When it comes to security, owning a smart device requires smart buyers. Now, more than ever before.
Symantec’s 2018 Internet Security Threat Report recently pointed out a 600% increase in attacks against smart devices in the last year. Those all-caps findings underscored the danger of failing to adequately consider the security implications of installing smart devices in homes and offices. The problem is that many customers are assuming they’re protected when they are at risk.
The failure to do the necessary homework essentially issues an open-door invitation for an attacker to plant malware, commit fraud, or commit identity theft using private information.
“Today, users have to take responsibility to make sure a smart device is securely configured,” said Bruce McCorkendale, VP, Technology at Symantec. “Most devices are not secure out of the box. It is important for a user to know the vulnerabilities of each smart device purchased. Then the user can decide to patch the vulnerabilities, if possible, or buy a device from a different vendor.”
McCorkendale said users can educate themselves about the risks posed by smart devices by consulting sites such as Shodan.io and the Common Vulnerabilities and Exposures (CVE). Shodan.io features an automatically generated list of devices that have been discovered on the Internet. With the CVE database, you can look up vulnerability information on a device. Using both sites, users can check whether their devices are visible to the Internet. They also can learn about any security holes that need to be patched and then take the necessary action.
Unfortunately, there are no state secrets here, and cyber criminals also make use of Shodan.io and CVE to find devices that are online and discover the vulnerabilities they can exploit by connecting to the device. Indeed, plans for a US Air Force drone were reportedly put up for sale on the dark web after hackers found vulnerabilities in the routers used by the military on Shodan.io.
Unfortunately, the solutions for securing IoT devices are as varied as the devices themselves.
The recommended recourse for users is to buy devices that are known to have security built in and that sit on frameworks that are also secure. Look for vendors whose frameworks use certificate pinning, which means a device accepts only the HTTPS certificates it expects to see before connecting to anything in the framework. Yet zero-day attacks can still happen and, as seen on the Shodan.io and CVE sites, the list of high-volume vulnerabilities constantly increases.
McCorkendale believes the answers to IoT security lie in Manufacturer Usage Description (MUD) and secure routers like Norton Core. Manufacturer Usage Description is an open source “nutrition label” for IoT devices. If a device implements the MUD specification, it can be limited to the specific functions for which it was built. A person’s refrigerator, for example, can be limited to storing a grocery list that is sent to the user’s smart phone each week, instead of listening to a conversation where a credit card number is spoken aloud and reporting it back to a hacker.
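The restriction MUD describes amounts to a default-deny check of a device's traffic against its declared profile. The sketch below is an added example, not code from the article or from Symantec: the JSON layout is modeled on the MUD specification (RFC 8520) and trimmed, and the refrigerator profile, host names and flow records are constructed. It assumes the gateway has already labeled each outbound flow with its destination DNS name.

```python
import json

# Constructed MUD-style profile for a hypothetical fridge that only uploads a grocery list.
MUD_JSON = """
{
  "ietf-mud:mud": {
    "from-device-policy": {"access-lists": {"access-list": [{"name": "fridge-out"}]}}
  },
  "ietf-access-control-list:acls": {"acl": [{
    "name": "fridge-out", "aces": {"ace": [{
      "name": "grocery-list-upload",
      "matches": {
        "ipv4": {"ietf-acldns:dst-dnsname": "lists.fridge.example.com", "protocol": 6},
        "tcp": {"destination-port": {"operator": "eq", "port": 443}}
      },
      "actions": {"forwarding": "accept"}
    }]}
  }]}
}
"""

def allowed_flows(mud):
    """Return the (dns name, IP protocol, port) tuples the device may initiate."""
    wanted = {a["name"] for a in
              mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]}
    rules = set()
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue  # ACL is not referenced by the from-device policy
        for ace in acl["aces"]["ace"]:
            ip, port = ace["matches"]["ipv4"], ace["matches"]["tcp"]["destination-port"]
            if ace["actions"]["forwarding"] == "accept" and port["operator"] == "eq":
                rules.add((ip["ietf-acldns:dst-dnsname"], ip["protocol"], port["port"]))
    return rules

def audit(mud, observed):
    """Default deny: return every observed flow the profile does not declare."""
    rules = allowed_flows(mud)
    return [flow for flow in observed if flow not in rules]

# Constructed outbound flows (destination name, IP protocol, port) from a gateway log.
OBSERVED = [
    ("lists.fridge.example.com", 6, 443),      # declared: grocery list over HTTPS
    ("upload.unknown.example.net", 6, 8080),   # undeclared destination
    ("lists.fridge.example.com", 17, 443),     # declared host, undeclared protocol
]

if __name__ == "__main__":
    print(audit(json.loads(MUD_JSON), OBSERVED))
```

Anything `audit` returns is traffic the manufacturer's profile never declared, which a MUD-aware router would block or flag.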
Routers are the IoT devices that suffer the highest volume of attacks. Because routers are the gateway for smart devices to connect with the Internet, compromising a router means gaining access to every unsecure device that uses it. The VPNFilter malware on routers is a recent example of how insidious these attacks can be. The primary purpose of VPNFilter is to keep the router accessible to any malware that a hacker wants to pass through it, and it can survive a reboot. The threat to routers is so pronounced that Symantec decided it had to offer a secure router solution.
“The VPNFilter attack shows that other routers are a huge part of the problem,” said McCorkendale. “We set out to show what it takes not to be part of the problem. In Norton Core there is no web interface, no services listening, no default password – it is only manageable via the cloud and its app – and there are no services with default credentials.”
For the foreseeable future, IoT security is likely to remain a work in progress. Manufacturers are only now learning the need for security. But that provides little help to the millions of customers around the world who have already installed unprotected devices. That puts the onus on consumers to manage their way through these badlands, assuming they have the technical expertise to do the legwork to keep their devices secure.