mind of the consumer: “What do I have to do to be secure?”

Historically the answer has been ‘Get anti-virus’, then that was joined by ‘and a firewall’. You were now secure. You didn’t have to worry. You locked your doors at night, and you had a firewall on your PC. You were safe. Some may argue it was a false sense of security, but that was enough for many. Of course, many also forgot or couldn’t be bothered to renew their anti-virus. They wouldn’t update their OS. They had no awareness of End of Life dates. Windows support? Who uses Windows support? It still runs, why bother upgrading it?

And herein lies the problem. Humans like knowing that things are taken care of. Threats of war? We have a military and intelligence services. Threats of violence or theft? There’s the police. Your ISP might offer a firewall or some sort of protection, so you don’t need to worry about online threats. Heck, the wi-fi access point your ISP provided even has Super Protection Features built in! Except that your new CCTV which lets you check on your house from anywhere doesn’t work over the Internet, but when you turn off that protection it does! It can’t be a problem though, they wouldn’t be allowed to sell them if they weren’t secure, right?

Even opening a web page is fraught with problems. If you’ve ever tried locking down your web access, you’ll see a raft of connections made to a myriad of servers with each page request. Adverts, trackers, dynamic content, static content…

The answers, as much as there are, will seem obvious. Change passwords, update firmware, buy from reputable sources. Technology can be difficult though, as a single vendor’s product may be repackaged and sold under a myriad of different brands around the world.

As you’re reading a security blog, written by people who deal with security for a living, then the obvious solution may seem to be more security. Maybe we’ve reached a point where firewalling a PC is no longer enough, and we should use firewall appliances to shield our entire home network. We should set rules on that firewall to limit access to what’s required, and update its firmware and threat signatures frequently. We should inspect traffic coming from different devices and look for anomalies. Of course we also need to keep up to date ourselves with emerging trends and ensure that our defences are fit for purpose for those new threats. Then, when the manufacturer announces an End of Life date, we need to chuck our now obsolete firewalls in the bin and buy something newer, shinier, faster and supported.

Ok, that’s an infinitesimal fraction of the population protected, now the rest of the world.

In the UK, there is the Trading Standards Institute. Their role with local authorities is to ensure what is sold to the public is safe and legal. They run campaigns seizing counterfeit goods or potentially dangerous USB chargers. There’s also CE marking showing that a product meets safety standards set out for that product category. In the US, the Federal Trade Commission proudly states that it is ‘Protecting America’s Consumers’, and they were one of the bodies who charged VW with misleading consumers on emissions. Currently, as long as a device is safe with regards to power handling, materials used and RF emissions then it’s safe. I don’t see any of these bodies or standards looking at how vulnerable a device is.

What makes this especially challenging is that the harm to the individual is limited (though the frequency of these attacks could well increase) but the harm to the population is very significant. If this sounds like a need for herd immunity, then you’d be right, except there’s no vaccine that can be widely, and easily, administered.

I can see a future where Stuff That Connects To The Internet – which will probably be most electrical items and infrastructure – will need to meet a minimum standard to be legally sold in the UK. ISPs will need to be much more proactive in spotting unusual traffic patterns and both protecting the upstream data and informing their customers that something unusual is happening – although the customer service side of that is tricky. Future generations will also be much, much more familiar with everything that’s involved in living a technological life. They will understand the issues more instinctively and be more savvy about how they treat the internet.

However, we need a short term solution. I’ve heard calls for the banning of IoT devices until this issue is resolved, but it leaves a huge legacy of devices sitting on networks which may be unpatchable, owned by people who don’t even realise they’re part of the problem and require action.

I always try and give my blogs something actionable in them, some great take away for people to use. Instead this time, I throw the floor open to you all. Is there a solution to this, or do we need to improve our DDoS protection?