The IoT Horse Has Bolted! Hurry! Shut the Barn Door!
Here’s an interesting statistic that I’d like you to consider. Smart Cities World estimates that there are now 31 Billion IoT devices deployed worldwide, and you know what that means? There are 31 Billion attack points for those bent on destroying our connected world – indeed our way of life – through crippling cyber attacks. Nothing defined as an IoT device is secure. And that’s not just my opinion. My statement is backed by ironclad proof that the device manufacturers are playing a dangerous game, and the only way to solve this dilemma in the long term is to fix things going forward. The IoT Horse has Bolted the Barn, and shutting the IoT Security barn door now is a total waste of time.
But how could we have let this happen? One view is that the race for IoT-related market dominance far surpassed the will to render devices secure. I think, however, that it was less about growing one’s business than it was about not really understanding the vulnerabilities inherent in our old-world approach to security. Add to that the tools that exist today, like Shodan, and well…we’ve created an ugly mess.
Let’s talk Shodan (because its very existence astounds me!)
Shodan is a search engine which collects information about all IPv4 and IPv6 devices connected to the internet, and gives us the ability to search for devices using filters that can be very sophisticated. It can search by Operating System, Server Banner, Geolocation, Open Ports, etc., providing a user with a clear picture of every connected IoT device in a given area. Researchers at the Infosec Institute decided to see just how serious a problem this open visibility to connected devices presents, and the results are downright scary. They easily and effortlessly accessed and took control of thermostats, connected lighting and garage door controllers in a matter of minutes. And while these breaches might not sound that dangerous, picture a cyber criminal turning off the heat in a hospital in the dead of winter, killing all the lights and demanding a ransom, while his colleagues are breaking into the hospital negotiator’s home through the non-secure garage door.
You don’t think that’s realistic? Well, home invasion through the garage door aside, the citizens of Lappeenranta, Finland would tell you that it’s not only realistic, it happened in 2016 when cyber criminals put the freeze on many of its citizens when they hacked the environmental control systems in two apartment buildings via vulnerable thermostats. The affected Finns were left in the cold for close to a week.
What about connected lighting, you might ask? Ask Signify (formerly Philips Lighting) whose Hue lighting system was hacked in 2016 when attackers launched an IoT worm that could rip through connected lightbulbs across entire cities. And more recently, in June of this year, the Hue API went dark for close to four hours, preventing any remote users from accessing the system. Signify hasn’t provided insight into how this happened, but one logical guess is that the outage was caused by a Distributed Denial of Service (DDoS) attack.
Shodan is clearly problematic. Its users are able to find systems ranging from traffic lights, to security cameras, to water plants, power grids – even nuclear plants – all of which have inadequate or non-existent security. From a security point of view, this is wrong.
Do you know what else is wrong? The progression of the ‘art’ of hacking.
Hacking Goes Mainstream
It used to be that only deep techies were capable of hacking into systems – the kind of people depicted in the movies as diabolical geniuses with esoteric knowledge of all things computing. Not any more. The tens of billions of connected devices on the Internet have now made it possible for anybody who knows how to type and click a mouse to become a hacker. That was the conclusion of a team of researchers from Israel’s Ben-Gurion University who took less than thirty minutes to access security cameras, baby monitors, doorbells, thermostats, and other connected internet-of-things devices. Their work didn’t require any special hacking techniques. The team’s conclusion: “Anyone can do it…”
The 90-Second Rule
Ninety seconds. That’s how long you have to protect a consumer IoT device before it will (most likely) be hacked, and it’s not necessarily a human – the creepy guy in the driveway outside your home who is using your unsecured wifi – doing this. It’s malware like the Mirai botnet that is constantly searching the Internet for vulnerable IoT devices. Once it finds one, it takes control of the device and can commandeer it to participate in massive DDoS attacks such as the one that took down Liberia’s Internet in 2016.
How big is the list of compromised devices?
The flippant answer is probably a list that represents 31 billion IoT devices (see paragraph one, above), but let’s start with a partial list of devices with confirmed breaches (some of which were earlier identified).
• Cars
• Airplanes
• Security Cameras (including CCTV)
• Hospital Patient Monitors
• Industrial Controllers (including those deployed as part of critical infrastructure)
• Baby Monitors
• Smart Home Devices (e.g. Alexa)
• Webcams
• Cardiac Devices
• Connected Doors
• Connected Sex Toys (seriously!)
• The Power Grid
• Water Systems
• Street Lights
• Traffic Systems
• etc, etc, etc
So, what’s the Answer? Think ‘Toasters’.
Did you know that manufacturers cannot produce and sell toasters in most parts of the world, unless the product adheres to the following set of inspection and quality control standards?
IEC 60335-1
The IEC 60335-1 Standard is used to inspect the safety of toaster appliances for household and similar purposes. The standard rated voltage cannot exceed 250 volts for single-phase appliances.
IEC 60335-2-9
The IEC 60335-2-9 Standard is used to inspect the safety of electric portable appliances for household purposes that have a cooking function such as roasting, baking, and grilling.
ASTM F2380 - 04
The ASTM F2380 - 04 Inspection test for the performance of conveyor toasters determines the energy consumption and the cooking performance of conveyor toasters.
UL 1026
The UL 1026 is a standard similar to the IEC 60335-1. This standard has also been set in place to inspect the safety of toaster appliances and ensure they do not exceed 250 volts.
NFPA 70
The National Electrical Code (NEC) NFPA 70 is an international standard used for the safe installation of the electrical wiring and equipment into products.
And you know what? The non-networked hundreds of millions of toasters and the like don’t present a threat to our world.
The Bottom Line
It’s simply too late to try and retrofit most of the tens of billions of vulnerable IoT devices already deployed. That horse is out of the barn, and well on its way to wreaking havoc worldwide.
Today, we have to think ‘Toasters’ but with no time to wait on development of IoT security standards, governments of the world must prohibit manufacturers from deploying new IoT devices for in-country use until they know with certainty that they are being deployed in a safe, secure manner. And while this doesn’t solve today’s problem, it represents an intelligent and responsible long-term plan that will eventually eliminate threats from a lack of security in the IoT, through device attrition.
Out with the old vulnerable devices. In with the new secure ones.
And when that’s done? When our connected world is safe and secure, put the IoT horse back where it belongs and lock the barn door.
Head of Maritime at Vaisala
6 years ago
Bill hits absolutely right to the point. Human nature is about experimenting the unknown things first and then try to correct made errors afterwards. With IoT it will be tsunami of cyber attacks some day and not just for consumer applications. Future is not anymore about IoT, that's already passé. Future is rather about Private secure nets with connected, trusted devices on trusted platform where You own the keys #PriveOS.
Founder / CVO @ ConXhub | Patented Communication Solutions
6 years ago
Great analogy Bill and yes fixing the problem at source makes huge sense... The onus shouldn't be on the innocent consumer - you wouldn't buy a car without door locks!