It seems every day there is another article about how “vulnerable” the Internet of Things (IoT) is. Here are two choice excerpts from the last year:
- “Hackers Remotely Kill a Jeep on the Highway,” Wired, 21st July 2015
- “Security Researcher Claims to have Hacked into Flight via Entertainment System,” CNN, 19th May 2015
While these are major life-threatening issues – one cannot compare a malicious actor disabling your iPhone while you are on it with someone talking control of your car going 110 kmh down the highway, let alone a plane flying at 35,000 feet and 600 mph! – the concern is that if even such important systems are easily hacked, what will happen with the many millions of connected devices that comprise IoT?
Today, courtesy of Matthew Garrett‘s twitter feed, I came across a much more detailed look at how a simple, non-threatening (at least in theory) device is can be compromised. The article is invaluable not only because it details vulnerabilities, but also because it helps us understand why such devices are so vulnerable, and points us in a direction to fixing it.
The article, entitled “The many attacks on the Zengge WiFi lightbulbs,” published 20th Dec 2015 by Viktor Stanchev, details his analysis of a commonly sold “smart bulb” that can be controlled via an Android app.
I highly recommend the article for two very different reasons:
- The technical description of the poor security design and why it failed is important for anyone who builds or manages any type of interconnected technology.
- The responsible process Viktor followed in notifying the manufacturer and giving them the opportunity to fix it – the presumption of innocence – stands in stark contrast to the “mob mentality” that often is applied to corporate (and even personal) failings.
The latter point deserves emphasis. I am a firm believer that security failings should be made public, both because the buying public deserves to know weaknesses – many will find methods to mitigate the problems on their own – and because knowledge that your failings become public, leading to potential embarrassment and loss of business, is one of the best incentives for companies to fix their problems quickly.
Nonetheless, there is a crucial difference between publication and crucifixion, as there is between sins of omission or commission on the one hand and honest errors that a company makes and is committed to fixing once aware on the other hand.
Viktor deserves credit both for his honest efforts to help the manufacturer fix the problems and for his willingness to make us, the buying public, aware.
Reading the article, it becomes clear that, for all intents and purposes, the manufacturer embedded basic computer technology in their lightbulb – processor, wifi, router, Web server – to give smart control over the light, but without even any basic security procedures, policies or technologies.
Those of us who have lived in Web or IT for the last few decades look at the behaviour and are astounded. Have they learned nothing from the breaches of the last few decades? Do they lack basic computer security hygiene? How can they possibly expose flashing the firmware or controlling the system without any channel security or identity verification whatsoever?
Yet the answer is rather obvious: no, they have not learned anything because they have not lived where we have lived in technology for the last 20 years. Or the last 10. Or even the last 2.
The companies making smart lightbulbs have extensive expertise in manufacturing dumb lightbulbs. Never before have they needed any knowledge about security and vulnerabilities, surfaces of attack, methods, etc. This is new to them. It is so new, in fact, that they cannot even conceive of it.
Thus, they simply purchase the additional components needed, probably with a contract that says, “give us a basic circuit board of the following dimensions that can provide remote access control with the following inputs and outputs.” They receive it, plug it in, and ship it.
Even much more skilled manufacturers, like GM who made the Jeep above or Airbus or Boeing, have expertise in building cars or airplanes, not connected systems. Like the lightbulb manufacturers, they simply cannot conceive of the vulnerabilities.
Imagine a person person spending their whole life in an idyllic pastoral village, surrounded by community, supported by family and friends. While they lack the opportunities of urban life, they also know nothing of crime beyond petty rivalries.
Suddenly transport that person to the middle of Manhattan, London or Beijing. Not only would they not know to watch out for buses at crosswalks or muggers late at night, they cannot even imagine that those issues exist. The person would be, ironically, a “babe in the woods.”
These companies manufacturing IoT devices are, similarly, babes in the woods. They hail from a world where these concept simply do not exist.
What was the reaction of the airline and airplane manufacturer to the demonstration? They called in the FBI and had the person arrested. That is an excellent way to intimidate researchers; it is a terrible way to find vulnerabilities, of which there undoubtedly are many.
The airline only knew of the hack because the researcher himself tweeted it. A malicious actor will not let them know of their capabilities in advance.
How do we fix a clearly broken and vulnerable situation?:
- Change the Mindset: Until companies manufacturing IoT devices recognize that they now are in the IT business, which includes security, there will be broad insecurity. This, in turn, will not happen until someone serious is breached and pays the price.
- Make it Simple: Security must be purchasable in a simple fashion.
As long as the ratio of systems to engineers was kept reasonably low, the effort to design, manage and monitor secure systems was acceptable. Even today, when you may have 10,000 servers or 100,000 or more containers, they all are deployed on a well-known series of networks in a well-known series of environments. The ratio of configurations or deployment scenarios to administrators and engineers still is low.
With IoT, the number of devices and the number of scenarios grows by orders of magnitude. The current structure of security engineers designing for constrained environments simply doesn’t scale affordably. The companies simply will not pay for it. A smart lightbulb on Alibaba may cost $1.00. If adding security engineers means the cost goes up to $1.20, Zengge will ignore security or get out of the smart lightbulb business altogether.
We of the technology world need to provide an easily packaged security platform for IoT. Make it easy and inexpensive for Zengge to include it as part and parcel of their smart lightbulbs. Let Boeing drop it into place in their 737-MAX and Airbus in their A350, while GM includes it in the Jeep Grand Cherokee.
Inexorably, labour-intensive services are replaced by automation, making them affordable and leading to the growth of new products and services. If we want secure connected devices, from lightbulbs to cars to airplanes, we need to shift from the custom-designed security shop to the off-the-shelf purchasable product or service.
What does an IoT “Secure Package” look like? I am not sure. Part of it – for centrally controlled devices like distributed billboards or road sensors – is a managed service that controls the OS, like resin.io. For the rest, devices distributed, well, everywhere, there is an answer out there waiting.