With the holiday season around the corner, families are about to introduce a new raft of high-tech, Internet-connected gadgets into their homes worldwide. At the same time, enterprises are increasingly deploying automated building control systems and lighting technologies. Local governments are also getting in on the act as the move toward smart cities gathers steam. These advancements represent different aspects of the Internet of Things, and are increasingly touching the everyday life of people around the world.
When many people think about the Internet of Things, they focus on… well… the things: a smart light bulb, a networked HVAC system, a smart parking lot—those kinds of things. To date, much of the security analysis and penetration testing of IoT technologies has focused on finding and alleviating vulnerabilities in the things themselves. But IoT also includes networking, hubs, servers, one or more clouds, and a multitude of protocols.
All these items with their complex interconnections just haven’t gotten the security scrutiny they need. With research focused on hacking individual light bulbs, cameras, or HVAC systems, we’re missing out on security issues that could impact large numbers of devices. While turning on or off one light bulb by hacking it is rather interesting, turning off or surging power to millions of bulbs is much more impactful. Recently, we’ve seen the release of worms that spread through IoT devices, harnessing their networking capabilities to launch denial-of-service floods. With hundreds of millions of smart things coming online, the security industry really needs to step up our game in ensuring the security of the vast ecosystems that comprise the modern Internet of Things.
From a security perspective, I urge you to consider at least two areas to scrutinize in securing the IoT devices that touch your life, whether it be your own personal home automation or your enterprise’s amazing new deployments in your smart office.
First off, look at the configuration settings for your devices. Turn off any weak protocols that might be enabled by default, including HTTP or even Telnet. Yes, a fair number of IoT devices use those protocols by default. Most devices have an option for using HTTPS and SSH, allowing you to avoid the older, weaker, and (I’ll say it) obsolete clear-text stuff.
In addition, look at the configuration settings for authentication. Make sure you’ve got a good, strong password associated with device control and any authentication that happens to the cloud. Change default passwords to something else much stronger. Turn off any ancillary authentication mechanisms that you don’t need, like relying on your standard Google account or iCloud account for authentication. Instead, set up a separate account to control your IoT devices. What’s more, to increase isolation, you should consider setting up a separate Wi-Fi environment dedicated to IoT technologies, rather than having them ride across your existing home or enterprise network. Choose a crazy-hard WPA2 key for your IoT wireless LAN to help prevent nearby attackers from gaining access to your environment and the devices.
After reviewing and shoring up your IoT configuration, the second major area to consider is conducting a security test of the IoT elements of your environment. Of course, you can only do vulnerability scanning and penetration testing of the devices and the associated hubs you own and operate on your own networks (or with permission, your enterprise network). For the cloud-based systems that help control those items, you cannot scan or attack them without explicit permission of the cloud provider. But, even then, you can run a sniffer (such as tcpdump) to look at the messages your devices and hubs are sending to the cloud, scrutinizing them for clear-text passwords and other mistakes. I spend a lot of time doing just that myself and have turned up some very interesting results to share with the vendors whose products I own.
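One way to review such a capture offline, as an added example that is not from the original article: the script reads a classic pcap file (as written by `tcpdump -w` on your own network) and reports which destination ports carried HTTP Basic credentials or password-like fields in clear text. The function names (`tcp_payloads`, `audit`, `sample_pcap`), the two regular expressions, and the sample traffic are constructed for illustration.

```python
import re
import struct

BASIC = re.compile(rb"(?i)authorization:\s*basic\s+[a-z0-9+/=]+")
FIELD = re.compile(rb"(?i)[\"']?(password|passwd|pwd|api_?key|token)[\"']?\s*[=:]\s*[\"']?[^&\s\"',}]+")

def tcp_payloads(pcap):
    """Yield (dst_port, payload) per data-bearing segment; assumes Ethernet + IPv4/TCP."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
        ip_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_len]      # drops any Ethernet padding
        data = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b""
        if data:
            yield struct.unpack("!H", tcp[2:4])[0], data

def audit(pcap):
    """Return sorted (dst_port, issue) pairs; secret values are never echoed."""
    hits = set()
    for port, data in tcp_payloads(pcap):
        if BASIC.search(data):
            hits.add((port, "http-basic-auth"))
        for m in FIELD.finditer(data):
            hits.add((port, "cleartext-" + m.group(1).decode().lower()))
    return sorted(hits)

def sample_pcap():
    """Constructed capture: one HTTP POST to port 80, one TLS record to port 443."""
    def record(dport, data):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         bytes([192, 168, 50, 10]), bytes([203, 0, 113, 5]))
        tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + data
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    post = (b"POST /api/login HTTP/1.1\r\nAuthorization: Basic ZGVtbzpkZW1v\r\n\r\n"
            b'{"user":"demo","password":"demo"}')
    return hdr + record(80, post) + record(443, b"\x17\x03\x03\x00\x05\x9a\x11\xc4\x7e\x02")

if __name__ == "__main__":
    print(audit(sample_pcap()))
```

To run it against a real capture, pass the bytes of the pcap file to `audit()` in place of `sample_pcap()`; traffic that is already inside TLS produces no findings, which is the outcome you want to see.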
I also ask you to encourage your vendors to conduct detailed penetration tests of their own IoT products and cloud environments to ensure that they are secure before they hit the marketplace. With calls from motivated, educated, and intelligent purchasers (especially from government or enterprise purchasers who are procuring large numbers of intelligent devices), we can help move the security of IoT devices forward faster.
Until recently, there hasn’t been a comprehensive description of the various components, protocols, tools, and techniques to use when conducting a penetration test of IoT devices. The folks at InGuardians, especially Larry Pesce, have been working to change that with their Internet of Things Attack Methodology (IoTA). From the same group that developed a detailed testing methodology for Smart Grid meters, the IoTA project includes a multitude of tips and recommendations for thoroughly testing IoT environments (not just the devices). You can read more about the specific areas IoTA covers at http://www.inguardians.com/iota.
IoT technologies are new, shiny, and exciting. But they represent an extremely complex technological ecosystem that has major security concerns. As an industry, we need to drain the swamp of vulnerabilities by focusing on secure configuration and thorough testing. There is a lot of exciting work to do here, especially as we move from individual devices to evaluating hubs and clouds, controlling hundreds to millions of devices. Let’s get to it!