The security implications of devices connecting and sharing data
I received a request from a student for commentary relevant to his final project on ‘Botnets and the Internet of Everything’, asking what risks botnets pose for the devices (cars, watches, TVs) it includes, in terms of payload and ability to spread.
He quoted an estimate that in 2020 there will be around 50 billion devices forming part of the Internet of Everything (IoE), and another estimate that right now, 75% of IoE devices do not conform to good security practices. How well are these figures likely to reflect the situation in 2020, and what is the impact of IoE botnets likely to be?
These are interesting questions. In fact, even as I was putting the last touches to this article, an article on the Talos blog made it very clear that the risk from IoT malware is far from hypothetical. Talos estimates that at least 500,000 networking devices in at least 54 countries have been compromised.
I may return to IoT- and IoE-related issues in a longer article in due course, but in the meantime, here is a slightly expanded version of my response.
We hear a lot about the Internet of Things (IoT), but not so much about the Internet of Everything, which might be described (and indeed often is) as a superset of the IoT. My understanding that it consists not only of the interconnected devices that make up the IoT, but also includes the people who benefit (or hope to benefit) from that interconnection, the data that are shared across those connections, and the processes by which information derived from those data are delivered to where they should be. Well, that’s the theory.
Like everyone else in the security industry, I’m concerned about the implications of (non-)security in devices that are included in both these categories. Indeed, I have been for a long time.
The bioinformatic imperative
In the 1980s through to the early 2000s I worked in bioinformatics, though on the side of system support and security rather than being directly concerned with the manipulation of biological data. Although the term IoT wasn’t heard much (if at all) then (and the term IoE even less), it was already hardly possible to work effectively in bioinformatics without being aware of the risks of compromise posed to (or by way of) medical devices. (The risks incurred by reliance on more obvious resources such as servers and network devices were already reasonably well understood, if not always adequately addressed, then or now.)
The first time I remember hearing about what would later be known as the Internet of Things was probably a reference to the by-then-legendary ‘Internet Coke Machine‘ of 1982, but I don’t remember fretting about its security implications. After all, the status of a vending machine in Pittsburgh had little impact on a medical research facility over 3,700 miles away in London.
However, computing and my own career have both undergone many changes since I first sat at a computer keyboard in 1986, or even in the 1990s, when my job title first changed to include the word ‘security’, and nowadays I suppose I see security issues everywhere. (If only I saw as many decisive solutions to security issues!)
My current concerns basically arise from the expansion of the IoT attack surface through (1) the addition of internet connectivity to objects that don’t necessarily need to be connected (2) the fact that such connectivity has been implemented by groups with little understanding or experience of internet security and privacy (3) the ‘rush to market’ and competitive pricing pressures that put the technical and psychosocial aspects of security so far into the shade as to be effectively invisible. Consider, for instance, the ill-considered addition of connectivity to so many toys and games.
Ifs and bots
I’m less concerned (right now, at any rate) with the specific risk from botnets, though that doesn’t mean there is no risk. We’ve already seen it encapsulated in the use of the Mirai and BASHLITE botnets to implement DDoS attacks. In principle, DDoS is very ‘suitable’ for an IoT botnet because it tends not to demand much in the way of operational functionality from the recruited device. On the other hand, the more features a device’s underlying operating system has – especially if the OS is fully implemented (e.g. Linux, Android) – the wider the range of attacks that might be possible using a network of compromised devices.
There are mitigating factors: some devices implement only the smallest necessary subset of functions; some are regularly patched (or at least patches are made available); some have a proprietary operating system that is less likely to attract the attention of the hacking fraternity, except maybe those black hats who are very specialized – not that I’m advocating that anyone rely on security through obscurity. What’s more, while Windows is less of a monoculture than is often assumed, out in the world of ‘smart’ devices and connected-but-not-all-that-smart devices, monoculture may be even less of an aid to the bad guys. There may be a wide range of devices doing much the same job, and they certainly won’t all be running Windows®. But then, the ancient myth that security flaws are the exclusive property of Microsoft operating systems and applications is no truer in the IoT context than it is elsewhere. Talos reports that the family of malware that ESET detects as Linux/VPNFilter.* is affecting network devices from “…Linksys, MikroTik, NETGEAR and TP-Link” as well as “QNAP network-attached storage (NAS) devices.”
Data versus devices
Here’s a slightly edited excerpt from my article in ESET’s 2018 Trends Report. There may well be other useful commentary in there, of course, if you’re looking for similar content and opinions.
Looking at attacks on smartphones and other mobile devices, these tend to be less focused on data and more on denying the use of the device and the services it facilitates. Which is quite bad enough where the alternative to paying the ransom may be to lose settings and other data, especially as more people have come to use mobile devices in preference to personal computers and even laptops, so that a wider range of data might be threatened.
As the Internet of Unnecessarily Networked Things becomes less avoidable, the attack surface increases, with networked devices and sensors embedded into unexpected items and contexts: from routers to fridges to smart meters, from TVs to toys, from power stations to pacemakers to petrol stations. As everything gets ‘smarter’, the number of services that might be disrupted by malware (whether or not a ransom is demanded) becomes greater.
