by Dylan Davis and Sean Dillon
Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices can provide great value by handling tasks with precision, consistency, and accountability that can never be achieved by human labor. Unfortunately, these devices can also create huge risk; they are often susceptible to numerous categories of security vulnerabilities and consequently attacked by hackers. As shown by incidents such as the Mirai botnet seizing control of devices at over 100,000 IP addresses and Ukrainian power infrastructure being remotely disabled by hackers in December 2015, devices will be hacked if they are not secured.
A Problem of Incentives
In new IoT deployments, risk is often an invisible and uncounted factor in the tradeoff between security and functionality. The positive impact of IoT deployments are often realized immediately upon device installation, whereas the negative impact can hide unobserved for years until it manifests all at once in the form of a compromise event.
Because IoT deployment is new to most organizations, the costs of a compromise event are unprecedented and almost impossible to estimate. Even when prevention is unambiguously cheaper than cure per unit, nobody knows how much cure will be needed. Because organizations don’t know how highly to prioritize prevention, it is left to “best effort” attempts by IT staff who often have no specific security training.
This paradigm where risk is neglected because it is difficult to quantify applies even more seriously to IoT vendors. While vendors have a much greater ability to reduce risk by creating devices that are “secure by design,” they also have much lower incentive to do so, as vendors do not directly bear the costs of compromises that occur through their devices.
The clearest case study of this problem of incentives comes in the form of the most universal and critical vulnerability in IoT: default credentials. This is a problem that can be solved in two places: at the branches (by organizations changing credentials as they deploy each device) or at the root (by vendors manufacturing devices with pre-randomized passwords and distributing the passwords along with the devices).
Unfortunately, as the continued prevalence of attacks and malware that use default credentials as an entry vector shows, this problem is all too frequently not addressed at either location.
In some cases, credentials cannot be changed at all through supplied user interfaces. A device may also have trivially discovered backdoor credentials that are hardcoded into its firmware, perhaps in an attempt to speed up development time and reduce vendor costs. These scenarios present the problem where a device is in both an unfixable and vulnerable state. If the device serves a business critical function, it will require outside mitigating controls to allow for safe continued use.
A Topological Perspective on IoT Security
One of the key points of value provided by IoT and IIoT is the ability to access and control devices from remote locations.
Fundamentally, there only a few ways this effect can be achieved:
- The device is placed directly on the Internet.
- The device connects to an intermediary server that relays data back-and-forth.
- The device is accessed over a VPN.
The most functional, cheapest, and easiest option among these is also the most dangerous: placing devices on the Internet has no complicated initial setup overhead and requires no additional resources beyond the ones used to achieve functionality.
When a device is placed directly on the Internet, this ensures that anyone with knowledge of a vulnerability in it has the opportunity to exploit it. Public-facing devices create a huge problem of incentives; compromising a small number of devices is rarely worth the effort for attackers. But for devices that are directly connected to the Internet, compromising one device is the same effort as compromising thousands.
Many devices allow remote access without requiring any networking setup by relaying data through a vendor-controlled server. This approach is particularly common for device categories that only handle small amounts of data (e.g., fitness trackers, smart scales, lightbulbs, and thermostats).
This method is often not used for camera systems because the high bandwidth requirements of cameras would result in significant extra expense for vendors to operate relay servers. A middle-ground approach is sometimes used where devices collaborate with a central server not to actually relay data but rather to allow outside users to establish connections to devices using a set of techniques known as “hole punching”.
Functionally, hole punching is often equivalent to placing devices directly on the Internet but can be particularly dangerous, as users are likely to not realize that the device is capable of accepting inbound connections from the Internet.
Vendor-controlled servers can reduce the risk of compromise relative to Internet-facing devices by ensuring that attackers are not able to directly detect or connect to devices to attempt exploitation. However, this approach creates some additional privacy and security concerns because device data is available to and controlled by device vendors. This can result in massive data exposure if a centralized breach occurs at a vendor. Notably, the CloudPets “smart toys” were subject to a vendor-based data breach that exposed the data of over 800,000 users.
Finally, the most secure topology for IoT and IIoT devices is one where connectivity to devices is controlled by a non-IoT access control mechanism (i.e., a Virtual Private Network). This requires the most up-front configuration of any of the other topologies because creating and operating a VPN is a full-sized task separate from and in addition to IoT deployment. This introduces a technical skill requirement that is often an impractical amount of additional effort for home users of IoT devices.
For business organizations with any significant IT footprint and business need for remote access, operating and maintaining a VPN is a pre-existing necessity and not actually an extra cost on IoT deployment. In these cases, the chief obstacle to topologically secure IoT deployment is configuration.
Because home users are unlikely to use a VPN and vendors often seek to sell the same product to both home users and business organizations, products are not generally designed to be used primarily with VPNs. This means that most IoT deployments must involve additional time and effort identifying what steps must be taken to enable the full functionality of devices in a secure topology.
Unfortunately, the state of IoT and IIoT devices is such that topological isolation is the only consistent and reliable way to prevent device compromise. Critical vulnerabilities in all types of IoT devices are discovered and publicly disclosed on a regular basis. While best practices for IT at large include frequently applying software updates to ensure that well-known vulnerabilities cannot be exploited, in practice it is often true that IoT vendors will fail to provide patches even for vulnerabilities that are being widely exploited. Many IoT devices lack even the most basic ability to receive and apply updates.
Because IoT devices are so widely vulnerable and extremely impractical to secure on a per-device basis, topological access control is a currently a necessity for any organization that intends to avoid compromise before it occurs.
The Future of IoT Security
There may yet be hope for more devices to be “secure by design” in the future. The Internet of Things Cyber Improvement Act of 2017 is a bill introduced into the United States Senate that proposes a minimum standard of security for devices to qualify for federal procurement, including:
- Devices must be able to accept software updates.
- Vendors must provide timely updates to resolve security vulnerabilities.
- Devices must not use hard-coded passwords.
As more organizations set purchasing standards for device security, more vendors will invest in security during product development. While the proposed standards for US government purchasing have not yet been finalized or enacted, they provide a good framework for evaluating potential purchases for any organization.
Purchasing standards may, over time, provide effective incentives for device manufacturers to include security in product design. However, until IoT devices are designed with security as primary concern from early product development, the only reliable way to prevent device compromise is to use network topology to stop attackers from interacting with the devices altogether.
Dylan Davis Sean Dillon are senior security analysts at RiskSense.
