With more and more devices becoming ‘smart’ and connected to the internet, I thought it was time to write a consolidating piece on why the security community is making such a fuss over these devices. Some of these concerns may be considered FUD, but being made aware of the possible abuse scenarios never hurts.
It is an expansion on my earlier Dutch post on “crazed fridges” with some additional comments for corporate environments.
I fully accept the notion that the ‘Internet of Things’ (IoT) is here to stay and I personally use these devices and their services on a daily basis; sometimes probably even without my knowledge.
It is however important that the public understands that these devices are in fact small computers: they directly or indirectly collect personal data, or at least your behaviour, and most of the time depend on remote internet services to operate.
“So what if my thermostat knows that I am on holiday”
It is very likely that not just your thermostat will know you are on holiday. If you are able to remotely control your thermostat, there is a high chance the data of your thermostat is stored at the manufacturer of the device. Rather than using a physical outdoor sensor, many of these devices use an internet weather service to retrieve the outside temperature. For this service to operate they require (and store) your address. Having access to this kind of information, an address combined with a schedule that says when nobody is home, could be beneficial to organized crime.
Like any other company these manufacturers have to adhere to the applicable privacy laws and properly protect any sensitive data they collect. But data protection has not been their core business, so the likelihood that they make mistakes is quite conceivable.
“It’s just a light bulb, what could possibly go wrong?”
And right you are… a light bulb that switches on or changes colour unexpectedly would not necessarily make you jump out of your seat. But imagine yourself in the shoes of the technical administrator responsible for the “Symphony of Lights” in Hong Kong’s Victoria Harbour. The symphony is the world's largest permanent light and sound show and presents a fantastic view of Hong Kong’s waterfront every night. Imagine the amount of cabling and power needed to make this performance a success. Now “fly” back to your living room and consider every IoT light bulb in the country being switched on at exactly the same moment. Do you think our energy grid can cope with that?
“We have a firewall that keeps the bad guys out”
Firewalls enforce a kind of one-way street: connections initiated by devices inside the office are allowed out to the internet, while unsolicited incoming connections from the outside are usually blocked.
The trick is that IoT devices tend to keep a continuous connection with a service on the internet. You could compare this to the mooring lines of a ship: they are there for good reasons, but can be used by vermin to gain access to your boat.
Just like these pests, an attacker would first need to gain access to the ‘mooring’ service the device talks to; once that service is compromised, the standing connection gives the attacker a path back into your network that the firewall will not block. It is therefore well worth reviewing both the device and its related service when introducing this type of device into your corporate network, and worth knowing which standing connections your IoT devices actually hold open.
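A practical way to find those ‘mooring lines’ is to look at the firewall’s session table and list every long-lived connection from the IoT segment to an address on the internet. The script below is an added example, not code from the original post; it assumes the firewall or conntrack can export its session table as key=value lines (the exact format, the 10.20.0.0/24 IoT segment and the sample sessions are constructed for this example, so adapt `parse_session` to your own device).

```python
"""List long-lived outbound sessions from the IoT segment ("mooring lines").

Added example, not part of the original post. It assumes the firewall (or
conntrack) exports its session table as key=value lines; the field names,
the address ranges and the sample sessions below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample session table for this example. IoT segment is
# 10.20.0.0/24, office clients are 10.10.0.0/24, durations are in seconds.
SAMPLE_SESSIONS = """\
proto=tcp src=10.20.0.11 sport=50211 dst=203.0.113.9 dport=443 duration=172800 state=ESTABLISHED
proto=tcp src=10.20.0.11 sport=50212 dst=203.0.113.9 dport=443 duration=30 state=TIME_WAIT
proto=tcp src=10.20.0.12 sport=50300 dst=203.0.113.9 dport=443 duration=90000 state=ESTABLISHED
proto=tcp src=10.20.0.23 sport=43122 dst=198.51.100.40 dport=8883 duration=604800 state=ESTABLISHED
proto=tcp src=10.20.0.23 sport=43123 dst=10.20.0.1 dport=53 duration=2 state=TIME_WAIT
proto=tcp src=10.10.0.5 sport=39991 dst=203.0.113.77 dport=443 duration=90000 state=ESTABLISHED
proto=udp src=10.20.0.44 sport=5353 dst=224.0.0.251 dport=5353 duration=120 state=UNREPLIED
proto=tcp src=10.20.0.44 sport=51000 dst=192.0.2.15 dport=1883 duration=7200 state=ESTABLISHED
"""

IOT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT VLAN
# RFC 1918 ranges used on the LAN; anything else that is unicast is "the internet".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# A session alive longer than this is a standing connection, not a transaction.
PERSISTENT_SECONDS = 3600


def parse_session(line):
    """Turn one key=value session line into a dict with typed fields."""
    fields = dict(token.split("=", 1) for token in line.split())
    return {
        "proto": fields["proto"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "duration": int(fields["duration"]),
        "state": fields["state"],
    }


def parse_sessions(text):
    return [parse_session(line) for line in text.splitlines() if line.strip()]


def is_internet(addr):
    """True for unicast addresses outside the LAN ranges (multicast, loopback
    and link-local traffic are local chatter, not a remote service)."""
    if addr.is_multicast or addr.is_loopback or addr.is_link_local:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def mooring_lines(sessions, iot_net=IOT_NET, min_seconds=PERSISTENT_SECONDS):
    """Return the sessions an IoT device holds open to a remote service.

    A session qualifies when it originates in the IoT segment, terminates on
    an internet address and has been alive for at least min_seconds. These
    are the connections an attacker who compromises the remote service could
    ride back into the network without ever hitting the inbound firewall rules.
    """
    return [
        s for s in sessions
        if s["src"] in iot_net and is_internet(s["dst"]) and s["duration"] >= min_seconds
    ]


def services_to_review(sessions, **kwargs):
    """Group persistent sessions by remote endpoint so each service is reviewed once."""
    by_service = defaultdict(set)
    for s in mooring_lines(sessions, **kwargs):
        by_service[(str(s["dst"]), s["proto"], s["dport"])].add(str(s["src"]))
    return {key: sorted(devices) for key, devices in sorted(by_service.items())}


if __name__ == "__main__":
    for (dst, proto, dport), devices in services_to_review(parse_sessions(SAMPLE_SESSIONS)).items():
        print(f"{dst}:{dport}/{proto} held open by {', '.join(devices)}")
```

Run against the constructed sample it reports three remote services: two thermostat-style devices sharing one HTTPS endpoint, and two devices each holding an MQTT-style session (ports 8883 and 1883) to a vendor host. The short DNS lookup, the multicast discovery traffic and the office laptop’s long session are all left out, which is the point: the list is the inventory of vendor services you need to assess before trusting the devices on the corporate network.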
“It’s not like my fridge will become an all singing and dancing robot”
You are right, but you may have heard of the term botnet: a collection of computers under the control of an attacker. The attacker is able to take control of these computers because they have a security flaw and are missing the related security update or patch. Instead of the light bulb in the example earlier, a flaw in the software of a fridge could be used to build a botnet. The incorporated hardware and software may be the same across models or even brands, so one flaw can affect a very large number of devices at once. Though your fridge will not suddenly start jumping around in your kitchen, an attacker could instruct these flawed fridges to ‘stampede’ towards a website or other internet connected service of their choosing. Deploying a fix to this type of device may not have been considered during development, leaving these devices vulnerable for a long period of time, especially as they tend to have a lifespan of 10 years or more.
I do believe that the IoT will make our lives more pleasant and that we have just flipped the first page into a new era of computing. But it is still computing, and the past has shown that writing secure software is very difficult, either because developers are pressured for time or because they simply cannot foresee how the system they have developed could be abused.
Several IoT consortiums have spawned over the years and several of them are taking security very seriously. Let’s hope we have all learned our lesson.