“It’s time to ‘wake-up’ to the insecurity of IoT devices!”

Sarb Sembhi demonstrates the need for all stakeholders involved in the manufacture and utilisation of IoT devices to be aware of the potential pitfalls in poor cyber security standards, highlighting previous and current malware attacks that should be seen as an urgent wake-up call to the industry.

Wake-up to the wake-up call!

The future of smart environments seems to be brighter than ever – everyday there are analyst reports marvelling at how good these will all get in the next few years. However, only a few years ago smart environment devices were given a wake-up call that they are not secure and can be hacked remotely.

The wake-up call in September 2016 about the Mirai botnet seems like too distant a memory. For those unfamiliar with it, the Mirai malware was a piece of malicious code that scanned for and compromised IoT devices using common factory default usernames and passwords – see my last article on the importance of the upcoming IoT Code of Practice. The malware allowed the device to function fairly normally, yet also made the device part of a network of controlled devices called a botnet, which was then used in force to launch the greatest single Distributed Denial of Service (DDoS) attack on a single website (around 620Gbit/s).

If this wasn’t a wake-up call in September 2016, the following month the Mirai botnet attacked the internet DNS (Domain Name Service) provider Dyn, which brought down services including Twitter, Netflix, Airbnb and many others. Also, the authors of the code made the code publicly available, which led to several additional iterations of the malware.

The Mirai malware did make some IoT device makers, purchasers, users, installers, facilities staff think about changing default passwords. There is a realisation and acknowledgement that the advances in technology can be used for good as well as bad, and that security of IoT devices is important. The response to such attacks on IoT devices and systems from cyber security professionals has included several standards and frameworks, which have always included no default passwords at the top of the lists.

However, time has passed, and memories are short. The improvements in the security of products, installation and maintenance in smart environments have not come as quickly as cyber security professionals had hoped. What we know is that often malware authors try things as proof of concepts and that they explore what-ifs, and that if Mirai was just a first phase what-if, then what is coming next? Sometimes each phase of the what-if proof of concept takes a few iterations before it has been identified as the next phase.

Current IoT security concerns

In early April 2020, an anti-malware vendor stated in a whitepaper: “Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.” It is called dark_nexus IoT botnet.

So, what makes this malware something to worry about in relation to smart homes, smart buildings and smart cities? In short, everything. It has been designed to be used to take over devices, hide itself in ways not seen before, tweaked 30 times in a three-month period, compiled for 12 different CPU architectures and using a new persistence tactic by removing device restart permissions, etc.

Are we there yet?

A few years ago, I was at a security event and the speaker gave an analogy of when you have done the hard work of getting ready for an attack of any sort, we should consider that as being ground-zero. The speaker talked about how climbers who climb Everest have to climb for several days to get to the starting point, which is actually considered to be ground-zero for the actual ascent. I often ask, therefore, are we at ‘ground-zero’ for securing our smart environments?

My belief is that we are not even there yet, because in reality we have not started our journey to reach ground-zero. That journey must start with smart environment owners, manufacturers, installers, facilities staff, support and maintenance staff, etc. all working together to ensure that our devices and systems cannot be found and identified, logged into via default passwords, have security patches applied quickly, etc. Like risk, there may be a few individuals who are paid to have overall responsibility for strategy, audit, governance, but in reality everyone in every business has a role to play.

It’s not too late to get started

This latest botnet malware had only infected nearly 1,400 devices at the time the report was written, but still managed 30 updates in 90 days. This indicates that it is early days for this malware and unless everyone plays their part in getting the message out there to specify, procure, deploy and maintain secure devices and systems effectively, any number of us may either end up as part of the botnet (where our devices and systems are used to attack others), or be the target of attack by other compromised devices and systems.

Each of us can play our part in whatever small or large action we are able to take, whether it is to refer someone else to the current standards and guidance for securing devices and systems or it’s developing the functionality to secure such devices and systems. The criminals innovate quickly, often and efficiently.

What can all stakeholders do to improve IoT security?

Manufacturers need to focus not just on adding functionality into new devices, but also consider additional security into existing devices which are still supported. We cannot forget existing products, and manufacturers have a big role to play in the security of existing products.

Building owners, specifiers and procurement officers have important roles to play in new and existing devices and systems. They should all be using their relationships to force manufacturers to secure devices and systems. They should not fall into the trap of accepting that the new versions are secure with lots of functionality – I believe that no user of any existing in-support system should accept future purchases from any manufacturer who isn’t willing to fix or add at least the basic security stated in the UK Government’s Code of Practice, due to become law for consumer IoT products (or the ETSI Standard).

Integrators and installers also need to up their game, as they may come in for criticism if they didn’t change the default passwords in devices and systems previously installed. They should be in conversations to look at how they can help their customers to make the changes over time as they plan their maintenance visits.

Facilities teams who use these devices and systems on a daily basis need to set in motion reviews or audits to identify where their systems are in terms of security and plan what needs to be done.

Unless we all play our role in securing smart environments their innovation in making our lives better for us and everyone around us will be meaningless compared to the innovation that cyber criminals have. If we don’t start doing what we need to do the devices and systems may be owned by us physically, but logically they may be controlled by criminal gangs who hire your devices out on an hourly basis to attack you, your other systems or anyone else’s systems without you knowing anything about it.

Industry guidance

There is plenty of guidance out there produced by professional bodies around the world. The BSIA is producing guidance for integrators and installers, which is at internal review phase at the moment and should be available in the coming months. The IoT Security Foundation is also working on guidance for building owners, manufacturers, systems integrators, and facilities professionals, which we are compiling with several industry and professional bodies, due to be launched later this year.

There is no shortage of standards, frameworks, industry and professional bodies guidance around the world, we all just need to play our part in making our smart environment owned and enjoyed by the stakeholders who were the intended beneficiaries – not cyber criminals.

---

Read Sarb’s previous articles in the series, below:

1. Why should physical security professionals learn cyber security skills?
2. The impact of IoT security for consumer devices