
Internet of things security: progress, hype and headache

The Internet of Things is a fashionable term, much like cloud computing. And like cloud computing, it makes little sense from a technical point of view: it is a brand under which a million different technologies, and even more use cases, are hidden. What prompted this text was the discussion of IoT news in my digests: on several occasions I received reproaches, some fair and some less so. For example, can home routers be considered “Internet things”, and does IoT extend to manufacturing and other industrial high-tech?

To have fewer such questions in the future, today I will try to formulate a more or less clear definition of IoT, based not on how the relevant devices and systems are made or marketed, but on the need to protect them. I will also give a couple of links to interesting research by the Lab on the topic, try to assess the current security situation of the Internet of Things, and even attempt to look into the future.

The source of information about the miracle devices in this article is the Twitter account Internet of Shit: its author has spent a year bravely exposing the attempts of various manufacturers to steer the development of the Internet of Things toward total failure. However, this channel is better taken as modern tech satire: while we laugh at the umpteenth kettle with Facebook inside, the real IoT arrives unnoticed and unasked for. That is the real problem.

Something went wrong in a smart house


Perhaps the main news in the context of the “Internet of Things” this year was the shutdown of the Revolv smart home hub. Developed by the startup of the same name, the device went on sale in 2013. Already in 2014, sales were discontinued after the vendor was bought by Nest, which is part of Google's parent conglomerate Alphabet. The devices already sold continued to be supported by the vendor, but on May 15 of this year, by decision of Nest, they literally turned into a pumpkin.

The relatively few owners of the Revolv smart home solution were furious, to put it mildly. Media attention was drawn both by the flowery curses aimed at a fashionable vendor of smart solutions and by the general problems of any smart device. The point is not even that the owners lost vendor support and updates. The devices simply stopped working. Completely, because their mandatory connection to the vendor's infrastructure was switched off. In exchange, the vendor offered a full refund of the device's price ($300), but compared to the real cost of an entire smart home system whose main control device has suddenly stopped working, this is pennies.

Meanwhile, the reason for such a failure was precisely the developers' correct desire to solve the problem of the variety of technologies on which smart devices are built. On one side the device connected to the Internet via WiFi; on the other it talked to a menagerie of wireless devices (light bulbs, smart switches, etc.) using various wireless protocols. At the hardware level, Revolv tried to support every radio communication standard, support for specific devices was added regularly through the cloud, and the cloud also handled interaction with the control application on the owner's smartphone.

This favorably distinguished the model from competitors that worked with a hard-coded list of devices. In an ideal world, this guaranteed that a smart home could be expanded with new devices even if previously supported ones disappeared from sale. Alas, the developers did not anticipate the possibility of their own infrastructure being switched off. And in vain. It reminds me a lot of the story of the Maemo support servers being disconnected: a Nokia mobile platform that was successful but did not survive the company's business turbulence. In that case, admittedly, everything ended well: enthusiasts of the Nokia N900 and of the earlier and later devices raised funds and moved the update and distribution servers to an independent platform.

Attempts to define terms


This whole story is directly related to security: the low security of Internet of Things devices is caused, firstly, by their permanent presence on the network, and secondly, by the difficulties vendors have with updating software and supporting the infrastructure for a growing fleet of devices. There are plenty of examples of the latter, for instance a discussion of how a Google API update broke a smart refrigerator. This is the place to try to formulate what the Internet of Things is, in the context of security.

This is a set of digital devices that:

- Exchange data over a local wireless network and/or via the Internet.
- Work autonomously, often around the clock, without regular interaction with a person (or without any at all).

It seems to me that further clarifications are redundant and unnecessary (I expect this point to be debatable; welcome to the comments). A photo frame that for some reason is permanently connected to the network via WiFi is the Internet of Things. A smart thermostat and a kettle: that's it too. A TV with Skype: yes. Scales with a Twitter account: add them as a friend. Wireless water meters. Solar controllers. A candle that ignites from a smartphone.


Seriously, a candle!

In fact, here we need to add a lot of things that represent not the future but the long-established present: ATMs, payment terminals, ticket terminals, ticket printers for electronic queues. And then everywhere: CCTV cameras, home and industrial, traffic speed cameras, controllers of street lighting and traffic lights. Our experts give examples of vulnerabilities in almost every device of this type. Yes, there is little in common between the functionality of an entrance camera and a smart kettle. From the point of view of security there is no difference, since two conditions are met: autonomy and accessibility from the Internet, either directly or in a roundabout way, through a complex but crackable mechanism.

IoT security


The security assessment of the Internet of Things (as of any other class of devices or technologies) splits into two areas: theoretical (research into potential vulnerabilities) and practical (analysis of real attacks). An example of the theory was given above. Here is another technical analysis of various devices, with telling examples like these:

CONFIG_*******_ROOT_PASSWORD = "sVGhNBRNyE57"
CONFIG_*******_ROOT_PASSWORD = "GFg7n0MfELfL"

A typical (already fixed) vulnerability in an IP camera: a hard-coded root password.
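The lines above are a build configuration with the root password baked in as a literal. A defender's first line against this class of defect is to scan firmware build configs before release. The following is an added example, not code from the original post or from any vendor's firmware: a small Go scanner that flags credential-looking keys assigned a non-empty quoted literal, and reports them without echoing the secret. The sample config, the vendor prefix VENDORX and the values in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed firmware build configuration for this example. The vendor
// prefix VENDORX and every value are placeholders, not taken from a real device.
const sampleConfig = `CONFIG_VENDORX_HOSTNAME="ipcam"
# CONFIG_VENDORX_TELNET is not set
CONFIG_VENDORX_ROOT_PASSWORD="example-only-1"
CONFIG_VENDORX_ADMIN_PASSWORD=""
CONFIG_VENDORX_CLOUD_TOKEN="example-only-token"
CONFIG_VENDORX_KEY_LENGTH=2048
`

// credentialPattern matches KEY="value" lines whose key names a secret and
// whose value is a non-empty quoted literal. An empty value ("") means "unset"
// in this format and is not reported.
var credentialPattern = regexp.MustCompile(
	`^\s*([A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN)[A-Za-z0-9_]*)\s*=\s*"([^"]+)"\s*$`)

// Finding records one hard-coded credential. The literal value is kept only so
// that a caller can act on it; Masked is the only representation meant to be
// printed or logged.
type Finding struct {
	Line  int
	Key   string
	value string
}

// Masked reports the finding without revealing the credential itself.
func (f Finding) Masked() string {
	return fmt.Sprintf("line %d: %s = <redacted, %d chars>", f.Line, f.Key, len(f.value))
}

// ScanConfig walks a build configuration line by line and returns every
// hard-coded credential assignment it finds, in file order.
func ScanConfig(cfg string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(cfg, "\n") {
		m := credentialPattern.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		findings = append(findings, Finding{Line: i + 1, Key: m[1], value: m[2]})
	}
	return findings
}

func main() {
	for _, f := range ScanConfig(sampleConfig) {
		fmt.Println(f.Masked())
	}
}
```

Run against the constructed config, it reports the root password on line 3 and the cloud token on line 5, while the empty admin password and the unrelated KEY_LENGTH setting are left alone. The same check belongs in CI for anything that ends up in a firmware image, since a password that is identical on every unit is indistinguishable from no password once a single unit has been opened.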

There are also examples for more specialized devices: here is an analysis of the security of road traffic sensors. To this we can add the vulnerability in Tesla cars that was closed last week (hacking via WiFi), and many other examples.


Practice is even more interesting. Nobody is breaking into Teslas and kettles yet because there are so few of them: a critical mass of devices that would attract the inevitable interest of cybercriminals has not been reached. Tracking and analyzing targeted attacks, even when they happen, is extremely difficult for ordinary computers, and all the more so here. Nevertheless, there are examples, but they concern devices that not everyone agrees to classify as IoT: routers, IP webcams and smart set-top boxes. Again, in the proposed security-oriented model of assigning devices to IoT, these devices, which have been available for many years, legitimately occupy an honorable place.

So, these familiar and well-understood devices clearly demonstrate the security situation in IoT as a whole. Default passwords, externally accessible management interfaces with typical web vulnerabilities, not to mention some examples of holes that allow arbitrary code execution. The result is clear: dozens or even hundreds of thousands of devices permanently connected to the network and not managed by their owners are combined into a botnet used for DDoS attacks and other criminal activities, not to mention theft of private information. At the end of last week one of the largest DDoS attacks ever occurred (the target was the blog of the expert Brian Krebs): 665 gigabits per second. If the preliminary assessment by Akamai (which was never able to repel the attack) is confirmed, it will also be the largest attack by a botnet of IoT devices.

Bright Gloomy Inevitable Future


A half-terabit attack is already serious, but in the context of the development of the “Internet of Things” this is a trifle. The development of IoT assumes that autonomously operating network devices will be counted not in the hundreds of thousands but in the tens of billions. If by then new methods of protecting them (obviously better than in today's examples) and of closing vulnerabilities (that is, solving the software update problem) are not introduced, we will have problems. And, unlike today, when we can buy an Internet fridge or choose not to, there will be no choice. To assess the scale, here is news about a contract to install smart gas and electricity meters: 53 million devices in just one country (and these plans are already three years old).


It would seem: what could go wrong with computer glasses that send everything to Snapchat?

Vulnerabilities and, even worse, the inability to update billions of devices will lead to a host of problems that can affect both unsuspecting users and the operation of critical infrastructure. The argument that industrial systems are a different IoT does not seem convincing to me: firstly, growth in production volumes will lead to consumerization, and secondly, the criteria of autonomous operation and network connectivity apply in this case too, even now.

What approaches can be used for protection? The example of the Revolv device hints that the market will sooner or later converge on two or three main platforms on which all IoT systems are built, and there will be less chaos. Most likely that is what will happen, as it already did with the number of smartphone platforms at the end of the 2000s or PC operating systems in the 1990s. And if not? Security is unlikely to be built on the basis of market laws.

I will assume that the current concept of “no one on the Internet knows that you are a coffee maker” has to change. The Internet of Things needs a different attitude than a desktop or a smartphone, which is not always the case now. Separate, secure communication channels, their own reliable authorization methods and, most importantly, the use of technologies that minimize the likelihood of someone else's code being executed. It may be that it is not the Internet things that will have to be protected from villains; rather it will be easier to protect smartphones and computers from the Internet of Things, where the approaches are clearer. Finally, since there are no 100% invulnerable complex systems, the problem of quickly and reliably updating billions of devices will still have to be solved.
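Reliable updating at that scale starts with the device being able to decide, offline and on its own, whether an update is genuine, for it, and newer than what it runs. The following is an added example, not code from the original post or from any vendor: a minimal signed update manifest in Go, using the standard library's ed25519, with the device holding nothing but the vendor's public key. The manifest format, the product name "kettle-x1", the version numbers and the image bytes are all constructed for the example; a real manifest would carry more fields, but the order of checks is the point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical description of one firmware image: which product it
// is for, a monotonically increasing version, and the SHA-256 of the image bytes.
type Manifest struct {
	Product string
	Version uint32
	Hash    [32]byte
}

// canonical returns the exact bytes that are signed. A fixed field order and a
// separator keep the encoding unambiguous, so one signature cannot be reused
// over a manifest whose fields happen to concatenate to the same string.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", m.Product, m.Version, hex.EncodeToString(m.Hash[:])))
}

// SignedManifest is what the vendor ships next to the image.
type SignedManifest struct {
	Manifest
	Sig []byte
}

// Device holds the only trust material a device needs: its product name, the
// version it currently runs, and the vendor public key provisioned at manufacture.
type Device struct {
	Product   string
	Version   uint32
	VendorPub ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// Sign is the vendor-side step: hash the image, fill the manifest, sign it.
func Sign(priv ed25519.PrivateKey, product string, version uint32, image []byte) SignedManifest {
	m := Manifest{Product: product, Version: version, Hash: sha256.Sum256(image)}
	return SignedManifest{Manifest: m, Sig: ed25519.Sign(priv, m.canonical())}
}

// Verify is the device-side step. Signature first: nothing in the manifest is
// trusted until it is known to come from the vendor. Then product, then
// anti-rollback (an attacker must not be able to reinstall a signed but
// vulnerable older build), and only then is the image itself hashed.
func (d Device) Verify(sm SignedManifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, sm.canonical(), sm.Sig) {
		return ErrBadSignature
	}
	if sm.Product != d.Product {
		return ErrWrongProduct
	}
	if sm.Version <= d.Version {
		return ErrRollback
	}
	if sha256.Sum256(image) != sm.Hash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2") // placeholder image bytes
	dev := Device{Product: "kettle-x1", Version: 1, VendorPub: pub}

	good := Sign(priv, "kettle-x1", 2, image)
	fmt.Println("valid update:", dev.Verify(good, image))
	fmt.Println("old version: ", dev.Verify(Sign(priv, "kettle-x1", 1, image), image))
	fmt.Println("tampered:    ", dev.Verify(good, []byte("something else")))
}
```

The design choice worth noting is that the device never needs the vendor's servers to be reachable to judge an update, only the public key it already has; the Revolv case above is a reminder that the infrastructure may not outlive the device. What this does not solve is key rotation or a compromised signing key, which is where a separate, more rarely used root key and a revocation path come in.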

Perhaps the solution will be found at the junction of the most modern technologies. Programming the IoT correctly may not be the way it is done with traditional computers right now. Perhaps we should look for a different approach rather than trying to drag the man-made legacy of the twentieth century into the 21st. In any case, there will still be some trouble.

Disclaimer: This column is based on real events but still reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That depends on luck.

Source: https://habr.com/ru/post/311076/
