“There will be more than 24 billion things connected to the Internet by the year 2020,” said Linda Grindstaff, VP of Content Operations in McAfee’s Office of the CTO, who keynoted at the recent Internet of Things Device Security Summit held in Santa Clara, California. That’s more than four connected devices per person on the planet. “There will be more than 80 connected devices in a household by 2020,” she said, noting that, “all of these devices have security vulnerabilities.”
“60% of consumers are concerned about security and don’t know what to do,” concluded Grindstaff.
Then she discussed an example:
McAfee Labs’ Advanced Threat Research team uncovered a flaw in Belkin’s Wemo Insight Smart Plug. Basically, the Wemo is an IoT smart AC switch, and it has a buffer overflow bug—a very common software problem and one that’s familiar to any Microsoft Windows user.
Yes, so what? Here’s what. It’s possible to hack the WiFi-connected Wemo switch, but that’s not the real problem. Using standard Internet exploits, hackers can turn the Belkin Wemo into a network gateway and use it to gain access to your home’s entire Wi-Fi network. The Wemo can be used to access all of the other less-than-secure IoT devices on your home Wi-Fi network.
For example, your smart TV.
So what, you say. Who cares if a hacker can change the channel on my TV? You probably don’t mind if a remote hacker channel surfs at your expense. After all, they can’t watch the video. But would you mind if they activated your TV’s microphone and listened in on your conversations? How about if hackers used the Belkin Smart Plug to connect to the babycam in your nursery or the Webcam in your teenage daughter’s bedroom? Got the picture?
Let’s make a quick time jump to one of the subsequent speakers at the IoT Device Security Summit, Chowdary Yanamadala from Arm, who discussed two more IoT and near-IoT exploits. The first exploit, the famous Mirai botnet caper, nearly shut down Internet service in the northeastern US in October, 2016 through a DDoS (distributed denial of service) attack. The Mirai malware turns networked devices running Linux into remotely controlled “bots” by identifying vulnerable IoT devices and breaking into them using a table of common factory default usernames and passwords. Mirai finds vulnerable devices, logs into them, and infects them with malware.
In this particular example, the infected IoT hosts included printers, IP cameras, residential gateways, and baby monitors. All of these devices were infected with Mirai malware. The resulting DDoS attack shut down more than 70 big, globally known Web sites including Airbnb, Amazon, CNN, Comcast, DirectTV, github, HBO, Netflix, Starbucks, Twitter, Verizon, and Yelp. (OK, so who cares about Yelp?)
In all, the estimated economic damage topped $100 million.
The Great Paris Streetlight Robbery
You don’t even need the Internet to cause havoc using IoT security exploits, said Yanamadala. His second example involved the ZigBee-connected smart streetlights of Paris (France, not Kentucky or Las Vegas). This exploit took advantage of a bug in the ZigBee chip used in the streetlights. Several bugs, in fact.
The first bug was in the chip’s proximity detector. Normally, the chip is supposed to ignore factory-reset commands from transmitters farther away than 45cm. It’s tough to get that close to a streetlight on a tall pole (but you can do that with a ZigBee-equipped hacking drone, for example.) However, the ZigBee chips used in the streetlights allowed such commands from transmitters as far away as 400m. That’s nearly two orders of magnitude larger than spec. No drones needed.
Next, the hackers (actually researchers) were able to use the global security key that’s used to encrypt and authenticate new firmware for this chip, which was obtained through a side-channel attack that monitored the chip’s current consumption. This key has now been widely published, and that same key is used in every single copy of this particular ZigBee chip. So once the key had been cracked, every such chip was open to hacking.
Using these two exploits, the team could infect a random selection of Paris streetlights by forcing an OTA (over-the-air) firmware update that included code to spread the infection from one connected streetlight to the next. A chain reaction over the entire mesh network of streetlights was then possible.
And now, back to Grindstaff’s keynote.
The IoT security problem is much bigger than simply taking over an IoT device or even an IoT device class. The problem is that these devices can be hacked to broadcast almost any sort of message over the Internet, because IoT devices are connected to the Internet. That’s what put the “I” in IoT.
As the famous New Yorker cartoon said way, way back in 1993: “On the Internet, nobody knows you’re a dog.”
