Interview: Consumer IoT Security Best Practices With Cisco Talos

It is common knowledge that the internet of things is shockingly insecure. The possibility of hackers leveraging the connectedness of your washing machine to wreak havoc on your home security has left the realm of science fiction and become a frightening new reality.

The fact that just about everything is getting plugged into the internet means this will only get worse, as researchers estimate that the number of active connected devices will surpass 40 billion by 2020. The well-documented vulnerabilities found on a wide range of IoT devices have put the spotlight on the lack of IoT security. What can consumers do to protect themselves in the interim while security and other issues are sorted out?

Talos, Cisco’s security research organization formed three years ago after the acquisition of Sourcefire, is one of the largest security organizations in the world. It has 250 members and a vast array of opt-in telemetry from customers, which gives them an unparalleled view of the threat landscape, Craig Williams, Sr. Technical Leader at Talos, told ITWatchIT in an interview.

Cisco Talos’ Craig Williams shares simple steps consumers can take to make IoT devices safer

IoT: More Connectivity – Less Security

IoT devices, in a sense, make life easier because of the convenience, said Williams. The downside, and the part which a lot of people fail to connect, is that the word “smart” before a device means it is effectively a computer. More often than not, it is a little Linux box running server software. The problem with having these devices in your house is that not many people have received a security advisory from a manufacturer. I have asked the audience this question for about a year now at conferences on IoT security, and I have never seen a single person raise their hand.

From an industry standpoint, the reality is that manufacturers of IoT devices in general either do not issue security advisories at all, or not as often as they need to. They don’t patch software very quickly. In one of our recent research projects, we analyzed the Trane ComfortLink II thermostat software made by Trane, and it turned out the thermostat had shipped with the SSH protocol turned on by default. SSH allows servers and clients to connect to each other over the internet. This begs the question of why SSH would be turned on for a thermostat. While I do not have the answer to that, I do know the simple solution would be to turn it off.

Additionally, they had accidentally hardcoded a username and password into the software, so you already have two clear design choice errors. Also, they had accidentally incorporated a buffer overflow into a different protocol. Almost immediately, you have three reasonably severe security issues in this IoT device that should have easily been caught before shipping to consumers.

The second problem with IoT devices, other than the lack of patching, is that security is usually an afterthought. Anytime you try to bolt on security, it won’t work as well as when you plan for it out of the box.

Whenever Cisco builds a product, we have a plan called the Cisco Network Security Baseline. Anytime we create server software, we make sure it adheres to our security baseline. I don’t see things like that being practiced in the IoT industry, and this is highly concerning. In our Network Security Baseline, we have rules that instruct the software not to hardcode usernames or passwords – simple things like that that I don’t see being practiced in the IoT world.

Suspect IoT Device Red Flags

If you are trying to purchase an IoT device, such as a smart thermostat, and it is the exact same price as an analog thermostat, that should be a red alert. It means there’s no money reserved to pay for a development team to release new software updates for that thermostat when the next CORS (Cross-Origin Resource Sharing) vulnerability is released. We don’t see severe CORS vulnerabilities every year, but we do see them every few years, and when you see a smart device that’s priced the same as one that doesn’t need software updates, it is a cause for concern.

Consumers should always look for trusted brands, and never buy an IoT device from companies they have never heard of. Typically, they should purchase these devices from companies they know have been around for some time. The problem with IoT devices is that they are not like cellphones. If I’m getting an IoT refrigerator, or washer and dryer, I plan on having those devices for at least five to twenty years. Consequently, I need to ensure when I’m paying for it that the manufacturer is going to be around for that long, and will still be supporting that device.

That really comes down to brand trust, especially since there are no laws governing that space right now.

Who to Hold Accountable When IoT Devices Cause Consumers Harm

It is true that there are IoT devices that have security issues. For instance, medical devices and thermostats may have security issues that may not be patched. The reality is that none of those devices should be accessible from the internet to begin with. Those devices should go through basic security firewalls and shouldn’t be accessing the internet directly. To go one step further, they should be operating through firewalls that have the proper access controls in place.

When you think about how an IoT device functions, an IoT device should only be talking to the appropriate data center, such as a Google data center. As a user, it would be my responsibility to set up things like that. Things like medical devices should never be exposed to the internet. For instance, door locks have been around for thousands of years, and even today, I’ve never encountered an unpickable lock. There really is no magic bullet – you are not going to have an unhackable device, so you must take precautions.

What you ought to do is implement a layered defense. Secure the device as much as you can, secure the network as much as you can, then restrict access to only those who need to talk to the device.

Privacy is an Issue

Most companies don’t want to keep data that they do not find useful because it costs money to store data. For instance, my thermostat doesn’t know my name or where I live. The only information there is temperature and time settings, which is a small amount of data. On the other hand, a medical device will have potentially sensitive information, and that information should be encrypted both on the device and in the cloud – if it has to connect to the cloud.

When it comes to data protection best practices, it makes sense to keep that data in as few secure locations as you can. As a consumer, if you don’t set up a device properly, by doing such things as changing default passwords and usernames, then you’re asking for trouble, especially when it’s connected to the internet. This is not specific to IoT devices alone, but applies to just about any device that is not set up properly.

That is an important aspect that a lot of people miss. Every security issue that affects IoT devices affects everyday servers. At the end of the day, an IoT device is a small server that simply doesn’t look like one.


Ransomware is relatively straightforward – it is basically capturing your data and preventing you from accessing it. If you have a backup of your data, you can simply restore it. When bitcoin hit the market, it gave hackers an untraceable way to exchange currency. It enabled the sale of illegal goods, the development of malware across countries, with no financial ties, and really enabled criminals to exchange money online in a way that is very difficult for law enforcement to investigate or penalize.

Cisco Talos

Talos is built out of the existing Cisco research team, the IronPort team and the Sourcefire Vulnerability Research Team. Basically, Talos produces every single update for Cisco security products. If Cisco makes it and it blocks malware, then Talos is the one producing the intelligence that allows it to block the malware. We release some of that for free with things like our Snort community rules, and all of our malware write-ups. At the end of the day, the important thing is stopping the bad guys, and we release that data so that anyone, even if they are not a Cisco customer, can block that malware.

Speaker: Craig Williams

Craig Williams is the Sr. Technical Leader / Global Outreach Manager at Talos. His research over the past decade has included running the Cisco malware lab and trying to outwit the very security products he has helped Cisco to design. New areas of network protection, including the utilization of new evasion techniques and threats, have emerged directly from Mr. Williams’ work. Mr. Williams is also working to extend Cisco’s threat defense technologies to a wider range of networking products, broadening the controls and countermeasures that are utilized by existing technologies, and extending coverage across more protocols. His expertise includes designing IPS/IDS signatures, penetration testing, reverse engineering, vulnerability research, botnets, and attack obfuscation.


About Talos

The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes and protects against both known and emerging threats. Talos maintains the official rule sets of ClamAV and SpamCop. Talos is the primary team that contributes threat information to the Cisco Collective Security Intelligence (CSI) ecosystem. Cisco CSI is shared across multiple security solutions and provides industry-leading security protections and efficacy.