Preventing the weaponisation of IoT

Cesare Garlati, Chief Security Strategist, prpl Foundation, discusses the potentials and pitfalls of The Internet of Things.

The Internet of Things is rapidly turning a new generation of products ‘smart’ by adding computing power, network connectivity and sophisticated software, offering a wealth of possibilities for tech-savvy owners keen to push their device capabilities to the limits. But at the same time there are logical reasons why lawmakers and regulators need to lock down certain functionality – for the safety and wellbeing of their citizens.

Though the Internet of Things may be transforming our homes into data centres before our very eyes, unlike in the data centre, we don’t have IT professionals on call to manage, patch and secure these systems. Already in 2016, there have been reports of LG Smart TVs being targeted by scareware, for example. Many home users are unfortunately unprepared to deal with such events. They need to wake up to the fact that their innocuous-looking domestic IT could be hijacked by cybercriminals, with potentially serious consequences. Indeed, industry and regulators also need to take action – to force manufacturers to improve the security of embedded computing products.

Complexity breeds insecurity

IoT innovation is everywhere, and it’s becoming ever more pervasive. In the house there could be a smart TV, home entertainment hub, smart router, connected fridge, smart toaster, IoT kettle, washer/dryer and so on. Even the garage doors and lightbulbs increasingly feature embedded, internet-connected computing systems. That’s not to mention automobiles – where everything from vehicle emissions to the on-board entertainment system, and even steering and braking is controlled by tiny sensors, software and silicon.

This new wave of IoT products might be highly intuitive on the surface, but even the most tech-savvy consumers would have problems identifying and patching the growing collection of smart products in their homes. What makes matters more complex is that many manufacturers don’t release timely updates for their products, if at all, as they are not designed with security in mind. The firmware is left unsigned, which means if an attacker can reverse engineer the code they could remotely modify, reflash and reboot the device to execute arbitrary code. And too often lateral movement is allowed, meaning hackers can pivot inside a targeted system until they find what they’re looking for.

Even with an IT administrator on hand in the home, we would struggle to lock down this kind of risk. So what could an attacker actually do by exploiting these firmware ‘design flaws’?

  • The so-called ‘SYNful Knock’ attacks discovered in 2015 showed how attackers, likely nation-state actors, managed to modify the firmware image of Cisco routers to achieve persistence inside victims’ networks. This made data theft and further malware installs/intrusions into parallel systems possible.
  • Remote control of a smart device or embedded computer could allow an attacker to turn that device into a bot to launch DDoS, click fraud, information-stealing attacks and much more. One IoT device on its own is about as powerful as a BB gun. But imagine what you could do with a million BBs, all focused on one target? IoT devices are perfect for this purpose: always on, always internet-connected and with fatally flawed architectures that can be exploited.

Time for change

Good security is at least half about good management of the product. Yet the consumer technology industry prioritises the user experience over everything else. Regulators must understand this and so should impose a bare minimum standard for security updates – forcing manufacturers to administer these, so devices are not left unpatched for too long.

If there is this shift of responsibility from the end user to the vendor, it demands a secure infrastructure extended into the device itself, for instance:

  • Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. The signature needs to be checked on the device side against a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof. This would have prevented the attacks on Cisco and others.
  • Hardware virtualisation – this enables separation of each software element, so that a system can be designed to keep critical components in secure isolation from the rest, preventing lateral movement. This can allow consumers to enhance and modify their products whilst crucially allowing regulators to prohibit and lock down modification of any function deemed too dangerous.
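
The secure boot check in the first bullet, as an added example (not code from the article or from any vendor): a Go program that models the boot stage verifying a firmware image against a public key fixed in the device. The image layout (payload followed by a 64-byte Ed25519 signature), the function names and the demo key derived from a fixed seed are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrUnsigned     = errors.New("image too short to carry a signature")
	ErrBadSignature = errors.New("signature does not verify against device key")
)

// DemoKeys derives a constructed key pair from a fixed seed (demo only).
// On a real device only the public half would be present, fixed in hardware.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage is the vendor-side step: append a signature over the payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// VerifyImage is the device-side step: return the payload only if the
// trailing signature verifies against the hard-coded root key.
func VerifyImage(rootKey ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) <= ed25519.SignatureSize {
		return nil, ErrUnsigned
	}
	split := len(image) - ed25519.SignatureSize
	if !ed25519.Verify(rootKey, image[:split], image[split:]) {
		return nil, ErrBadSignature
	}
	return image[:split], nil
}

func main() {
	pub, priv := DemoKeys()
	good := SignImage(priv, []byte("firmware v1.0 (constructed sample)"))
	modified := bytes.Replace(good, []byte("v1.0"), []byte("v9.9"), 1)
	for _, img := range [][]byte{good, modified, []byte("no signature")} {
		_, err := VerifyImage(pub, img)
		fmt.Printf("boot allowed: %v (%v)\n", err == nil, err)
	}
}
```
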

As the Internet of Things and connected embedded computing begin to permeate every part of our lives, we need to come together as an industry and rethink our approach to securing and managing these devices before they are turned into weapons against us.

Edited for web by Cecilia Rehn.