In previous years we’ve discussed the possibilities of what my colleague Stephen Cobb calls the Ransomware of Things. There are fewer in-the-wild examples to date of such threats than you might expect, given the attention they attract. That could easily change, though, especially if more conventional ransomware becomes less effective as a means of making a quick buck. Though I’m not sure that’s going to happen for a while…
On the other hand, there’s not much indication that Internet of Things security is keeping pace with IoT growth. We are already seeing plenty of hacker interest in the monetization of IoT insecurity. It’s not as simple as the media sometimes assume to write and distribute malware that will affect a wide range of IoT devices and beyond, so there’s no cause for panic, but we shouldn’t underestimate the digital underworld’s tenacity and ability to come up with surprising twists.
Dinosaurs in Tomorrow’s World
And here – since I haven’t changed my opinion much in the interim – is a lengthy quote from an article I wrote for ITSecurity UK a couple of years ago.
I don’t know how many people have internet-connected fridges, lighting systems and televisions, but I don’t … It’s not just a matter of my being afflicted with the characteristic paranoia of the old-school security researcher. Well, not entirely. I won’t be connecting anything to my own networks that doesn’t need to be connected to function, and part of that is normal caution. I don’t particularly want to have to worry about whether my doorbell might give away my WiFi password. But the fact is, a smart doorbell or a connected kitchen appliance simply doesn’t meet any need I have right now, so I’m not going to pay extra for that functionality … personally I’m quite happy to live in Today’s World rather than Tomorrow’s. Though sometimes I wouldn’t mind going back to Yesterday’s.
But we dinosaurs do worry about a time … when we don’t have a choice about whether our devices are connected, as may already be starting to happen with TVs, for instance. Will we be able to choose whether we enable that connectivity? And … the number of people currently affected by real-world vulnerabilities may be far smaller than the PR avalanches indicate. But … IoT ‘represents an ever-widening attack surface.’ And if you’re one of a relatively small segment of the population affected by a vulnerability in a medical device, for example, you may not be reassured by the fact that it won’t affect most people. And as my colleague Pablo Ramos has pointed out, IoT is an issue that is likely to extend beyond the home and into the workplace. But maybe not immediately.
However, Nick FitzGerald, my colleague at ESET, points out that 5G is being developed and positioned in such a way that it’s not going to be possible indefinitely to avoid 5G “connected” devices. He believes that persistent 5G will be embedded into nearly everything that runs on or generates electricity, probably with no means of disabling it.
How much should we worry about this? Well, it’s an evolution of how things are at the moment, in a world where tracking by Cookie Monster is the lifeblood of the internet retail industry and social media (in some respects the same thing). Electronic appliance manufacturers will not be reluctant to take advantage of the control and monitoring opportunities offered by mandatory interconnectivity, comparable to that already enjoyed by major service providers through software and consumer electronics such as entertainment, communications and productivity devices. In essence, this trend further facilitates the extension of these opportunities from ‘brown goods’ to ‘white goods’ (aids to housekeeping such as dishwashers and refrigerators).
You may not be too concerned about the possibility that your kettle or light-fixtures may compromise your privacy, but consider this. When the internet was a playground for the State and academia, security breaches had comparatively little impact on the rest of the world. As interconnectivity spread to commercial enterprises and trickled down to small businesses and home users, the threat surface increased dramatically. While corporates are likely to have access to some in-house or outsourced security knowledge, this was (and still is) less likely to be the case for SMBs, sole proprietors, and private individuals using home networks. As home users have moved away from old-school home computers (in the sense of desktops and laptops) to handheld devices, we’ve seen more and more reliance on those devices for sensitive transactions. Yet those transactions are by no means always adequately and universally protected by the services and systems that support them. In a 5G world, the attack surface will increase dramatically, and I don’t envisage a correspondingly dramatic rise in standards of security and privacy, or in the general level of customer understanding of the risks.
Right now, it’s still possible (though not always easy) to do your shopping and banking in the real world rather than online. And you still have the option in many cases of avoiding unnecessary or unsafe connectivity. But for how long?
In view of the current issues with routers vulnerable to the VPNFilter malware, here a few ESET links with information from Stephen Cobb that seems particularly relevant right now.
Stephen Cobb: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”
Stephen Cobb: VPNFilter update: More bad news for routers
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”
You can find these and many more links about the Internet of (not always necessary) things on an AVIEN page here.
Here are a few other relevant articles from WeLiveSecurity. I’m not, of course, suggesting that we’re the only possible source of such information. It’s just that I knew where to look on the site.
Michael Aguilar: The Hive Mind: When IoT devices go rogue
Peter Stancik: At least 15% of home routers are unsecured
Stephen Cobb: 10 things to know about the October 21 IoT DDoS attacks
Michal Malik and Marc-Etienne M.Léveillé: Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices
ESET researchers: Trends 2017: security held ransom
Tony Anscombe et al: IoT and privacy by design in the smart home
My thanks to Nick FitzGerald and Bruce P. Burrell for their sanity checking of this article, and for contributing their thoughts on IoT issues.