IoT and the lurking botnets

The world of connected devices is growing rapidly. Everything from smart lighting to refrigerators to connected cars all hook into an ever more hyperconnected world in the name of efficiency and convenience. But the promise of smarter, more intelligent products are under threat from botnet operators. As individuals, societies, and nations grow more dependent on these connected devices, the potential collateral damage increases accordingly if adversaries succeed to compromise the very same devices.

Once a device or fleet of devices have been compromised, the best line of defense is to patch these devices to regain control. But the reality we are seeing today have product developers and device manufacturers underestimate the need for IoT security. Many lack the necessary skillset (and budget) for effectively preventing their connected smart products to be hijacked. Unfortunately, rushed development always leads to quality and security taking a backseat.

Botnets are a major threat for the IoT

A botnet consists of fleets of compromised connected devices. Adversaries have successfully penetrated these devices so they can be used for DDoS attack, steal data, send spam, take control or conduct other malicious activities.

Botnet operators offer their services on well functioning market places, where anyone using crypto currency, can buy access to as many compromised devices as they like and use them for whatever malicious activity they desire. Mirai is an example of malware that has been used to penetrate millions of devices. Once the penetration gets big enough, a botnet can take out companies websites. Mirai has so far caused serious issues for widely used online service like GitHub, Twitter, Reddit, Netflix and Airbnb.

However, this is just the beginning. Recent news reveals bigger botnets in the works that might have the potential to take out entire nations. Vulnerabilities from famous vendors like D-Link, Netgear, Linksys and similar vendors build their products on Linux, allowing a new botnet to grow at a rate of 3,000 -10,000 new devices daily. It is only a question of time before access to these devices will be offered for sale. The demand for botnets fuels the innovation and investments in finding new vulnerable devices to compromise. It is a vicious cycle.

IoT is a mess

The security state of IoT and connected devices is dire. For the vast majority of connected devices one of two is true; 1. The device cannot be patched or fixed if compromised. 2. The device relies on an insecure homegrown remote over-the-air updater solution. If you combine this with the accepted industry standard of 1-25 bugs per 1,000 line of software code, this means most devices are likely to become vulnerable at one point.

We welcome industry initiatives like A Firmware Update Architecture for Internet of Things Devices by the Internet Engineering Task Force (IETF) and similar ones, but much more will be needed. First and foremost producers of connected devices need an inexpensive way to be able to patch vulnerable devices.

This is why we made Mender.io, an open source project that in short time has probably become the world’s most popular end-to-end over-the-air (OTA) updater for connected devices. We are on a mission to eradicate all poorly implemented homegrown solutions and educate the rest about the importance for all connected devices to be able to recover from exploited vulnerabilities. Fortunately, we see a growing number of the most forward-thinking companies implement state of the art solutions, such as Mender, but much more is needed. Good security products will not suffice alone. The problem has deep roots.

Governments are late to the game

Governments around the world takes cyber security seriously, but their ability to respond to the many threats is feeble. In the US, which seems to be the furthest along in the fight, have launched initiatives like “Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching” by the National Telecommunications & Information Administration, which helps put the OTA problem on the agenda, but one can realistically expect little real impact of the outcome from such process/best-practices oriented initiatives. The risk remains in the real-world implementation.

The proposed “Internet of Things Cybersecurity Improvement Act of 2017” which seeks to ensure that all connected devices purchased by the US Government must have OTA capabilities to repair vulnerabilities, will hopefully pass and become effective one day. Unfortunately, this bill has a long way to go and faces serious obstacles. Further, if passed it only affects governmental organizations. Can we expect governmental purchasing behavior to lead the way for private industries?

In January this year, FTC charged D-Link of putting consumers’ privacy at risk due to the inadequate security of Its computer routers and cameras. The effect and results of this remains to be seen. If you noticed above, D-Link is one of the compromised vendors.

As mentioned, the US Government has taken a leadership role in this fight, but even so, they are losing ground. It is obvious that significantly more public attention should be directed towards this issue around the world.

Companies accept the risk

A primary role of governments is to protect and take care of its citizens, and therefore have clear, undisputable incentives to be more in control. Private companies on the other hand mainly run the risk of brand damage, followed by temporary operational costs to repair. Unfortunately, most companies seem to find this risk acceptable.

According to a study conducted by Forrester Consulting on behalf of ForeScout in August 2017, of 603 IT and business decision makers with involvement in their organization’s network and data security processes, 59% said they were willing to tolerate medium to high risk in relation to IoT security compliance. Combine this with 77% of companies saying that IoT creates significant security challenges, it is clear that IoT security remains low on the priority lists of senior management.

Fiat Chrysler suffered great brand damage as their Jeep Cherokee got hacked, and they had to recall 1.4 million cars. Their future models surely will have OTA solutions built-in, as will be the case for most cars and self-/smart driving vehicles. But what happens after the warranty period? For Fiat Chrysler, it will be a net loss to provide patch releases to cars out of the warranty period. Should vulnerable cars be mandated to be taken off the road?

In the automotive industry the value chain appears transparent. In smaller, cheaper consumer products such as web cameras, the situation differs greatly. Web cameras, along with routers, belong to the category of the most exploited products. Who should be responsible for fixing vulnerabilities in a white-label web camera assembled in China, distributed worldwide by hundreds of distributors to companies that put their own name on the device before selling it through retailers over the counter to anonymous customers? The chain from manufacturer to end user is untraceable. The result: Compromised web cameras remain at an adversaries disposal until the customer unplugs the web camera.

Conclusions

So far the botnets are ahead. The ability for the current generation of connected devices to recover from vulnerabilities can best be described as slim. Governments around the world have yet to take this problem more seriously. The private industry is waking up and preparing for OTA capabilities on their higher-end products, but smaller and inexpensive connected devices and products out of warranty seem to be left behind. Senior management seems, for now, to be willing to accept the risk of having IoT security gaps in their portfolio.

This is a hard and serious problem. What should be done? There is no clear answer, but it will be very interesting to see the consequences of EU’s General Data Protection Regulation (GDPR) taking effect next year. GDPR puts great responsibility on companies regarding their handling of private consumer data. The goal is to prevent us from the next Equifax and Yahoo’s loss of hundreds of millions of sensitive consumer data. Failure to comply with GDPR will have serious consequences and can lead to fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater). There is great hope this new regulation actually will lead to a shift in the industry and how players relate to security.

If GDPR succeeds, maybe OTA should be next in line? There might be ways to, through legislation, enforce the industry to better protect and be able to recover from compromises of connected devices the same way GDPR paves the way enforcing the industry to improve on privacy.