IoT security and Waiting for Godot
HP Security Research has just issued a report on the state of security on the many wireless sensor, machine-to-machine networks that make up the Internet of Things. It should be taken seriously by any embedded developer looking to take advantage of the explosive growth in this market segment.
The study focused mainly on the consumer IoT segment, which is only loosely regulated and where there is no encompassing security/safety standard that all the players must adhere to, such as there is in medical, industrial, automotive and mil/aero markets.
The study looked at ten of the most popular IoT devices, uncovering, on average, 25 vulnerabilities per device, totaling 250 security concerns across all tested products. The IoT devices tested, along with their cloud and mobile application components, were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers. The report found that the most common security problems in these devices included:
1. Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials, and health information. Moreover, 90 percent of tested devices collected at least one piece of personal information via the product itself, the cloud, or its mobile application.
2. Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing password such as “1234.” In fact, many of the test accounts HP configured with weak passwords were also used on the products’ websites and mobile applications.
3. Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet, or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
4. Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials, and credentials transmitted in clear text. Seventy percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
5. Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted, and mounted as a file system in Linux, where the software could be viewed or modified.
I wish this was all news to me and that I felt confident substantive changes will be made as a result of the report. But for anyone who follows security issues in this increasingly connected world, none of the problems described in the report are new. They occur often in devices now being used and except for rare exceptions, continue unresolved.
HP chose what it says are the most popular wireless sensor, machine-to-machine and home networking-based Internet of Things products being offered to consumers currently. I would like to think that many of the security problems are due to companies rushing to get new consumer IoT products out the door and that they are waiting to see how well they do before making the necessary fixes.
But in many cases, the only thing new is the IoT designation. Many if not all of the various categories of devices have been available to consumers for several years. And for all of those years, the security problems have been identified and reported on, but, as far as I have been able to determine, have not yet been dealt with.
So why have identified security fixes not been performed? The problems and their solutions have been described in technical articles and conference papers linked to on Embedded.com. Security experts at conferences such as UBM's recent Black Hat USA 2014 are constantly reporting on the various kinds of hacks that occur AND how to fix them. Several recent blogs and Embedded Tech Focus newsletters have dealt with the security flaws relating to Android, and the problems of tainted data on connected devices and some of the tools to deal with them.
It’s not that embedded developers are unaware of the problems. Given some of my conversations with developers, and the attendance numbers for sessions involving security at meetings such as the Design Automation Conference, EE Live's Embedded Systems Conference or at UBM's Black Hat, I am convinced that developers are sincerely interested in dealing with the problems.
So, is it that the hackers are winning and are introducing security attacks at such a rate and of such bewildering variety that we are unable to keep up?
No, I think the answer to the continuing security problems has to be at the corporate level, with the executives, accountants, and vice presidents of finance of the firms building the devices and/or the software apps that run on them.
Given a choice between making a profit now versus taking a slight hit on return on investment by spending some of that money on a problem that hasn't yet happened but might in the future, my guess is that the decision makers are going with the near term certainty of a profit and cutting corners on security. As Levi Gundert points out in a recent blog on UBM's Dark Reading, the cognitive bias against dealing with potential but not yet occurring problems is a common one when it comes to corporations and security.
Unless something catastrophic happens or an industry wide standard or government mandate is imposed to force the issue, I do not expect much to be done, thus the reference in my blog title to a two-act play by Samuel Becket called "Waiting for Godot,” in which two characters wait endlessly and in vain for the arrival of someone named Godot, who never appears.
That is what I feel like when I read yet another report about security or the lack of it on the Internet and in the Internet of Things. Except for partial fixes, nothing really all-encompassing will be done. Just as in the play, we all keep talking about security and the solutions that we all think will be necessary, but they will never come to be.
I am also reminded of Saturday Night Live's classic 1970s TV comedy news skit titled “Generalissimo Francisco Franco is still dead.” The fact that the Dictator of Spain was still dead was repeated for weeks and months after the fact on Saturday Night Live’s regular newscast parody with Chevy Chase. I’m reminded of this skit because we all read or hear again and again about the pervasiveness of security issues in mobile devices and the IoT. The news is always the same because nothing changes.
So, in this case, security on the Internet, on smartphones, and now on the Internet of Things is still abysmal and getting worse, and the companies providing us with all these wonders appear to not care. So we are all left waiting for Godot.
Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. He welcomes your feedback. Send an email to firstname.lastname@example.org, or call 928-525-9087.