So what can an IoT hack do? Here’s what:
Ransomware: Once a hack gets into the home network of a corporate CEO (or other executive), the hacker may be able to use the executive’s access of a corporate network, using the hacked home network as a gateway, to cause all kinds of mischief. Lucrative mischief.
Life and Death: Grindstaff cited an example where she watched over the shoulder of one of her colleagues at McAfee as he hacked into an X-ray machine at a hospital and pulled up images of a patient’s leg. Don’t think just about X-ray machines. Think about heart-rate monitors, medical infusion pumps, and ventilators. People can die from this sort of IoT hacking. Nearly all medical equipment is going IoT as fast as possible to provide the electronic monitoring needed to stretch human medical staffs across more and more patients. This potential problem grows daily.
Fake Ads: The recent US political campaign season underscored the effects of political advertising. Hacked IoT devices can give covert access to targeted users, making the delivery of surreptitious, fake ads possible.
Social Media Scams: Don’t care about politics? Think phishing for profit instead. Same mechanism, different motive. McAffee has long known that the user is the weakest link in the security chain. Pushing phishing exploits through social media using unexpected security holes made possible by poorly secured IoT devices opens a vast new playing field for phishing scams.
Industrial Control Havoc: Once you understand the IoT security hacking threat, it takes little imagination to think of the havoc to be caused by commandeering pumps, valves, motors, chemical plants, refineries, and nuclear power plants—just to name a few.
So the threat’s real. What’s to be done?
Grindstaff had some specific recommendations for fixing the IoT security problems:
Embed security into the architecture, interfaces, and product design of IoT devices. You cannot effectively add security as an afterthought. Establish and test your basic security assumptions. Ask:
- How do you protect data?
- How do you compartmentalize data and code so that data cannot behave like code? So that code cannot be modified like data?
- How do you authenticate users? (Two-factor authentication is best.)
- How can you get IoT devices to work together collectively as a secure system/network?
- How do you secure the IoT device, its network, and the cloud to which it’s connected in a chain of trust?
- How can you secure legacy devices that don’t have security or have security added as an afterthought?
Do not allow default passwords, for reasons that should be obvious from the discussions above. (Want to see how easy it is to get default passwords? Try www.shodan.io. It will give you plenty of real, IoT default passwords in current use.)
Require patches and upgrades to be encrypted and signed.
Allow only approved software to run on IoT devices.
Authenticate owners and allow only authenticated owners to set limits on data and privacy policies.
Automatically install signed security updates during IoT device provisioning.
Provide advanced configuration and reset capabilities. If an IoT device or its network detects an intrusion attempt, initiate a factory reset to block the hack from the system.
My opinion is this: Grindstaff’s advice is fine, as far as it goes, but it requires all of us to become network engineers and to memorize hundreds of new IoT passwords. I’m pretty sure that it’s not going to work the way Grindstaff described things. Allow me to provide one personal example as positive proof:
I have a friend living in my condo. He installed a Nest IoT thermostat a while ago so that he wouldn’t need to get up all the time to change the temperature setting on thermostat. No, he’s not lazy. He doesn’t walk well, so getting up is a real problem for him. Shortly after the Nest thermostat was installed, it turned the heating system on full blast in the middle of summer. My friend could not shut the system down and was in danger of dehydrating from the heat when he called me.
After all, I’m an electrical engineer with more than a passing familiarity with things Internet. How hard could it be?
I went down to his condo to help.
The Nest thermostat’s built-in user interface was completely unresponsive. Clearly, I needed to access it over its Wi-Fi connection through the app on my neighbor’s cellphone, so the first thing I needed was the password. After all, you can’t let just anyone control an IoT thermostat.
I didn’t know the password, of course, because I hadn’t installed the thermostat. My neighbor, in his agitated, partially dehydrated state couldn’t remember the thermostat’s password either. In this case, the emergency shutoff was the furnace’s circuit breaker. The next step was to call the person who’d installed the thermostat. He had the password and fixed the thermostat a day later.
That’s just an example of one household IoT device. Maybe it’s an extreme example, but it really did happen to me (actually to my neighbor).
Now recall Grindstaff’s prediction at the beginning of her keynote:
“There will be more than 80 connected devices in a household by 2020.”
Think of my neighbor’s experience times 80. A tsunami of IoT security disaster awaits us all.
Need help? (Hint: Yes, you do.) Try McAfee’s Solution Brief: “Secure IoT Devices to Protect Against Attacks.”