Internet of Things (IoT) security: what is and what should never be   
       
   101 | Hacking | How-tos   
   Internet of Things (IoT) security: what is and what should never be   
       
   Posted: December 6, 2017 by Wendy Zamora   
       
   The Internet has penetrated seemingly all technological advances today,   
   resulting in Internet for ALL THE THINGS. What was once confined to a desktop   
   and a phone jack is now networked and connected in multiple devices, from home   
   heating and cooling systems like the Nest to AI companions such as Alexa. The   
   devices can pass information through the web to anywhere in the world-server   
   farmers, company databases, your own phone. (Exception: that one dead zone in   
   the corner of my living room. If the robots revolt, I'm huddling there.)   
       
   This collection of inter-networked devices is what marketing folks refer to as   
   the Internet of Things (IoT). You can't pass a REI vest-wearing Silicon Valley   
   executive these days without hearing about it. Why? Because the more we send   
   our devices online to do our bidding, the more businesses can monetize them.   
   Why buy a regular fridge when you can spend more on one that tells you when   
   you're running out of milk?   
       
   Internet of Things   
       
   Unfortunately (and I'm sure you saw this coming), the more devices we connect   
   to the Internet, the more we introduce the potential for cybercrime. Analyst   
   firm Gartner says that by 2020, there will be more than 26 billion connected   
   devices-excluding PCs, tablets, and smartphones. Barring an unforeseen Day   
   After Tomorrow-style global catastrophe, this technology is coming. So let's   
   talk about the inherent risks, shall we?   
   What's happening with IoT cybercrime today?   
       
    Both individuals and companies using IoT are vulnerable to breach. But how   
   vulnerable? Can criminals hack your toaster and get access to your entire   
   network? Can they penetrate virtual meetings and procure a company's   
   proprietary data? Can they spy on your kids, take control of your Jeep, or   
   brick critical medical devices?   
       
   So far, the reality has not been far from the hype. Two years ago, a smart   
   refrigerator was hacked and began sending pornographic spam while making ice   
   cubes. Baby monitors have been used to eavesdrop on and even speak to sleeping   
   (or likely not sleeping) children. In October 2016, thousands of security   
   cameras were hacked to create the largest-ever Distributed Denial of Service   
   (DDoS) attack against Dyn, a provider of critical Domain Name System (DNS)   
   services to companies like Twitter, Netflix, and CNN. And in March 2017,   
   Wikileaks disclosed that the CIA has tools for hacking IoT devices, such as   
   Samsung SmartTVs, to remotely record conversations in hotel or conference   
   rooms. How long before those are commandeered for nefarious purposes?   
       
   Privacy is also a concern with IoT devices. How much do you want KitchenAid to   
   know about your grocery-shopping habits? What if KitchenAid partners with   
   Amazon and starts advertising to you about which blueberries are on sale this   
   week? What if it automatically orders them for you?   
       
   At present, IoT attacks have been relatively scarce in frequency, likely owing   
   to the fact that there isn't yet huge market penetration for these devices. If   
   just as many homes had Cortanas as have PCs, we'd be seeing plenty more   
   action. With the rapid rise of IoT device popularity, it's only a matter of   
   time before cybercriminals focus their energy on taking advantage of the   
   myriad of security and privacy loopholes.   
   Security and privacy issues on the horizon   
       
   According to Forrester's 2018 predictions, IoT security gaps will only grow   
   wider. Researchers believe IoT will likely integrate with the public cloud,   
   introducing even more potential for attack through the accessing of,   
   processing, stealing, and leaking of personal, networked data. In addition,   
   more money-making IoT attacks are being explored, such as cryptocurrency   
   mining or ransomware attacks on point-of-sale machines, medical equipment, or   
   vehicles. Imagine being held up for ransom when trying to drive home from   
   work. "If you want us to start your car, you'll have to pay us $300."   
       
   It'll be like a real-life Monopoly game.   
       
   Privacy and data-sharing may become even more difficult to manage. For   
   example, how do you best protect children's data, which is highly regulated   
   and protected according to the Children's Online Privacy Protection Rule   
   (COPPA), if you're a maker of smart toys? There are rules about which   
   personally identifiable information can and cannot be captured and transmitted   
   for a reason-because that information can ultimately be intercepted.   
       
   Privacy concerns may also broaden to include how to protect personal data from   
   intelligence gathering by domestic and foreign state actors. According to the   
   Director of National Intelligence, Daniel Coats, in his May 2017 testimony at   
   a Senate Select Committee on Intelligence hearing: "In the future, state and   
   non-state actors will likely use IoT devices to support intelligence   
   operations or domestic security or to access or attack targeted computer   
   networks."   
       
   In a nutshell, this could all go far south-fast.   
   So why are IoT defenses so weak?   
       
