The IoT Security Trainwreck

This shouldn’t really come as a surprise to anyone… but it inevitably will to a lot of people, so I think it’s worth discussing. We’re approaching a repeat of Windows 98-XP era security ignorance with the Internet of Things, small Raspberry Pi servers, and intelligent, internet-connected automobiles. These things can be made secure, but right now, for the most part, they’re not.

As difficult and unnerving as it is to create a product with over-the-air (OTA) updates, I think that is our only forward-looking option. To illustrate my point, the recent glibc DNS vulnerability opens nearly every Linux-based computer to remote code execution. This means not only our Linux PCs and servers are vulnerable, but all our RPis, some WiFi routers, and potentially even some non-Linux embedded devices that have borrowed from the Linux codebase. This sort of issue isn’t something you, as a developer, can easily mitigate when the world doesn’t yet know it’s a problem.

It’s worth noting that Google is trying to make IoT Security easier with Brillo. I haven’t worked with it, but it’s worth looking at if you’re building an IoT product.

Additional recent news involves Director of National Intelligence James Clapper – the same person who “forgot” while testifying in court that the NSA is performing mass surveillance – stating that the NSA might use IoT to spy on people. The only thing surprising here is that they spoke of it.

To protect yourself while still dabbling in IoT, some best practices are:

  1. Stay up to date! Make sure your computers, routers, and network devices are kept up-to-date.
  2. Put all potentially insecure devices on their own network (behind their own router). Ideally, you’ll have three distinct networks, in a Y-configuration. Router 1 connects to the internet, Router 2 and Router 3 connect to Router 1. All secure things connect to Router 2, and all insecure devices connect to Router 3. More discussion is in this Security Now podcast. Note that with more advanced hardware, this can effectively be done all on one box.
  3. Don’t use default passwords, especially for wireless router configuration.
  4. Lots more, but I am tired. Feel free to add your own.
3 Likes

more:

This is Why People Fear the ‘Internet of Things’

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware…

This is one of the reasons I prefer to catch a wireshark of what and where data is going from my IoT devices.

I’ve also made products that are similar to IoT in that they’re wifi connected and allow for wifi-updates. To deal with them, I have an encrypted update method to reduce or hopefully negate the chances that the firmware will ever be updated to an invalid or malicious program.

I think some security measures are important, but there’s a second edge to such a thing: if you are making something that is to be community driven, closing off updates to only come from one server or key set also closes off the ability for makers to work with them. A good solid understanding of what’s normally going on with the devices is pretty critical, so open projects need documentation of what each of their parts does - which will in turn help adoption and acceptance of the thing.

Anyhow, that’s just my two bits

1 Like

Yeah, ideally the OTA update mechanism will be made to only accept a signed and encrypted payload, and the secret keys will be different for every device.

If it’s not encrypted, a firmware update can be more easily reverse engineered to find the bugs that were corrected in the last update.

If it’s not signed, anyone can push updates to any device, providing they have MITM access or can find the devices through Shodan.

If the secret keys are all the same between devices, then one person dumping and reverse engineering the firmware is enough to compromise the OTA update security of all equivalent devices.

Regarding open source products, I agree there should be more leniency for custom OTA updates, but I still think security should come before convenience. If I was doing it, I’d provide a mechanism for users to upload new firmware via my website, to their device alone. Every device would have a serial number that “proves” you have physical access to the device. There would then be a secondary option for somebody to host their own clone of that web service, the only difference being that they don’t get access to all the world’s secret keys! Third, you’d probably have the ability to flash it over USB if you wanted custom firmware without using OTA updates.

Still, I know I’m missing some essential considerations, and even in knowing all the feature requirements, good security is an incredibly hard thing to do right.

Sounds like a great vector for the NSA to have access to OTA updates :stuck_out_tongue:

At risk of opening a huge can of worms, I would insist that any product, open or closed source, should ultimately be under control of the owner. The end user must have a way (not necessarily easy…) to manage the trusted keys on their device. That includes removing your trust relationship as well as adding their own.
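The update scheme sketched in the three posts above (a payload that is both signed and encrypted, a per-device secret key, updates addressed to one serial number, and a trust store on the device that the owner can edit) is shown below as an added Go example. It is not code from the original thread or from any product mentioned in it, and everything in it is an assumption: the package layout, the Ed25519-signature-over-AES-GCM construction, the serial numbers, and the placeholder firmware strings are constructed for the demo, and the per-unit keys are generated at random in place of whatever a real manufacturing step would do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Distinct rejection reasons so a device log can say why a package was refused.
var (
	ErrWrongDevice  = errors.New("package addressed to another serial")
	ErrUntrustedKey = errors.New("signing key not in the device trust store")
	ErrBadSignature = errors.New("signature does not verify")
	ErrRollback     = errors.New("version not newer than installed firmware")
	ErrDecrypt      = errors.New("image failed authentication")
)

// Device is the trust state an OTA client keeps in flash (hypothetical layout).
type Device struct {
	Serial    string
	Version   uint32                       // installed version, for anti-rollback
	Image     []byte                       // installed firmware image
	UpdateKey []byte                       // per-unit AES-256 key, never shared between units
	Trusted   map[string]ed25519.PublicKey // accepted signing keys; the owner adds and removes entries
}

// Package is the OTA payload: the image encrypted for one device, signed by one trusted key.
type Package struct {
	Serial, KeyID string
	Version       uint32
	Nonce, Cipher []byte // AES-GCM nonce and ciphertext||tag
	Signature     []byte // Ed25519 over header||nonce||cipher
}

// header binds a package to one serial and version (length-prefixed, so unambiguous); it is
// the GCM associated data and the first part of the signed bytes, so neither can be swapped.
func header(serial string, version uint32) []byte {
	return []byte(fmt.Sprintf("%d:%s:%d", len(serial), serial, version))
}

func (p Package) signedBytes() []byte {
	return append(append(header(p.Serial, p.Version), p.Nonce...), p.Cipher...)
}

// gcm returns AES-256-GCM; both constructors only fail for key sizes other than the 32 bytes used here.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// BuildPackage is the publisher side (vendor, or an owner hosting their own service):
// encrypt for one device, then sign the ciphertext so the device verifies before decrypting.
func BuildPackage(signer ed25519.PrivateKey, keyID, serial string, version uint32, deviceKey, firmware []byte) Package {
	p := Package{Serial: serial, KeyID: keyID, Version: version, Nonce: make([]byte, 12)}
	rand.Read(p.Nonce) // fresh random nonce per package; never reused under the same key
	p.Cipher = gcm(deviceKey).Seal(nil, p.Nonce, firmware, header(serial, version))
	p.Signature = ed25519.Sign(signer, p.signedBytes())
	return p
}

// Apply is the device side: every check runs before any decryption, and the
// installed version only advances once the image has authenticated.
func (d *Device) Apply(p Package) error {
	pub, trusted := d.Trusted[p.KeyID]
	switch {
	case p.Serial != d.Serial:
		return ErrWrongDevice
	case !trusted:
		return ErrUntrustedKey
	case !ed25519.Verify(pub, p.signedBytes(), p.Signature):
		return ErrBadSignature
	case p.Version <= d.Version:
		return ErrRollback
	}
	image, err := gcm(d.UpdateKey).Open(nil, p.Nonce, p.Cipher, header(p.Serial, p.Version))
	if err != nil {
		return ErrDecrypt
	}
	d.Version, d.Image = p.Version, image
	return nil
}

func newDevice(serial string) *Device {
	key := make([]byte, 32)
	rand.Read(key) // per-unit key that a real product would generate at manufacture (constructed here)
	return &Device{Serial: serial, UpdateKey: key, Trusted: map[string]ed25519.PublicKey{}}
}

// Scenario walks two constructed devices through the checks; a nil error means the package was installed.
func Scenario() (*Device, map[string]error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	a, b := newDevice("SN-A-0001"), newDevice("SN-B-0002")
	a.Trusted["vendor"], b.Trusted["vendor"] = vendorPub, vendorPub
	res := map[string]error{}
	pkg := BuildPackage(vendorPriv, "vendor", a.Serial, 2, a.UpdateKey, []byte("firmware v2"))
	res["vendor-accepted"] = a.Apply(pkg)
	res["wrong-device"] = b.Apply(pkg) // B has another serial (and another key)
	bad := pkg
	bad.Cipher = append([]byte{pkg.Cipher[0] ^ 1}, pkg.Cipher[1:]...) // one flipped bit: refused by the signature check
	res["tampered"] = a.Apply(bad)
	res["replayed"] = a.Apply(pkg) // the same version offered again
	res["wrong-key"] = a.Apply(BuildPackage(vendorPriv, "vendor", a.Serial, 3, b.UpdateKey, []byte("firmware v3"))) // encrypted under B's unit key
	delete(a.Trusted, "vendor") // the owner takes over: vendor builds are no longer accepted
	a.Trusted["owner"] = ownerPub
	res["after-revoke"] = a.Apply(BuildPackage(vendorPriv, "vendor", a.Serial, 3, a.UpdateKey, []byte("firmware v3")))
	res["owner-accepted"] = a.Apply(BuildPackage(ownerPriv, "owner", a.Serial, 3, a.UpdateKey, []byte("owner build v3")))
	return a, res
}

func main() {
	dev, res := Scenario()
	fmt.Println(res)
	fmt.Printf("%s now runs v%d: %q\n", dev.Serial, dev.Version, dev.Image)
}
```

Two design points matter more than the primitives. The signature is checked before anything is decrypted, so the device never runs its AEAD over unauthenticated input, and the serial and version sit inside both the signed bytes and the GCM associated data, so a package cannot be re-addressed to another unit or used to roll back. Deleting the vendor entry from the trust store is what gives the owner the control the last post asks for; the same structure serves the vendor's service and a self-hosted one, the only difference being which signing key the device has been told to trust.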

Hello, been to the space a couple times, but not often as I don’t build many gadgets but have a fairly strong interest in computer security. Basically, I like hacking stuff and knowing the worst possible way someone could abuse a device.

The IoT fad, frankly, is ridiculous. Fears of the NSA/FBI snooping aren’t the problem. The bigger problem is the neighbour you pissed off or the malicious teenager that just likes damaging things. The best way to stay safe is to simply NOT buy any device that has a computer chip in it without any legitimate reason. If it’s a toy, or a fun little project, okay. Other stuff, like wifi-controlled lightbulbs (honestly, why?!), is just unnecessary but isn’t likely to cause any harm. Anything that could cause a serious problem if a malicious teenager got control, avoid. By the way, if you come across a device that is a wifi-enabled version, for almost the same price as the normal one, what do you think the budget was for making that device secure?

For example, in the news just a few days ago: SimpliSafe Security System Hack
Basically, a home alarm system had wifi so you could disable it with your phone (why?) and it can be easily hacked. “Update: A Simplisafe representative sent us a link to a response posted on the company’s website after this article was published. The post argues that Zonenberg’s hack was highly unusual and sophisticated and has never been reported in an actual crime.” It wasn’t that sophisticated. Similar security attacks have been done over and over again. A replay attack in this day and age should not be that easy. That is the mindset when it comes to security for some of the companies rolling out this crap.

Basically, if it doesn’t need wifi, and you don’t have 100% confidence in the security team of the company making it, don’t use it. One device I’ve seen popping up lately is “smart” thermostats that you can control from your phone. What’s the worst that could happen, right? Maybe someone messes with you a bit? Or maybe they wait until you take a winter vacation, turn off your heat entirely, and you come back to burst pipes and tens of thousands in water damage. Yeah, the NSA isn’t even on the radar when it comes to concerns from these devices.

If there is any serious harm that can be caused by a device having wifi, the best option is to just buy the one that doesn’t have wifi.

What happens when the manufacturer decides it’s no longer profitable to continue issuing updates for old products (i.e. Google and the Galaxy Nexus; there are still millions of those phones out there) or the manufacturer goes out of business?

Wouldn’t encryption of the firmware force a planned obsolescence into every IoT device? Increasing the consumerism and waste as perfectly good hardware goes to recycling?

Security by Obscurity (encrypting the firmware to prevent detection of software bugs) is not a solution.

Preventing updates by third parties forces the consumer to be a slave to the business plans of the manufacturer (i.e. Farmers vs John Deere).

There are no shortcuts to security; the only true solution is for manufacturers to spend the required resources to write good software. If you review the vast majority of the recent IoT hacks, they are caused by poor development practices (default, simple-to-guess passwords, development tools leaked in the firmware such as telnet or busybox, lax programming when handling I/O data).

In my opinion, the reality is that the current market is driven by such low profits, short development cycles, and competition that a manufacturer risks a failed product if they spend the resources to properly secure a product. Look at the amount of research and resources that were put into securing the PlayStation (cracked), Xbox (cracked), PlayStation 2 (cracked), etc. All those products used encryption and software signature verification.

Encryption and signatures will not make the product more secure, it will only allow the manufacturers to hide their lax programming practices.

If security is legislated, then manufacturers are going to cry foul and demand additional protection against reverse engineering and stronger legislation to protect software patents. You may end up with a marketplace that has such a high entry cost that the small innovators, like those on kickstarter, would be sued out of existence in the name of security by large corporations that do not want competition. (There are several XYZ gantry designs that operate quite well but are protected by patents, so you don’t see those in the amateur 3D printing market, same thing with UAV software algorithms and robotic arms.)

So, if you ask me, encryption is good to protect data during transit, and signatures are good to verify who sent you the data. Any other use of cryptology is misguided, especially using crypto to hide software flaws.

I agree with most of your comment, but these game consoles are all cracked by people who have physical possession of the devices. That’s not an easy attacker to defend against, and a completely different case than security against attacks over the internet.

I wouldn’t buy and install an IoT device that didn’t allow me control of the firmware. And not through uploading to some cloud service either - put a USB or pin header programming interface on the thing and at least lightly document the hardware. I’m not asking for customer support, just an avenue of protection from your firmware gaffes and end-of-life business decisions. If your device is actually useful for something, a github repo will appear eventually. It may even result in a few more sales.

Well, yeah… if the NSA (or anyone) had physical access to a device that is now in your house, all bets are off.

I agree. That’s what the second and third options I proposed would allow. I guess I didn’t clarify that if the user moves to local or self-hosted OTA updates, their devices would no longer accept updates from my servers. The three options are just to provide accessibility; there’s not much value in providing such a feature if most users who want it give up because it’s too hard. But at the same time, it needs to be made clear to the user that by taking responsibility for the device’s firmware, the onus is on them to keep it updated and secure (and functional).

I mostly agree with everything you said. Although the NSA isn’t much of a threat to most people, each of these devices is a potential entry point to your home network, and if they (or any malicious user) can compromise even a lightbulb in such a way that they can communicate via HTTP to your network router, they have the opportunity to reconfigure it, open up ports, flash custom firmware… there may not be a lot of useful information on IoT devices themselves, but it’s a problem when they’re on the same network as your computers.

I think we can look at Apple as the (current) high bar of security right now. Sure, xbox and PS2 eventually fell, but that’s because they did it wrong. Apple still has problems (if you can jailbreak your iDevice, it’s because a critical flaw exists and hasn’t been patched), but their architecture and platform is as secure as any consumer device of comparable complexity we’ve ever had. Now, I’ll most likely never own one, but for people who just want their product to work, and don’t care about customization, planned obsolescence, etc., Apple is a compelling option.

When Microsoft pushes Windows updates, they (at least sometimes) start by doing so in advance of installation. These updates are encrypted so that hackers cannot yet see what has been changed. When it’s time to install, Microsoft sends the decryption key to the machine, and then the update proceeds. At that time, you can take a diff of the OS and see what patches were made, and start designing attacks that exploit the bugs that were fixed in this patch. Yes, it is security through obscurity, because they’re hiding the evidence of bugs until the bugs are fixed. But they can do it, and it does help, and I think it would be irresponsible of them not to do this. Sometimes obscurity is more secure. :stuck_out_tongue:

But yeah, given consumer expectations, the current market, and the profit models involved, there is so little incentive (or ability, even) to create a long-lived product that is kept secure and compatible. I don’t have a good solution for the kickstarter projects of the world. It’s a big challenge; one that even large companies often fail at.

Thanks for all the comments!

Reference? As far as I knew, Microsoft updates are not encrypted, only signed.

Sorry, I can’t find any reference. Maybe I misheard on a podcast or something, but that’d be so long ago, I don’t know how I’d find it. Probably best to assume I’m wrong for now!

Many people do not believe it is possible to have privacy and law enforcement with IoT. IoT devices are connected to the Cloud, providing data for early safety preventative maintenance and early medical condition screening/diagnostics.

But in reality these people who believe it is not possible to have both privacy and law enforcement are very wrong. Giving up privacy and enabling the law enforcement branch of government unrestricted access to private information unrelated to investigations is extremely dangerous. It is only a matter of time before the Government uses its access for political gains to suppress opposition.

Achieving privacy while meeting the requirements of law enforcement requires publicly verifiable codification of laws, such that IoT devices ONLY report violations. A good example of this is trucking: mandatory log books, maintenance records, weigh scale and speed recordings. Only violation events should be reported to enforcement, and the accused party given the opportunity to explain the situation in court. There may be many legitimate reasons for violations.

I also would take action to change the sale of spectrum to a spectrum lease. The reasons for this will take more explanation.

Totally agree. Before I buy a router, I make sure it’s supported by OpenWrt.

Even better would be to use a dual-NIC PC running an LTS OpenBSD or Linux distro.

Another part of the problem is that the software inside IoT devices has become a giant Rube Goldberg machine. There are millions of lines of code in devices that have very simple functions. For example, Google’s Brillo will be a stripped down Android, which they plan to run inside door locks! With all that code in there, how can they possibly ensure that all of it is bug free, let alone secure?

We need to get out our machetes and hack away all this unnecessary complexity. Get back to basics. Maybe even start from scratch.

Of course, that’s no small project. It is MUCH quicker and easier to pull down a working Rube Goldberg machine and add or change some small part of it.