How can we improve IoT device security for us and future generations?

Sarb Sembhi highlights the concerns raised over IoT security devices in a recent report, and asks what everyone can be doing to better protect their devices, employees and families.

“Daddy, what did you do during the war?”

Growing up in the UK, the title question was one we often heard in the movies. Will our families be asking us what we did to protect them from the current bad things going on in their lives resulting from vulnerable devices?

Protecting those in our charge, employees and families alike

Everyone likes to believe that their parents play a key role in protecting them, whether it is to fight in a war to protect democracy or to keep them safe in other ways. It is our duty as parents, and employers to protect those that we are responsible for. In the last few weeks there have been three news items which lead me to believe that we need to be doing a better job than we are doing to protect those we are responsible for.

The Enterprise of Things Security Report is a worrying read about the risks IoT devices in enterprises pose. The report from Forescout uses data collected from over eight million network devices across all industry sectors. There is a breakdown by industry, operating system, types of devices, and plenty more.

Across Financial Services, Government, Healthcare, Manufacturing and Retail, the riskiest device by vertical were HVAC devices, which were in the top 10 for all five sectors and second in three of them. IP Cameras were in the top five riskiest devices in four of the five verticals. Furthermore, Uninterruptible Power Supply (UPS) was in the top three of the five verticals, and Programmable Logic Controllers were in the top five of four of the verticals.

In the report’s top 10 riskiest devices, the top three were:

• Physical Access Control
• HVAC
• IP Camera

The key problems being: Telnet port 23 being left open on access control and HVAC systems, and these systems having critical vulnerabilities, as well as network cameras being vulnerable or configured with network ports 21 and 22 left open.

This report is and should be a worrying read for anyone working in physical security. Either your organisation made these devices, has these devices, or manages these devices – or may even installed them on someone else’s premises.

Read the full Enterprise of Things Security Report.

Closer to home

The next news item of note has the headline: “Billions of smart home devices open to attack: What to do?”

So, if we thought our business, enterprise or work environment is safe, what about our homes, where we are responsible for our loved ones? This item is about a vulnerability in a network protocol, and readers may be saying, “Surely, you can’t blame us for that?” Yes that is true, and I wouldn’t do that, but my point isn’t to blame. Merely that because this is a vulnerability that affects all devices, as it is network protocol issue – to reduce the risk, users would need to turn off the Universal Plug and Play (UPnP) in their device.

This protocol often has a default setting as being ‘on’ in devices, as I was reminded recently. I recently changed my ISP to a business provider for my home office. And as anyone should do, I locked it down as soon as the engineer had walked out of the house. In doing so, I found that even today (end of June 2020) routers are being supplied with UPnP on by default. This means that it is left to ordinary people to know that they should change this.

---

Read more from Sarb Sembhi…

• The impact of IoT security legislation for consumer devices
• “It’s time to wake-up to the insecurity of IoT devices”

---

This is unacceptable, and I could go on about this, but won’t, as it is only half the story. This vulnerable protocol is implemented into several thousands of devices already out there, both in business/enterprise devices, as well as home devices – no one can avoid it. This vulnerability will be fixed, as such things are. If your device is from a responsible manufacturer who has automatic updates available on the device, you should be fine from that point. However, many consumers often pick the cheapest products with the best reviews – which are not always from the most responsible vendors for security updates.

So, buying the cheapest is not the best, and leaving default settings unchanged is not always the securest. Many manufacturers often set default settings not from a user security perspective, but from one that would enable the device to send back any information that they may want to keep track of the device and its use, which means ports that shouldn’t be open will be open – leaving the device vulnerable (as the Forescout report above found in its research).

We can’t evade our responsibilities

Finally, the last news item headlines read ‘Knoxville, TN still quiet on details of cyber attack’.

The city of Knoxville shut down its IT network after a ransomware attack in the middle of June 2020. The report stated: “Officials believe that it was caused by an employee mistakenly opening a phishing email but was not detected until it had infiltrated multiple systems.”

“Hold on, this has nothing to do with physical or cyber security devices I hear you protest!”

True, but it has to do with users and people doing the right things. In a home environment we do not have all the security that may exist in the work environment (unless we work in cyber security), meaning we have to be extra vigilant when opening messages, answering calls, opening links on social media, etc. Not only do we have to be extra vigilant due to the lack of security, but also because we most likely have many devices that are vulnerable and have opened up ports by default unknown to us.

This is the point I’m making; most people assume that they purchase secure services (just like I had done with my ISP and its router), and we rely on them to be configured securely. However, it doesn’t end there, we purchase devices in the same way and don’t have the technical expertise to do otherwise, so how on earth can we answer the question: “What did you do to protect us, Daddy?”.

The chances are this question isn’t going to be asked by a youngster who understands how to use the technology, it’s going to be asked by seven to ten year old who has been using technology for a few years and has assumed similarly as their parents have, “Why would my mum and dad give me this device to use if it is going be bad for me?”

Demand better security or learn to secure

This reminds me of a conversation I had with a German friend of mine back in the 80s. I asked him why German cars are some of the best and the British car industry is not doing well. His answer was: “Your British are very inventive. When your car leaks oil, you put something underneath it to capture the oil. When a German car leaks oil, we complain to the manufacturer.”

The only way we are all going to get better security by default isn’t going to be if we all become cyber security experts, but by becoming more discerning customers of the product we choose, and what we do about lack of security (or quality) that we should have expected and received.

If we do that as employees, parents and those we are responsible for, the chances are we are unlikely to ever get asked any embarrassing questions about what we did or didn’t do to protect those people we are responsible for.