Perilous gadgets
Along with cloud, Big Data, mining and the rest of the blockchain vocabulary, the Internet of Things has entered everyday speech. Each term is harmless on its own; together they form something that even seasoned analysts struggle to explain.
And there is no getting around it: for all the everyday use of the term, there is no precise definition of IoT.
IDC says one thing, Gartner another. And users? For the most part they do not care; they want convenience. But convenience and security are, as a rule, at odds. In everyday usage, IoT simply means a smart gadget.
Anything can be smart now. But what about security?
Only rumors, but nothing confirmed
Only five years ago, security incidents involving such devices were rare and looked more like random vandalism: something happened somewhere to someone. In one incident in Kentucky, an unknown person connected to a video baby monitor installed in a nursery and tried to wake the baby at night by shouting at it.
When the father entered the room and stood in front of the camera, the intruder began insulting him and stopped only when the device was disconnected from the network.
As the number of Internet-connected devices grows, however, criminals take more interest in them. Printers, for example, have been hijacked to broadcast shocking statements.
On 24 March 2016, Andrew Auernheimer sent print jobs to thousands of Internet-connected printers in the United States and Australia. He located the devices with the Shodan search engine and the masscan port scanner: every one of them had TCP port 9100 reachable from the Internet. Port 9100 is the raw printing (JetDirect) port; it accepts a job from anyone who can open a connection to it, with no authentication at all. Having compiled a list of such devices, Auernheimer had them print anti-Semitic fliers advertising an ultranationalist website.
Auernheimer's experiment still has imitators. At the end of November 2018, a fan of the YouTuber PewDiePie carried out a similar attack on printers, sending them fliers in support of their idol.
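The printer incidents above come down to one thing: TCP port 9100 accepts a print job from anyone who can reach it, with no password. The following script is an added example, not the author's or the attackers' code. It checks a host for exactly that exposure by connecting and sending a harmless PJL identification query, which prints nothing. The built-in fake printer, its model string and the localhost ports are constructed so the script runs offline; in practice the check is run from outside the network against the printer's public address.

```python
"""Probe for an exposed raw-printing port (TCP 9100).

Added example; not from the original article. Anything sent to port 9100
is printed as-is, with no authentication, so a printer whose port 9100 is
reachable from the Internet can be driven by anyone who finds it. The
checker opens a connection, sends a harmless PJL identification query and
reports whether the port answered. A fake printer thread is included so
the script runs offline; its model string and the ports are constructed.
"""
import socket
import threading
from dataclasses import dataclass

RAW_PRINT_PORT = 9100
# Universal Exit Language prefix, then a PJL query asking the printer to
# identify itself. Nothing is printed by this query.
PJL_INFO_ID = b"\x1b%-12345X@PJL INFO ID\r\n\x1b%-12345X"


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool
    identity: str = ""

    @property
    def exposed(self) -> bool:
        """A reachable raw port is a finding on its own: no credentials are
        needed to submit a job, whether or not the device answered PJL."""
        return self.reachable


def probe_raw_port(host: str, port: int = RAW_PRINT_PORT,
                   timeout: float = 2.0) -> ProbeResult:
    """Connect to host:port, send the PJL query and collect the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(PJL_INFO_ID)
            try:
                while True:          # read until the peer closes or goes quiet
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass                 # real printers keep the socket open
    except OSError:
        return ProbeResult(host, port, reachable=False)
    return ProbeResult(host, port, True, _parse_pjl_id(data))


def _parse_pjl_id(reply: bytes) -> str:
    """PJL answers '@PJL INFO ID\\r\\n"<model>"\\r\\n\\x0c'; return <model>."""
    text = reply.decode("ascii", errors="replace")
    if not text.startswith("@PJL INFO ID"):
        return ""
    _, _, rest = text.partition("\r\n")
    return rest.strip().strip('"')


def start_fake_printer(model: str = "FAKEJET 9000") -> int:
    """Listen on a throwaway localhost port and answer one PJL query the way
    a JetDirect-compatible printer would (constructed stand-in). Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(1024)      # a real printer would print whatever arrives here
            except socket.timeout:
                pass
            conn.sendall(b'@PJL INFO ID\r\n"' + model.encode() + b'"\r\n\x0c')
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a localhost port with nothing listening, to show the closed case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for target in (("127.0.0.1", start_fake_printer()), ("127.0.0.1", unused_port())):
        r = probe_raw_port(*target)
        status = "EXPOSED" if r.exposed else "closed"
        print(f"{r.host}:{r.port} {status} {r.identity}")
```

A printer that answers here from a public address should be moved behind the firewall or have port 9100 restricted to the print server; the identification reply is merely a bonus that tells an attacker what model they are talking to.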
Finally, the Mirai botnet cannot be left out. It became notorious in 2016 after DDoS attacks of unprecedented scale. Yet the remarkable thing was not so much the intensity of the attacks (up to 620 Gbit/s) as the fact that the botnet consisted of IoT devices: DVRs, surveillance cameras and the like.
Another aspect that should not be underestimated: smart devices are essentially small computers that run autonomously on a full-fledged general-purpose OS. That makes them an attractive point of entry into a corporate or home network full of other devices, user accounts, confidential information and payment details. A single unprotected device of this kind on an enterprise network can negate everything spent on securing the perimeter.
Everybody is being watched
Let's be frank: the cases described above are of little interest to the average person, because nothing bad happened to them personally. Yes, a sheet of paper was printed, but in an office, not at home. And not everyone has cameras at home.
Another example is fitness trackers. Happily, a healthy lifestyle is in fashion; there are many models on the market, and buyers are drawn by low prices. Why not buy one? But who thinks about data protection? It started with the Strava fitness app, which exposed users' data, including that of personnel at military bases. Surprisingly, manufacturers do not learn from the mistakes of others: the Polar Flow app leaked even more personal data.
You may not care about the privacy of soldiers and athletes, but would you say the same about children? The wish to protect them is natural, and there are devices designed for exactly that, such as children's smartwatches. They can, however, have the opposite effect and leave the child totally exposed, since anyone could obtain information about the device's owner and, with it, about the child:
• Name
• Date of birth
• Height
• Weight
• What school he/she attends
• Phone number
• Parent's email
• Child photo
• GPS Coordinates
Many more examples could be given, but the point is that most users live with a false sense of security.
Who is to blame?
We want to blame someone: advertisers, manufacturers, hackers and so on. But that is only part of the truth. Consumers bear responsibility too.
Users are to blame for:
1. Negligence. In the baby monitor case, the users did not change the factory password (admin) or used obvious, weak passwords (0000, 1234). The same goes for the printers: the raw printing port was left reachable from the Internet.
2. Excessive gullibility. Even when a manufacturer claims to care about security, that is no reason to believe it blindly. The media have reported many incidents with children's smartwatches.
Manufacturers are to blame for:
1. Addressing security problems with inadequate means.
2. Default passwords that are weak and easy to compromise.
3. Unwillingness to acknowledge problems and fix them in time.
4. Fixing problems only in new devices, without releasing updates for earlier models, so that users are pushed into buying again.
Regulators are also to blame, because they are the ones who can really get things moving.
What are the prospects?
To reduce the disorder in the industry, regulators need to refine the laws that govern the manufacture of devices as well as the collection of data and its subsequent monetisation.
The task is big and ambitious, so it is being tackled step by step. In September 2018 California passed SB-327, which comes into force on 1 January 2020. The law is very concise: every manufacturer of connected devices must equip them with a "reasonable security feature", appropriate to the nature and function of the device and to the information it collects, contains or transmits.
The law does not say what that security feature must consist of, but it does spell out requirements for authentication. If a device can be logged into from outside the local network, its authentication must satisfy one of two criteria.
Either the manufacturer preprograms a unique password into each individual device, or the device forces the user to set a new password before access is granted for the first time.
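What those two options look like in a device's firmware, as an added example that is not code from the article, the statute or any manufacturer: one helper generates the per-unit password for the first option, and the DeviceAuth class implements the second by accepting the shared factory default only until a new password has been set. The hashing parameters, the list of default passwords and the class layout are assumptions made for the example.

```python
"""The two SB-327 authentication options, as device-side logic.

Added example; not code from the article, the statute or any vendor.
Option 1: every unit leaves the factory with its own random password
(printed on the label). Option 2: a shared default is accepted only until
the first login, which must set a new password before anything else works.
The hashing parameters, the default-password list and the class layout
are assumptions made for the example.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Defaults named in the article plus other common ones (constructed list).
FACTORY_DEFAULTS = frozenset({"admin", "password", "0000", "1234", "12345", "123456"})
MIN_LENGTH = 10
# Alphabet for label-printed passwords without look-alike characters (0/O, 1/l/I).
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # example setting; tune for the device's CPU


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2, so a dumped config file does not hand out the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def generate_unique_password(length: int = 12) -> str:
    """Option 1: a random per-unit password generated on the production line.
    Random rather than derived from the serial number, so a leaked factory
    key cannot reproduce every unit's password."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def is_acceptable(password: str) -> bool:
    """Reject the well-known defaults outright, and anything short."""
    return len(password) >= MIN_LENGTH and password.lower() not in FACTORY_DEFAULTS


class DeviceAuth:
    """Password check for a device's management interface."""

    def __init__(self, initial_password: str, preprogrammed: bool) -> None:
        self._salt, self._hash = hash_password(initial_password)
        # Option 2: a shared factory default must be replaced before use.
        # A preprogrammed unique password (option 1) does not need that.
        self.must_change = not preprogrammed

    def _matches(self, password: str) -> bool:
        _, digest = hash_password(password, self._salt)
        return hmac.compare_digest(digest, self._hash)

    def login(self, password: str) -> str:
        """Return 'denied', 'change-password' (only a password change is
        allowed in this state) or 'ok'."""
        if not self._matches(password):
            return "denied"
        return "change-password" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Require the current password; refuse defaults, short passwords
        and re-use of the current one."""
        if not self._matches(current) or not is_acceptable(new) or self._matches(new):
            return False
        self._salt, self._hash = hash_password(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    cam = DeviceAuth("admin", preprogrammed=False)            # option 2
    print(cam.login("admin"))                                 # change-password
    print(cam.change_password("admin", "1234"))               # False
    print(cam.change_password("admin", "long-and-private"))   # True
    print(cam.login("admin"), cam.login("long-and-private"))  # denied ok
    label = generate_unique_password()                        # option 1
    dvr = DeviceAuth(label, preprogrammed=True)
    print(dvr.login(label))                                   # ok
```

The point of the second option is the state machine, not the password check: until must_change is cleared, a correct default gets the user nothing but the change-password screen, so a device left at "admin" never becomes reachable with "admin" from the Internet.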
Well, as they say, something is better than nothing.
The British have gone further and published a more detailed guide. The document is aimed at manufacturers of IoT devices such as smart door locks, alarm systems, security cameras, toys and so on.
The guide sets out thirteen measures that manufacturers can take to protect their products.
Among other things, its authors recommend that manufacturers store user data securely, keep device software updated, make it easy for users to delete their data, and adopt a policy for reporting vulnerabilities.
Risk mitigation measures must be taken in any case!
As for users, they can either put up with everything leaking, without knowing where the data will end up, or disable some functions and use the device with limited features.
By Alexei Parfentiev, Leading Analyst at SearchInform.