IoT: A Cause for Celebration and Precaution
While it’s not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected.
Are you familiar with the Carna Botnet? If not, you really should be. Back in 2012, an anonymous hacker set out to "measure" the Internet in a survey entitled The Internet Census of 2012. Enlisting the Nmap Scripting Engine, every publicly addressable IP address was scanned with the goal of finding just what was out there. More importantly, the census wanted to learn how many of those devices were unprotected. Sadly, it found a lot of them.
While quite a few of the discovered devices were consumer-grade, many were IPsec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment, and so on. Finding these enterprise devices was not surprising, but far too many were still configured to accept default login credentials such as root/root and admin/admin. Ultimately, approximately 420,000 unprotected devices were discovered and the hacker was able to load scanning code onto them that allowed him or her to essentially probe the entire Internet.
Thankfully, the hacker's intentions were focused on research rather than harm, but discovering that many vulnerable devices is extremely alarming. If a so-called benevolent hacker can easily find and use them for fairly benign purposes, less scrupulous people will be next in line with far more nefarious intentions.
What Will You Find in Your Stocking
Christmas is just around the corner, and I expect that quite a few of us will receive one or more gifts that require an IP address. Personally, I am hoping for one of those wearable fitness devices. As a geek who likes to stay physically active, I could really get into electronically tracking my workouts, footsteps, and heartbeat.
Less health-minded folks are hoping Santa will bring Internet-connected lightbulbs, TVs, or refrigerators. Opening up the latest Best Buy flier, I see page after page of affordable smart devices. From Wi-Fi cameras to Web-connected security alarms, we are awash in IoT (Internet of Things) appliances and toys.
The OpenDNS 2015 Internet of Things Enterprise Report categorizes the kinds of IoT devices prevalent today as follows:
- Personal Electronics
- Consumer Appliances
- Large Appliances
- Small Appliances
- Home / Office Automation
- External Home / Office
- Power Management
- Security and Monitoring
- Audio / Visual
- Physical Locks
- Alarm System
- Environmental Monitors
- IoT Management Platforms
While it's not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected. Every on-line device is yet another place where personal information can be compromised and exploited. Each IP address is another access point hackers can and will attack.
Consider devices as seemingly innocuous as IoT garage doors, thermostats, and lighting systems. Left unsecured, these devices can be monitored to discover a homeowner's home and away patterns. Data from lighting systems can be used to plan break-ins, and robberies become easier when garage doors can be opened remotely by an attacker. Unprotected security systems can be turned off and surveillance cameras disabled.
Additionally, insecure devices enable hackers to perform data mining and learn information that can be used to attack us elsewhere. That wearable health monitoring device I want to find under the Christmas tree will gather information about me that I am not inclined to share with strangers. Even more harm can occur with devices that actually control a person's health. For example, a drug dispensing system can be told to deliver incorrect dosages.
For those of you who feel I am being Chicken Little and shouting "The sky is falling," the FBI recently issued a public service announcement that warned of all these potential problems and issued the following defense recommendations:
- Isolate IoT devices on their own protected networks.
- Disable UPnP on routers.
- Consider whether IoT devices are ideal for their intended purpose.
- Purchase IoT devices from manufacturers with a track record of providing secure devices.
- When available, update IoT devices with security patches.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Use current best practices when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
- Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor.
- Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.
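The last recommendation is concrete enough to turn into a check. The example below is added here and is not code from the article, the FBI, or any vendor; it implements the stated rules (reject the manufacturer default, common words, and passwords built from important dates or the names of children or pets) for a device's admin credential. The helper names (`check_password`, `_date_tokens`) are hypothetical, the default-credential list contains only the root/root and admin/admin pairs the article names, and the common-word list is a small constructed sample standing in for a real breached-password list. It also goes slightly beyond the text by undoing simple leetspeak substitutions, so "R3x" is still caught as the pet name "Rex".

```python
import re
from datetime import date

# Vendor default credentials. root/root and admin/admin are the pairs named in
# the article; extend this with the defaults documented for your own devices.
DEFAULT_CREDENTIALS = {("root", "root"), ("admin", "admin")}

# Constructed sample of "common words and simple phrases". A real deployment
# would load a large breached-password list instead of this handful.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456", "iloveyou"}

# Simple leetspeak substitutions, so "R3x" still matches the pet name "Rex".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _plain(s):
    """Lowercase and drop separators: 'Rex-2015!' -> 'rex2015'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _deleet(s):
    """Same as _plain, but with leetspeak digits/symbols mapped back to letters."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))


def _date_tokens(d):
    """Common ways of writing a date, each at least four digits long."""
    y, m, dd = f"{d.year}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, y[2:] + m + dd, m + dd + y, dd + m + y, y + m + dd, m + dd, dd + m}


def check_password(username, password, personal_names=(), important_dates=(),
                   min_length=12):
    """Return the reasons a credential fails the guidance; an empty list means it passes.

    personal_names: names of family members, pets, etc. that must not appear.
    important_dates: datetime.date values (birthdays, anniversaries) that must not appear.
    """
    reasons = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        reasons.append("default-credential")
    if len(password) < min_length:
        reasons.append("too-short")

    plain, deleet = _plain(password), _deleet(password)

    # Dictionary words are checked in both spellings ("p4ssw0rd" and "password").
    if any(w in plain or w in deleet for w in COMMON_WORDS):
        reasons.append("common-word")

    user = _plain(username)
    if len(user) >= 3 and (user in plain or user in deleet):
        reasons.append("contains-username")

    # Names are short, so require at least three characters to limit false hits.
    for name in personal_names:
        token = _plain(name)
        if len(token) >= 3 and (token in plain or token in deleet):
            reasons.append("contains-name")
            break

    # Dates are digit strings, so only the plain form is searched.
    if any(t in plain for d in important_dates for t in _date_tokens(d)):
        reasons.append("contains-date")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a pet named Rex and an anniversary of 2015-07-14.
    names, dates = ["Rex"], [date(2015, 7, 14)]
    for user, pw in [("admin", "admin"),
                     ("pi", "R3x!2015xyz"),
                     ("pi", "correct-horse-battery-staple-42")]:
        print(f"{user}/{pw!r}: {check_password(user, pw, names, dates) or 'OK'}")
```

Run on a device's intended admin credential before the device is put on the network; anything other than an empty list should send you back to the "change the password" step. The personal-name and date lists are the part most home users skip, and they are exactly what the FBI text singles out.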
While little of the above should be unfamiliar to No Jitter readers, it's unfortunate how many of the recommendations are not followed. Some of this is due to ignorance, but much is simply because folks are too lazy to do the necessary work to build secure configurations. While I am not sure which of the two is easier to fix, unless they are addressed, hackers will have a field day as IoT devices become commonplace.
Ho, Ho, Ho
I am the last person to play Grinch when it comes to new and exciting technologies, but I am the first to say that security should be factored into every new toy, gadget, and service. IoT will revolutionize our world, and it won't be too long before everything from toasters to electric shavers will have an IP address and connect to some form of network. Done properly, this is a wonderful thing. Done haphazardly, we are willingly inviting trouble into our lives.
In closing, I would like to quote the anonymous Carna Botnet hacker:
A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody," there are at least 1,000 people who did. Whenever you think "that shouldn't be on the Internet, but will probably be found a few times," it's there a few hundred thousand times. Like half a million printers, or a million Webcams, or devices that have root as a root password.
Enough said. Happy holidays, everyone!
Andrew Prokop writes about all things unified communications on his popular blog, SIP Adventures.
See Andrew Prokop at Enterprise Connect 2016, taking place March 7-10 at the Gaylord Palms in Orlando, Fla. Register now to take advantage of reduced rates. Use the code NJPOST to receive $200 off the current conference price.