The future of the internet and the way we use it is in great jeopardy, and most users don’t even realize it.
Threat Awareness – Developing Threats in the Internet Landscape with the Internet of Things (IoT)
Download the PDF Thought Piece – SAVANTURE IoT Threat Report Internet of Things
This isn’t an attempt to create Fear, Uncertainty, and Doubt (FUD); it is simply meant to have you think about the next 5 and 10 years in the context of threats, the Internet of Things (IoT), and the growing number of systems connected to the World Wide Web. There are plenty of statistics on the number of IPs connected to the internet today and in the future, but let’s bring it down to a number you can easily get your head around. Think back just 5 years and you probably had a couple of connected devices, such as your smartphone and a computer or two. Think back 10 years and you probably had one PC. What do you have today? Several PCs, a smartphone, your home and business phones, a couple of tablets, a couple of TVs, a gaming console, a DVD/media player, a router or wireless access point or two, and a printer? If you don’t already, in the next couple of years you will add another TV or two, a home security system, a smart home controller, a fridge, and more, without even getting creative. So within the last 10 years you went from a presence on the internet of two IPs to more than a dozen (most of them sitting behind a home router, but each one still a reachable, exploitable endpoint), and within 5 more years it’s not hard to predict you will have 24 or more. Now the scary questions: how secure are any of those devices or applications? How easy is it for others to compromise those IPs and weaponize them?
Doug Howard first used the term “Weaponized IP” in presentations after the release of his book “Security 2020: Reduce Security Risks This Decade”, published by Wiley in 2010. At that time it meant primarily an IP address that had been compromised (e.g., by malware or enrolled in a botnet) or was being used by an attacker. Pretty simple: something connected to an IP address and doing bad things. A weaponized IP will always be an IP doing a bad thing, but to really appreciate its power you must, as with any weapon, categorize it in a meaningful way. There are many ways to characterize threats in IT security and they all have merit, but they are rarely conversational. Rather, they provide extremely deep levels of classification and definition (e.g., STIX), making them hard to grasp conceptually. So let’s do a high-level categorization before we talk about the big threat. Let’s create three broad categories of why one would weaponize an IP:
•To anonymize activity (good or bad). Obviously, if you’re doing something bad, you want to mask who you are as much as possible.
•To create a trusted, or more trusted, relationship by having the other party believe you are someone else. Most security postures apply less scrutiny to connections, system assets (e.g., websites) and users with whom they already have a relationship (employees, partners, customers, etc.).
•To establish scale, whether for distribution or to increase the number of IPs under control for an attack.
From an attack vector perspective, any device with intelligence can be weaponized. In testing, we have been able to identify paths to compromise for home automation systems, IP-enabled TVs, media devices, and more. This doesn’t always mean a fully compromised machine; it can be as simple as pinging the device with a spoofed source IP, reaching its web console, and so on. In any of these scenarios you can quickly see how a DDoS launched across large IoT ecosystems could impact many businesses simultaneously.
So why does an orders-of-magnitude increase in connected, intelligent IoT devices constitute such a threat?
It’s because IoT devices aren’t built with security in mind. They are either vulnerable the day they are connected, or they will become vulnerable sometime during their useful life. IoT devices and applications rarely carry per-device keys or certificates, their software will probably never be updated, and their authentication is typically weak. Consider also that each device connected to the internet runs not a few applications but dozens, each with its own threats. Many, if not most, of these IoT devices are not designed and hardened to operate safely in the open hostility of the Internet. If IoT devices were connected via dedicated, isolated IP networks this would be a lesser issue, but today’s Internet is a hostile environment and any connected intelligent device is a target to be exploited. A device becomes exploitable when it can be made to do things it was not designed to do by an input it was not designed to ever receive. That is the essence of the problem. Think of each workstation, laptop, tablet or smartphone you own today, and of the number of updates, “Patch Tuesdays,” and new software releases you need to apply just to maintain a basic level of security. Each of these computing devices was designed and tested to operate on the Internet and was reasonably safe the day it was released for sale. Thereafter, probably within days, new vulnerabilities were discovered and patches were created that you needed to apply, and those patches will continue throughout the life of the device. An IoT device that ships with the same class of flaws but has no patch channel simply stays vulnerable.
Some cloud providers provide an umbrella of security by requiring IoT devices to present credentials or certificates and to use encryption in order to connect to other devices through the cloud. An IoT gateway approach also adds a layer of security and is better than nothing, but gateways are rarely deployed with security top of mind. As with many architectures, a single exploit on a device or gateway can compromise all the devices behind it.
Clearly these devices are rarely protected by embedded security controls (blocking, detection, patching, etc.) and rarely use any key-pair authentication. And those are just the IP-connected intelligent devices you know about. Did you ever make a purchase from a vending machine or gas pump with your credit card? How hardened are those devices, and are they being patched to keep them safe from exploitation? The industry’s ability to build smart devices and connect them to the internet has outpaced its ability to protect those intelligent devices from exploitation. That’s the immediate problem, but many don’t understand the implications of a compromised IoT device. Consider your privacy and safety for a second. Imagine if someone compromised some of the sample IoT systems below:
•Home automation system – understanding what you have programmed may provide insight into your comings and goings (e.g., automatic light settings).
•Refrigerator – who cares if someone steals your grocery list? Some people might, maybe those with allergies, or because it reveals where you shop (e.g., integrated coupons), but the main concern is identifying when you are and aren’t home. Imagine your normal use of the fridge: you get up, make some coffee, maybe with milk, or get juice. When you work from home you have one pattern; when you work from an office, another. With just the open/close events, an attacker now has a pattern of your comings and goings. If you don’t open the fridge for 24 hours, they have an indicator that you’re on vacation.
•Home alarm system – this one is pretty obvious. The attacker could disable the alarm, stop outgoing alerts, etc.
•Video surveillance or kid monitoring – hmm, you can imagine …
•Future IPTVs will likely have cameras built in. Think of many game consoles today.
•IP router/wireless compromise – an attacker can now redirect your traffic, sniff it, or point you to a spoofed website (e.g., bank, credit card, mail).
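To make the refrigerator scenario above concrete, here is an added example (not code from the original piece) that applies the same inference to a constructed door-open event log: it derives a wake-up time per day, flags days with midday activity (a work-from-home signal), and reports any gap of 24 hours or more as a probable absence. The log format, timestamps, event names and thresholds are assumptions made for illustration.

```python
"""Occupancy inference from appliance telemetry.

Added example, not part of the original piece. It shows how the
open/close events of a networked fridge leak a household's schedule.
The log format and timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample log: one line per event, "ISO-timestamp event_name".
SAMPLE_LOG = [
    "2015-03-02T06:42:00 door_open",   # Monday
    "2015-03-02T18:15:00 door_open",
    "2015-03-03T06:38:00 door_open",   # Tuesday
    "2015-03-03T12:05:00 door_open",   # midday use: someone is home
    "2015-03-03T19:02:00 door_open",
    "2015-03-04T06:45:00 door_open",   # Wednesday
    "2015-03-04T18:40:00 door_open",
    "2015-03-05T06:40:00 door_open",   # Thursday
    "2015-03-05T07:10:00 door_open",
    "2015-03-05T07:30:00 temp_alarm",  # unrelated event type, ignored
    # nothing Friday through Sunday: the household is away
    "2015-03-09T20:30:00 door_open",   # Monday evening: back home
]


def parse_log(lines, event="door_open"):
    """Return sorted datetimes of the chosen event type."""
    stamps = []
    for line in lines:
        ts, kind = line.split(" ", 1)
        if kind == event:
            stamps.append(datetime.fromisoformat(ts))
    return sorted(stamps)


def first_open_by_day(events):
    """Earliest opening per calendar day, a proxy for wake-up time."""
    first = {}
    for e in events:
        first[e.date()] = min(e, first.get(e.date(), e))
    return first


def midday_presence_days(events, start_hour=10, end_hour=16):
    """Days with activity during office hours: likely working from home."""
    return sorted({e.date() for e in events if start_hour <= e.hour < end_hour})


def absence_windows(events, min_gap=timedelta(hours=24)):
    """(last_seen, next_seen) pairs where nobody touched the fridge for min_gap."""
    return [(a, b) for a, b in zip(events, events[1:]) if b - a >= min_gap]


def profile(lines):
    """Everything an attacker learns from the raw log, in one structure."""
    events = parse_log(lines)
    return {
        "typical_wakeup": {d.isoformat(): t.strftime("%H:%M")
                           for d, t in first_open_by_day(events).items()},
        "home_during_day": [d.isoformat() for d in midday_presence_days(events)],
        "absences": [(a.isoformat(), b.isoformat(), (b - a).days)
                     for a, b in absence_windows(events)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(profile(SAMPLE_LOG), indent=2))
```

Nothing here requires breaking into the fridge; read access to its telemetry, whether on the device, at the gateway or in the vendor cloud, is enough, which is why the confidentiality of "harmless" appliance data matters.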
And the list goes on. Not only is this a big business problem, but it’s a personal issue as well. A better way to put it is that devices are being added to the internet without consideration for security, faster than they should be. Encryption, authentication, access control, privilege management, file system change management, and file integrity are just some of the security mechanisms lacking on intelligent devices and applications today.
There are ways to protect these devices and applications, but some basic security needs to be put in place to help improve the overall hygiene of the internet.
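As an added example of one of the missing controls listed above, file integrity, here is a small baseline-and-verify routine of the kind a device or gateway vendor could run against its own filesystem. It is not code from the original piece; the directory layout, file names and simulated tampering in demo() are constructed for illustration.

```python
"""File-integrity baseline and verification for an embedded filesystem.

Added example, not part of the original piece. It records a SHA-256,
size and permission bits for every regular file under a root, then
reports anything added, removed or changed. The tree built in demo()
is constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries don't fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> {sha256, size, mode} for every regular file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # catches a new setuid bit
            }
    return baseline


def verify(root, baseline):
    """Diff the live tree against a baseline; returns sorted lists of changes."""
    current = build_baseline(root)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def save_baseline(baseline, path):
    # The baseline must live somewhere the device's own processes cannot
    # rewrite (read-only partition, signed blob, or the gateway/cloud side);
    # a baseline an attacker can edit proves nothing.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, verify."""
    root = Path(tempfile.mkdtemp(prefix="fim_device_"))
    store = Path(tempfile.mkdtemp(prefix="fim_store_"))  # stands in for off-device storage
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "config.json").write_text('{"admin_password": "admin"}\n')
    (root / "bin" / "httpd").write_bytes(b"\x7fELF placeholder: web console")
    (root / "bin" / "busybox").write_bytes(b"\x7fELF placeholder: busybox")
    save_baseline(build_baseline(root), store / "baseline.json")
    # Simulated post-compromise changes on the device.
    (root / "etc" / "config.json").write_text(
        '{"admin_password": "admin", "telnet_enabled": true}\n')
    (root / "bin" / "dropper").write_bytes(b"second-stage payload")
    (root / "bin" / "busybox").write_bytes(b"\x7fELF placeholder: trojaned busybox")
    os.chmod(root / "bin" / "busybox", 0o4755)  # setuid for persistence
    (root / "bin" / "httpd").unlink()
    return verify(root, load_baseline(store / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the mode bits alongside the hash is what lets the check notice a file that kept its contents but gained a setuid bit; comparing hashes alone would miss that class of change.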