The Internet of Things (IoT) promises to capture people’s dreams for a “smart lifestyle” and turn them into a reality. As manufacturers create new devices and product lines that capitalize on the IoT opportunity, they’re coming across a question cyber security professionals ask every day – how will device security evolve with the IoT?
Skeptics have done a good job demonstrating how far there is to go. There’s no shortage of reports about hackable Internet-connected security cameras or smart cars. But looking at small office and home (SOHO) routers can provide the most useful insights into the security issues facing IoT device manufacturers.
Routers are the gateways to connected homes
Routers are basically consumer-friendly pieces of network equipment. They provide a gateway to the Internet for many laptops, desktops and other devices in people’s homes by routing Internet traffic from multiple devices through a single connection. Their low cost and limited functionality mean that people can set them up once and then forget about them.
And hackers thrive on this kind of neglect.
Attacking routers puts hackers between the Internet and the devices connecting to the router, allowing them to perform a variety of man-in-the-middle (MITM) attacks. This might be news for many people, but this threat has been around for years. In 2012, hackers were able to gain remote access to 4.5 million DSL modems in Brazil through a flaw in the devices’ firmware. A 2014 campaign saw a group of attackers remotely change the configurations of 300,000 wireless SOHO routers.
By using MITM techniques, attackers can monitor or even manipulate the Internet traffic running through routers. The hackers behind the Brazilian example mentioned above were trying to steal banking credentials. In other cases, hackers have been able to spread malware by using compromised routers to direct people toward malicious websites. Hacktivists and extortionists have used hacked routers to create botnets, giving them more resources to plan larger attacks against bigger targets.
Firmware a fundamental security challenge
There’s not one security issue making routers vulnerable to attacks – there are several. But a notable problem with router security can be found in their use of firmware.
Firmware is software that controls the basic functions of a particular device. All computing devices rely on it, but things like smartphones and computers have operating systems built on top, which can help people manage firmware. But devices without operating systems built in, like routers, leave firmware difficult or even impossible for users to manage. While some routers make this easier by allowing people to adjust configurations with an app that can be run on a PC or smartphone, other models might make updating firmware completely impossible, essentially requiring the device to be replaced when all it really needs is an update.
This results in a considerable amount of “firmware neglect” by both manufacturers and consumers. Mark Shuttleworth, founder of the Ubuntu Linux Distribution, called firmware a “cesspool of insecurity” on his blog. Consumers rarely think about applying security patches or installing updates in devices like routers. People don’t receive notifications about firmware issues like they do with software on their PCs, so it’s completely up to them to monitor the websites of manufacturers for updates. And because consumers don’t demand firmware support, manufacturers don’t provide user-friendly ways to update the firmware used in devices. Manufacturers can even “abandon” products, meaning users cannot count on security patches or any other support for their router.
The infamous “Misfortune Cookie” bug exposed in 2014 highlights the scale of such neglect. Misfortune Cookie was discovered in the firmware of over 200 different router models from some of the largest manufacturers in the world. The bug allows attackers to monitor the Internet traffic channeled through a vulnerable router, steal passwords and login credentials, or spread malware to other devices.
The really shocking thing is that the bug actually dates back to 2002, and a new version of the firmware without the Misfortune Cookie bug was released in 2005. But as of 2014, an estimated 12 million routers were still running the unpatched firmware, with some manufacturers still shipping it with their new devices.
Firmware isn’t the only way to compromise routers. Neglecting to change the default passwords set by manufacturers is also a significant concern. Many of these default passwords are available online, and models that share the same factory-set password are clearly taking a big security risk. But awareness about passwords, and account security in general, is improving. Firmware vulnerabilities in routers, on the other hand, continued to be discovered in 2015.
Is there light or kryptonite at the end of the tunnel?
Routers are not widely recognised as IoT devices, but they’re strikingly similar. They’re small, relatively inexpensive gadgets that have a very limited set of functions compared to smartphones and computers. It wouldn’t be surprising to see routers replaced with some kind of new IoT device that combines the functions of routers with a TV, fridge, thermostat, or other type of product.
But IoT devices are already showing security problems, and have been for a few years. In 2012, the Computer Emergency Response Team in Finland reported finding malicious code in digital set-top boxes people use with their televisions. There have been several accounts of compromised IoT devices since then, so they’re certainly not immune to the kinds of threats facing routers.
The good news is that there are potential solutions in sight. Firmware is evolving into “light” operating systems that make managing devices with limited functionality (like routers and IoT devices) easier for users by offering features like auto-updates and notifications. Popular examples of such light operating systems include WebOS and Tizen. Linux-based operating systems are particularly promising solutions for some of these security issues. Their use of open-source code can reduce people’s dependency on vendors by allowing the open-source community to support neglected or abandoned products.
The key issue that needs to be understood is that routers, IoT devices, computers, phones and anything else that connects to another device create a network. And not securing the different parts of a network risks compromising the entire thing, including all of its devices and data.
There’s a good chance that firmware vulnerabilities will spread with the IoT. You’ll see this in things like toys, lamps and other devices that are becoming connected for the first time. Whether or not these new devices will evolve past the security problems in today’s SOHO routers is up to manufacturers. Building them to be secure now will help prevent people’s IoT dreams from becoming security nightmares.
Tom Gaffney is a security advisor at F-Secure Corporation.