The times, they are a-changing
Until last Friday, Internet of Things (IoT) cyber attacks were largely more theoretical than practical, at least for those outside of the cybersecurity research realm. When Reddit, Twitter, Netflix, Spotify, and PayPal, among others, were taken offline or significantly slowed due to a massive distributed denial of service (DDoS) attack last week, consumers and enterprises alike had the chance to see firsthand how shoddily-manufactured internet-connected devices can be a real threat. IoT exploits quickly went from the lab into consumers’ homes, which is no big surprise to security practitioners who’ve long been advocating the need for a more rigorous cybersecurity supply chain.
For its part, Chinese components manufacturer, Hangzhou Xiongmai, recalled on Monday vulnerable webcams and DVRs which contributed to the facilitation of the DDoS attack. Along with the recall the company issued a statement on its microblog acknowledging that weak default passwords on the devices made them vulnerable to the Mirai malware which had been circulating widely after its supposed author released the source code earlier in the month. Further, the company also seemed to suggest that users were at fault for the attack because the default passwords had not been changed after the devices has been purchased and implemented in consumers’ homes. The company then delved into the slightly strange by stating, “Xiongmai is not afraid to experience [security issues] once, too.”
And admit that the waters around you have grown
Blaming users and the “inevitability” of a cyber attack are very convenient ways to excuse lazy manufacturing. The fact of the matter is, though, that companies developing products that are or can be internet connected have a responsibility to create products free of fundamental security flaws. The internet and its dangers are not new concepts, and any company that is capable is taking advantage of the ability to include IoT features. With product development comes a responsibility for reliable, trustworthy shipped products. As it relates to IoT, that means hiring developers and security experts who are knowledgeable about and capable of producing products that are, minimally, hardened against the most basic security flaws. It also means providing buyers/users clear, easy to follow instructions when (or if) security precautions fall into their hands.
Let’s say, theoretically, that Xiongmai shipped cameras and recording devices to consumers with explicit instructions, explaining that failing to change the default password on the purchased device renders it vulnerable to a cyber attack (or eavesdropping or some other more personal breach of privacy that matters to consumers). We see this in enterprises, right? When a new employee joins the organization, she/he is set up with email and applications, and upon initial login, a message from IT/security appears and the user is forced to change the default password. Easy peasy and familiar to nearly all internet users in this day and age.
In the case of the Xiongmai components, it’s not clear that most users even knew a default password existed, plus updating the password is not feasible for average consumers. The hacked device passwords are hardcoded into the firmware, which makes the company’s denial of responsibility even more egregious. A regular user can be asked to login to his or her email or online banking account, click on “user settings,” and move through the “security settings” menu until the password is updated to something reasonably long and complex. Updating a password on firmware is something else.
The company claims it patched its products back in 2015 and current devices now force users to update passwords upon initial boot. According to Level 3 Communications, however, more than 500,000 in-use devices are still vulnerable.
If your time to you is worth savin’
Manufacturers will continue to push IoT devices with poor security until they’re forced to invest in better processes. In the minds of consumers, last week’s outage is in the past—services are back up and functioning properly. Will further outages (which are likely) cause consumers to rise up and demand better cybersecurity? Not likely. Did stolen credit card information result in Target or Home Depot shutting their doors? Chris Poulin, IoT security expert, says responsibility is shared among consumers and enterprises (e.g., changing default passwords, not exposing IoT devices directly to the internet, and disabling remote management), but also manufacturers. “For makers,” he says, “don't enable default accounts and passwords; don't enable the device until users set them up and choose an appropriately difficult password; and never, ever embed a vendor management account!”
Then you better start swimmin’ or you’ll sink like a stone
While consumers have a role to play, it’s principally up to security practitioners—trained experts—who understand that the dangers of hacked IoT devices are more critical than a momentary break in internet service. Groups like I Am the Cavalry, the Cyber Statecraft Initiative at The Atlantic Council, IBM-X-Force Research, and the European Research Cluster on the Internet of Things are examples of organized efforts at changing how device manufacturers look at security. That said, a limited number of organizations (albeit with more emerging every day) can’t affect change in the same way that an entire community can. It’s not about talking to other security professionals at this point; security practitioners need to get out and start pushing developers and manufacturers for higher security standards and greater accountability. Here at MISTI we love conferences, but “preaching to the choir” isn’t the next best step in the case of IoT. Non-security companies, and especially manufacturers—whether they produce components or fully baked products—need heightened awareness, and it’s up to security practitioners to deliver the message loud and clear.