   Seeing as IoT technology is a runaway train, never going back, it's important   
   to take a look at what makes these devices so vulnerable. From a technical,   
   infrastructure standpoint:   
       
       There's poor or non-existent security built into the device itself. Unlike   
   mobile phones, tablets, and desktop computers, little-to-no protections have   
   been created for these operating systems. Why? Building security into a device   
   can be costly, slow down development, and sometimes stand in the way of a   
   device functioning at its ideal speed and capacity.   
       The device is directly exposed to the web because of poor network   
   segmentation. It can act as a pivot to the internal network, opening up a   
   backdoor to let criminals in.   
       There's unneeded functionality left in based on generic, often   
   Linux-derivative hardware and software development processes. Translation:   
   Sometimes developers leave behind code or features developed in beta that are   
   no longer relevant. Tsk, tsk. Even my kid picks up his mess when he's done   
   playing. (No he doesn't. But HE SHOULD.)   
       Default credentials are often hard coded. That means you can plug in your   
   device and go, without ever creating a unique username and password. Guess how   
   often cyber scumbags type "1-2-3-4-5" and get the password right? (Even Dark   
   Helmet knew not to put this kind of password on his luggage, nevermind his   
   digital assistant.)   
       
   From a philosophical point of view, security has simply not been made an   
   imperative in the development of these devices. The swift march of progress   
   moves us along, and developers are now caught up in the tide. In order to   
   reverse course, they'll need to walk against the current and begin   
   implementing security features-not just quickly but thoroughly-in order to   
   fight off the incoming wave of attacks.   
   What are some solutions?   
       
   Everyone agrees this tech is happening. Many feel that's a good thing. But no   
   one seems to know enough or want enough to slow down and implement proper   
   security measures. Seems like we should be getting somewhere with IoT   
   security. Somehow we're neither here nor there. (Okay, enough quoting Soul   
   Asylum.)   
       
   Here's what we think needs to be done to tighten up IoT security.   
   Government intervention   
       
   In order for developers to take security more seriously, action from the   
   government might be required. Government officials can:   
       
       Work with the cybersecurity and intelligence communities to gather a   
   series of protocols that would make IoT devices safer for consumers and   
   businesses.   
       Develop a committee to review intelligence gathered and select and   
   prioritize protocols in order to craft regulations.   
       Get it passed into law. (Easy peasy lemon squeezy)   
       
   Developer action   
       
   Developers need to bake security into the product, rather than tacking it on   
   as an afterthought. They should:   
       
       Have a red team audit the devices prior to commercial release.   
       Force a credential change at the point of setup. (i.e., Devices will not   
   work unless the default credentials are modified.)   
       Require https if there's web access.   
       Remove unneeded functionality.   
       
   Thankfully, steps are already being taken, albeit slowly, in the right   
   direction. In August 2017, Congress introduced the Internet of Things   
   Cybersecurity Improvement Act, which seeks to require that any devices sold to   
   the US government be patchable, not have any known security vulnerabilities,   
   and allow users to change their default passwords. Note: sold to the US   
   government. They're not quite as concerned about the privacy and security of   
   us civies.   
       
   And perhaps in response to blowback from social and traditional media,   
   including one of our one posts on smart locks, Amazon is now previewing an IoT   
   security service.   
       
   So will cybersecurity makers pick up the slack? Vendors such as Verizon,   
   DigiCert, and Karamba Security have started working on solutions purpose-built   
   for securing IoT devices and networks. But there's a long way to go before   
   standards are established. In all likelihood, a watershed breach incident (or   
   several), will lead to more immediate action.   
   How to protect your IoT devices   
       
    What can regular consumers and businesses do to protect themselves in the   
   meantime? Here's a start:   
       
       Evaluate if the devices you are bringing into your network really need to   
   be smart. (Do you need a web-enabled toaster?) It's better to treat IoT tech   
   as hostile by default instead of inherently trusting it with all your personal   
   info-or allowing it access onto your network. Speaking of.   
       Segment your network. If you do want IoT devices in your home or business,   
   separate them from networks that contain sensitive information.   
       Change the default credentials. For the love of God, please come up with a   
   difficult password to crack. And then store it in a password manager and   
   forget about it.   
       
   The reason why IoT devices haven't already short-circuited the world is   
   because a lot of devices are built on different platforms, different operating   
   systems, and use different programming languages (most of them proprietary).   
   So developing malware attacks for every one of those devices is unrealistic.   
   If businesses want to make IoT a profitable model, security WILL increase out   
   of necessity. It's just a matter of when. Until then.gird your loins.   
       
       
   Regards,   
       
   Roger   
      
   --- DB 3.99 + PQUSA   
    * Origin: NCS BBS - Houma, LoUiSiAna (1:3828/7)