Is the Toaster a Back Door to Your Network? – The IoT, Security and IP EXPO

So what did I take from IPEXPO this year?

Firstly, that Excel is miles away from Paddington. So far in fact that I was trying to find the sleeper cabin on the Jubilee line! But seriously speaking, the most engaging content of the show for me was all related to Security, and more specifically, how the IoT is impacting Security.

The IoT – Internet of Things.

Firstly I’d like to clarify what this new buzzword is, as every vendor now seems to have some tenuous link to an “IoT strategy”. It’s everywhere at the moment, and the IoT bandwagon attempts have been even more blatant than the laughable efforts of some vendors’ marketing teams to force an alignment with an SDN strategy.

Simply put, IoT means lots of devices connected to the Internet.

Not quite so ground-breaking as we’ve been led to believe, but we mean LOTS of devices… billions… in fact Gartner estimates that by the end of last year, there were 3.8 billion connected things out there. And by devices we don’t just mean computers, phones, tablets etc. We mean washing machines, toasters, kettles, millions of environmental sensors measuring stuff from temperature to carbon monoxide and even sex toys! And yes, we should continue to question the real end-user value of having an internet connected toaster. Haters will say it’s totally pointless and they could well be right, but let’s not forget that many doubters said the same thing about the Internet in the early days.

The continuing popularity of the IoT inevitably means that thousands of new vendors will emerge, building some Internet connected device together with some app to do something cool (or not so cool) and helpful (or not so helpful).

So where does Security come into play?

Think about an everyday scenario of deploying one of these new gadgets. Excited by the prospect of unleashing our latest toy, we’ll rip open the box and in a hurried rush to get it on the Net, we’ll Bluetooth connect to it (probably using 0000 or 1234 as the PIN), stick in the wireless password and hey presto, we can now talk to it. (That’s having registered all our details with the vendor online, of course.) The slick graphical app and the amazing branding will give us confidence it’s a quality product.

In reality though, we’ve just destroyed our home network security model. Why? Well, if you were to talk about security you would probably assume that having a Router / Firewall makes you secure. (Assuming of course that your password is not the name of your pet / girlfriend / boyfriend or, worse still, left as the default!)

Let’s make the semi-reasonable assumption that security companies know more about security than “toy” makers. So if someone wanted to hack your home network, attacking the toasters and other IoT toys / devices is probably an easier ‘in’ than the Firewall.

Ethical hacker Ken Munro of Pen Test Partners published a great example of this type of vulnerability.

He hacked a child’s doll that stored the Wi-Fi key in plain text. He was able to extract the key and gain access to the wireless network. Once a hacker is on the network, they can pretty much do what they want.

You might be sat reading this feeling pretty safe because you don’t have a lot of Internet connected devices. Well, don’t. Munro also discovered vulnerabilities in mainstream devices, including the voice remote on a Samsung TV that actually records your conversations. If that’s not shocking enough, how about sending that voice conversation across the network unencrypted?

So what’s the answer?

Firstly, it’s got to be about education. Consumers need to understand that every device they connect to their network, no matter how small, is a potential security risk. They need to seek some assurance that the device is “secure” (ideally independently tested), or at least that the vendor can demonstrate that security has been a serious consideration in the design and architecture.

Vendors need to take security, especially in the consumer domestic space, more seriously. Devices and applications need to be based on designs where a decent security and privacy model is inherent, not an afterthought.

Whilst we are at it, it’s worth mentioning that this is NOT hard. IoT vendors are not expected to invent new ground-breaking security protocols here!

Let’s start with some basics.

  • All communication should be secure – Why not just use SSL?
  • Locally stored data should be encrypted
  • Default passwords should always be changed (nothing new here)
  • Ensure local code is obfuscated
  • Don’t collect/store data unless it’s essential for the function of the
    device
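As an added example (not from this post, and not code from any vendor or tester it mentions), here is the second basic applied to the doll’s exact failure: the Wi-Fi passphrase kept encrypted at rest with AES-GCM from the Go standard library, plus the check that would have caught the plain-text key. The key is assumed to come from a per-device secure element or hardware key store; where that key lives is the part that decides whether this is protection or just obfuscation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-GCM from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential stores the Wi-Fi passphrase as nonce || ciphertext || GCM tag.
// The key is assumed to live in a per-device secure element or hardware key
// store; if it sits in the same flash as the blob, this is only obfuscation.
func SealCredential(key, psk []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, psk, []byte("wifi-psk")), nil
}

// OpenCredential reverses SealCredential; a wrong key or altered blob errors.
func OpenCredential(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored credential too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte("wifi-psk"))
}

// LeaksPlaintext is the check the doll failed: is the passphrase stored verbatim?
func LeaksPlaintext(flash, psk []byte) bool { return bytes.Contains(flash, psk) }
```

Because GCM authenticates the blob, a flipped byte or a key from a different device is rejected rather than decrypting to garbage.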

The IoT is massively exciting and has the power to positively enhance the way in which we live our lives, from small domestic efficiencies, right through to grand industry changing solutions. It is certainly easy to get wrapped up in the hype of ‘anything is possible’, but in order for us to safely draw the benefit of such intelligent technologies, we must go back to basics and ground our innovation in security.

About Donna Toomey