The Internet is no longer just accessible from your laptop or mobile phone. It’s now part of television sets, baby monitors, ovens and cars. It is increasingly embedded into medical devices and other critical devices. The Internet is everywhere and the Internet of Things (IoT) is a trend that will continue to grow.
Unfortunately this growth in technology is being matched by an equally large growth in security concerns. Just last month multiple presentations at the Black Hat and Defcon security conferences highlighted weaknesses in various IoT devices. Although there has been some additional focus on the challenges of IoT security, such as the OWASP Top 10 for Internet of Things Security, the future is still going to be an uphill battle.
Lack of updates will be IoT’s Achilles heel
An ineffective or nonexistent plan for deploying security updates will be the single largest impediment to security for the Internet of Things. The reality is that vulnerabilities appear in all code from time to time. A solid security lifecycle that considers security throughout design and development will have notably fewer security issues. However, all software manufacturers must be ready to quickly respond to a vulnerability and release a patch to protect their users.
We must learn from past failures
The impact of a poor patching plan can be observed directly today just by looking at iOS and Android. Both of these operating systems made by talented organizations with plenty of security resources, and both of them quickly make patches available when a security issue is found. However, while Apple controls the distribution of patches directly to its users through iOS updates, a patch bound for an Android device must jump through numerous delays by device manufacturers and network operators. As a result, Android devices may not receive critical patches for months or years. And with less than 18 percent of Android devices running the latest Android version, 82 percent of devices are missing key security updates and capabilities.
Today’s incentive model hurts patching of IoT
Let’s imagine a security vulnerability is discovered within an Internet-connected oven, fridge, or baby monitor that you’ve recently purchased. Will a patch be delivered to address the issue? Let’s review the incentive model of the various parties to see how this would play out.
- Wants to make product sales
- Includes Internet connectivity as a feature – not their specialty area
- Concerned with public reviews of the product which drive sales
- Wants the device to work for its primary purpose
- Considers the Internet connectivity as a nice, often secondary, feature
- Majority don’t want to be hassled with “fixing” things
- Want devices under their control for botnets and distributed attacks
- Want to remain hidden and not impact device performance so there is no effort to “fix” the device and eradicate their malware
If we evaluate the above factors, we’ll see that patching vulnerabilities on Internet-connected devices is going to be a very low priority for the manufacturer. The criminal organizations will exploit vulnerabilities present on a wide number of outdated devices. If they’re smart, which they are, the criminal organizations will run their malicious activities in the background without impacting the overall performance of the device. This means the customer won’t notice the malware, and the security vulnerability will have no impact on the customer’s opinion or review of the device. Therefore, if the device reviews aren’t negatively impacted by a security vulnerability, the manufacturer will have few incentives to patch the device.
IoT vulnerabilities have many victims
Although manufacturers may not be rushing to fix these flaws, there is still a lot of damage that will result.
Owners of Internet enabled devices
Customers will lose on the privacy front. Their private data will be monitored and sold without their knowledge. As the IoT expands, this data will become even more personal and will include health data, location and video streams of their house, children, and more.
Applications across the Web
Web applications all across the Internet will also be at risk. Vulnerable Internet-enabled devices will be compromised and added to malicious botnets. These compromised devices will send spam, participate in denial of service attacks, and even harvest and test stolen credentials across the web. The victim websites that are targeted will be unrelated sites and web applications that now must not only defend against malicious attackers but also the ever-expanding botnets of compromised devices from the Internet of Things.
Effective patch deployment is a big problem
The vast majority of device hacks will remain unnoticed and without impact to the device owner. However, some vulnerabilities will be discovered and will be so severe that the public will demand a patch. But how will this play out?
In these situations a manufacturer may scramble to issue a patch. But then what? How is the patch actually delivered to the device? Will all customers be requested to reboot their oven, car, or pacemaker and navigate through an update process? Or will the updated software only be available in the next release of the physical product? This would mean customers would be unpatched until they bought a new toaster, baby monitor, etc. Unfortunately, one of our current challenges with IoT is that, even if a patch is issued, there is not an effective channel to reach the majority of devices in a timely fashion.
How can we do better?
There are two ways the situation can get better.
First, we need to work as consumers to alter the incentive model so manufacturers are inclined to rapidly patch vulnerabilities. This can be accomplished through the wide publication of shortcomings of IoT security via responsible disclosure. It can also be accomplished by clearinghouses of data on IoT security weaknesses. Repeat offenders should be held accountable, and consumers should vote with their wallets. We should also promote positive security approaches that can help build robust and secure Internet-enabled devices.
Second, manufacturers of IoT devices must be prepared for the inevitable security vulnerabilities in their products. They must consider security during design and implementation to avoid obvious security weaknesses. But they must also build in a usable patching model so devices can be upgraded when critical security patches are necessary. This also needs to be nearly seamless to users and an approach that can reach a very high percentage of devices.
The Internet of Things will quickly envelope our way of life. If we’ve learned anything from the last decades of the Internet and computer security it’s that we should be proactive in our security planning. We can’t plan for every new vulnerability or weakness. But we must design Internet-enabled devices with the ability to deploy new code quickly in the name of securing users, data, and the web at large. Otherwise the Internet of Things could turn into the Internet of botnets.
Michael Coates is director of product security at Shape Security and chair of open software security community OWASP.