During a talk given by Mark Stanislav and Zach Lanier from Duo Security the problem was laid out and a solution presented. According to Mark and Zach the problem boils down to the unprecedented growth in this market segment. It is not hard to build and sell an IoT device, in some cases the investment cost could be as little as $25 for the basic hardware while the services used to connect these products are typically through multiple vendors using wildly different standards and even methods of communication.
To sum it up, it is likely that your new device was built by someone that spent very little on the hardware (probably old), has little to no experience in security or attack mitigation, and is using multiple common web services on the net again with little or no security. It is what Mark and Zach dubbed the "Wild West of Mixed Tech". There are no real standards or mitigation efforts at the hardware, software, or service level. This leaves these devices open to a wide range of attack and, to make things worse, the compromise of one device can mean compromise of multiple devices from different manufacturers.
But wait there is more! On top of the fact that many products are built poorly in the first place there is also an issue of updating them when there is an issue. Right now one of the most commonly exploited problems in IT security is a lack of a proper update cycle. This is at the enterprise level so you can imagine what it would be like at home where someone might not even know there is an update, much less how to actually get it in place. This could potentially leave a large number of flawed, unpatched, interconnected devices in your home or at work.
Mark then went through a list of known flaws in currently available (and used) devices that all had flaws so basic they should never have seen the light of day. Still they are there and the flaws range from the firmware (with hard coded user names, passwords, SSH keys and worse) to the mobile apps that control them. There honestly are far too many to list here and most of them have been covered quite well.
The combination of unsecure web services (by multiple vendors), old or flawed hardware, bad software choices with existing vulnerabilities, and no real mitigation or QA testing have turned IoT your basic IoT device into a "magical box of terribleness".
So what can we do to change this? Well one thing is to take a look at the devices and see if they really make sense. Do we need a connected egg tray or even a WiFi enabled light bulb? What is the really purpose of these? Imagine being hacked because of an egg tray or a light bulb... that would be a little embarrassing.
Manufacturers need to bring on or contract people that are experienced in security to ensure there are basic mitigation systems in place. They also need to make sure that the services they are talking to are using secure communication (proper session IDs, SSL, encrypt the data etc). We need to see companies stop trying to hide things in their firmware or embedded operating systems. If you drop it in there, it is not hidden and someone will find it.
Another item that we have talked about before is to remove the generic user accounts for support and also core access. These are never a good idea and are far too easy to exploit through memory dumps or scanning a binary for information. Once these accounts or SSH keys are found someone can exploit an entire product line. ... Oh yeah NEVER, EVER, use telnet.
Taking a step back some of the flaws in IoT devices can be mitigated by pushing the service providers to tighten up security around their services. With some services it is possible for an attacker to view data before any authorizations given by simply asking to connect. The information is dumped and viewable as soon as the request is put in. We have seen this on a number of fitness related devices (think creepy stalker).
We also need to see more focus on open source tools that are used for security. The Heartbleed bug is a perfect example of where an open source service was hacked to allow sessions to be broken into. There are still an extremely large number of devices and servers that are still not patched to stop Heartbleed making this a very bad issue indeed and also goes back to our point about updates and patches for devices.
Lastly, and this is a big one, companies need to be more open to security researchers when they reach out to them with a new flaw. It appears to be a hard concept to grasp that when someone calls you to inform you of a problem that they are not looking to use it against you. Instead they are trying to help improve the product. This last one is important as smaller companies can leverage this research to make a better and more secure product. In fact there are several organizations that are trying to build a better class of IoT product. One that is out there is BuildItSecure.ly which is a group of engineers and technology partners that are all working on this.
We just hope they can fix it in time before someone brings a corporation down with a WiFi Light bulb..
Tell us what you think in our Forum