Friday, October 21, 2016, will likely go down in the history books as a turning point for Internet security. (You may remember it as that day when you couldn’t access Twitter for a few hours and had to actually work for a change!) This was the day when we all got a small taste of the danger posed by the millions of insecure “things” attached to the Internet. This is something I’ve been warning about for years, including at DEF CON 23 and InfoSec Europe.
In reality, the DDoS attack against Dyn is really just the tip of the iceberg with respect to the risks posed by the growing Internet of [Vulnerable] Things (IoT). The published Mirai source code reveals a very simple password-guessing propagation method much like what Carna used to scan the entire IPv4 space in 2012. Primitive as this technique may be, it is in fact quite effective due to the massive number of devices running Telnet with documented (or easy to guess) passwords.
Fortunately, while most IoT gadgets don’t have a good security posture, they also aren’t bad enough to expose Telnet with weak credentials to the Internet. Many (perhaps even most) of the embedded devices marketed to consumers, however, are prone to simple authentication bypass and command injection, making it trivial to install unauthorized software like a botnet agent.
It is entirely possible that the next round of IoT-based botnet attacks could be orders of magnitude larger by taking advantage of vulnerable routers, smart home devices and even cars. While vendors and Internet standard creators naturally have a huge role to play in solving this problem, consumers must also take some personal responsibility for safeguarding the web.
Evaluating the security of IoT devices is non-trivial for advanced users, let alone for the average consumer. But it is important nonetheless.
With December rapidly approaching, it seems like an excellent time to review some steps consumers can take to make a more informed decision about purchasing secure devices. Please have a read and share this advice with your friends and family.
Questions to Ask Before Purchasing a Gadget
- Does the vendor have a formal process for receiving vulnerability reports from researchers?
- Vendors who are committed to security will have a published email address, form, or other process for receiving information about security defects in their products. Searching Google for the brand name plus “report a vulnerability” will usually reveal if a formal reporting policy is in place.
- Does the product have a history of security problems?
- Before using a product, it is worth searching for the product name plus the word ‘vulnerability.’ It is OK to buy and use a product that previously had a vulnerability, but it is important to know that the device maker has fixed the issue and to make sure your device gets updated. A long history of vulnerabilities should be considered a risk, since it could indicate that the designers don’t have a strong grasp of security principles.
- Will the device automatically install updates for security issues?
- Let’s face it, nobody wants to stay on top of seeking out and installing updates for a bunch of different devices. Even tech-savvy users will tend to fall behind on manually installing patches, which is why automatic updating is a key security feature. Searching for the device name and ‘firmware update’ can generally reveal if the product automatically applies updates or if it is up to the user to maintain the latest software. In most cases, if the vendor’s website has a place to download product updates, there is probably no auto-update feature.
- Does the product come with a published default password?
- The use of default passwords is a big pain point for security. Ideally, systems should have a randomly generated default password that is printed on the unit rather than a standard password printed in the manual. While, in most cases, it shouldn’t be a problem to simply change the password, the use of a static default casts doubt on whether other parts of the product are implemented securely. One exception to this is if the manual indicates that you will be forced to select a new password on first use.
- Is the product backed by a well-known brand?
- Although it isn’t always the case, serious security problems are more likely to be found in devices from small companies with little reputation to lose. A lot of devices on the market from small, unknown firms use untested software components with serious problems and no chance of an update. Brand-name device makers tend to be the opposite, and they are also more likely to release fixes for big security issues, but again, this isn’t always true.
What about devices you already own?
- Be sure you are not using any default passwords.
- A number of real-world attacks start with compromised passwords. Published default passwords make it easy for an attacker to compromise devices. Make sure that all of your devices are using custom passwords. Be aware that professional installers will often leave devices unprotected.
- Check your external exposure.
- The easiest devices for attackers to access are the ones exposed directly to the Internet. Services like the org Server Port Test can be used to identify if your Internet connection is exposing access to devices within your home. Ideally, there should be no services running on any ports of your public IP address. This is confirmed in the above test if all rows list “Timed-Out”. If any ports do show that a service is running, it is advisable to check your router for UPnP and NAT settings. A basic way to track down which device is listening is to unplug them one at a time until the test stops reporting an open port.
- Check your internal exposure.
- Many IoT devices run a web server for the purpose of configuration or interoperability. These web interfaces present a big risk because a malicious website you visit can make your browser send requests to them and potentially exploit vulnerabilities. Smartphones are a great tool for port scanning, with apps available for both Android and iPhone. In most cases, it is ideal to move devices with exposed web ports onto a guest network provided by your wireless router. This has the advantage of preventing an exploit vector known as cross-site request forgery (CSRF) by blocking access from your web browser to the device. Unfortunately, this is not an option for devices that rely on direct connections rather than relaying connections through a vendor infrastructure.
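As an added example (not part of the original post) of the external and internal exposure checks above, here is a small Python self-audit in the spirit of the online port test, meant to be run against your own public IP or a device on your own LAN. The port list is a constructed sample of ports home routers and gadgets commonly expose, and the function names (check_port, audit, exposed_ports, start_local_listener) are chosen here, not taken from any tool.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
# Sample list (constructed for this example, not exhaustive): FTP, SSH,
# Telnet, web management interfaces and the TR-069 remote-management port.
COMMON_IOT_PORTS = [21, 22, 23, 80, 443, 7547, 8080, 8443]

def check_port(host, port, timeout=3.0):
    """TCP-connect to one port and classify it like an online port test:
    'open' (a service answered), 'closed' (host reachable, nothing
    listening) or 'timed-out' (no reply, the ideal result on a public IP)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timed-out"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "timed-out"  # e.g. network unreachable: no answer either
    finally:
        sock.close()

def audit(host, ports=COMMON_IOT_PORTS, timeout=3.0):
    """Check every port in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = pool.map(lambda p: check_port(host, p, timeout), ports)
    return dict(zip(ports, states))

def exposed_ports(results):
    """Ports where a service answered; an empty list means the host passes
    the 'all rows Timed-Out' check (closed ports are not services)."""
    return sorted(p for p, s in results.items() if s == "open")

def start_local_listener():
    """Throwaway listener on 127.0.0.1 to confirm the checker reports an
    open port. Returns (socket, port); close the socket when finished."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    import sys
    results = audit(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    for port, state in sorted(results.items()):
        print(f"{port:>5}  {state}")
    print("exposed:", exposed_ports(results) or "none")
```

When testing your public IP, run it from outside your network (for example from a laptop tethered to a phone on mobile data), since many routers will not loop a connection from inside the LAN back to the WAN address. A "closed" result on a public IP still means the host is reachable, so it is worth reviewing the router's UPnP and port-forwarding settings even if nothing shows as open.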
Taking these suggestions is far from a foolproof way to defend against attacks, but it will go a long way to reducing your exposure. The problem of insecure IoT devices is going to be with us for a long time, and things are unlikely to start getting better until consumers start factoring security into their decision of what to buy.