The Internet of Insecure Things

By Krista V. | Cyber Threat Intelligence Analyst, NJCCIC

The US Government is currently drafting a 'green paper' in preparation of presenting a formal policy on the Internet of Things (IoT), acknowledging the highly insecure technologies that have hit the market in recent years. Demonstrating the growth of this market, the research and consulting firm Gartner, Inc. forecasts that 6.4 billion connected devices will be in use worldwide in 2016, increasing to 20.8 billion by 2020. Although traditional attack vectors reign supreme, the cybersecurity firm Symantec observed an increase in the number of IoT attacks and proof-of-concept exploits in 2015 and, in many cases, the vulnerabilities were easily identified and exploited. Over the last year, IoT vulnerabilities made frequent headlines and included technologies used in transportation, healthcare, smart TVs, embedded devices, and smart home devices.

Research released in February from security provider Bitdefender revealed that four “Smart Home” products, including smart lighting devices and a WiFi audio receiver, were vulnerable to exploitation that could result in the compromise of network credentials. Research into two smart light bulbs revealed that turning the device on and off five times reset the device, allowing a new hotspot to be created. This opens up the door for victims to accidentally connect to a fake, malicious hotspot that could result in revealing their WiFi username and password - information attackers can use to access the network and other connected devices. A separate, smart lighting device sent data unencrypted, allowing an attacker to see the WiFi username and password in cleartext. A WiFi audio receiver, connected to home routers to stream music from different devices, can be remotely accessed using the device’s default username and password, admin and admin.

These examples are indicative of the lack of consideration IoT developers are dedicating to security. What is equally disturbing is the companies’ failure to address and patch these vulnerabilities in a timely manner. Bitdefender notified the vendors of the flaws in the fall of 2015 and, as of the release of the report in February, three out of the four had not been fixed.

Researchers like those at Bitdefender struggle to find the means to encourage IoT device manufacturers to integrate privacy and security into their designs. It is widely believed that poor IoT security will continue to present an attractive opportunity to criminals, who will search for opportunistic targets the same way burglars search for houses without alarms and other security features. In their annual Internet Security Threat Report, Symantec reported that criminals are already enlisting vulnerable IoT devices, such as CCTV cameras, to strengthen their botnet ranks and will likely use them to execute large-scale DDoS attacks in the future.

The US Department of Commerce’s ‘green paper”, drafted by the National Telecommunications and Information Administration (NTIA) and titled, “The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things”, will focus on three key areas: key issues that impact the deployment of IoT, IoT’s potential benefits and challenges, and possible roles for the federal government in helping to push IoT technologies. The notice can be found here, and the NTIA invites interested parties to submit comments or questions through email to iotrfc2016@ntia.doc.gov by May 23. These and other efforts related to IoT will hopefully foster more dialogue and continue to highlight the need for greater consideration to the security of each IoT device as the exponential growth of connected devices has become inevitable.

Though there are major gaps in IoT security, MarketResearchReports.biz provided some hopeful news. They predict, based on a recent study, that the IoT security market’s compound annual growth will reach nearly 55 percent over the next year. In the meantime, until the IoT security market catches up with IoT development, consumers can lower their risk by ensuring their WiFi network password are both long and complex, changing default passwords and all other passwords periodically, recognizing anomalous network behavior, and updating all software and devices as patches become available.