The IoT Sky is Falling: How Being Connected Makes Us Insecure
The first chunk of actual sky recently slammed into the ground with a resounding thud.
The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.
Fortunately, a combined research team from the University of Michigan and Microsoft recently performed in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step farther by building four attacks based on their research. These attacks designed real exploits like creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.
The device at the center of the research is the Samsung SmartThings platform, which is a series of products and associated software that is tied together on a hub device. Samsung sells monitors, alarms, and other devices. There is also a community of products that are SmartThings-enabled ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices as well as mobile and Web apps to control the devices connected to the platform.
It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software not designed and constructed to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.
This research shows what the security industry has known for a while and simply proves it to everyone else.
When people see a television commercial of a couple operating their front door lock from a mobile app on their phone, most see convenience and safety. However, those in the security community immediately see vulnerabilities and exploits. The report validates our apprehension.
The research notes that the majority of the vulnerabilities exist in the software of either the device or the software that controls the devices. This is exactly what the security community has feared. This pattern is repeating every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.
When vulnerabilities are discovered in business applications, there are changes made to remediate the exploits and patches, or new releases are distributed to update the software. There are people in the business whose job it is to ensure that the devices in the business are kept updated to mitigate potential attacks.
In the IoT scenario, there may be software that isn’t programmed to protect against new and emerging threats. In order to manufacture devices at a competitive price point, manufacturers may not enable that capability (hardware/software) to update the software on the device. This leaves the consumer with the decision to scrap the vulnerable device or hope against an intrusion.
If you knew a mechanical lock on your front door was no longer functionally capable of securing the door, would you continue to use it to keep out lurking thieves? My guess is no. Because you can see and feel the lock, you would likely have evidence of its failure and want to replace it. Now what about software? How do you know if the software has a vulnerability or if that vulnerability has been exploited?
While you consider those questions, one thing to consider is that the research did not touch on the privacy issues involved. For example, the amount of data that’s communicated back to a central database. This is data about you and your family. Your habits, your comings and goings. Data that can easily create a picture of who is home at any given time on any given day. It knows if you leave your door unlocked. It knows if your burglar alarm is on—or not.
This shouldn’t be ignored. Data is being collected—how else does a smart thermostat know you’re home—and you have to ask, “Where does the data go and who is protecting it?”
The best part about this chunk of sky that fell to the ground was the research was conducted by university researchers. Consider the research information carefully and become an intelligent consumer of IoT products and services. IoT promises a lot of convenience, but there is a price to be paid if you don’t involve the best connected device ever created—your brain.