I have been standing on my IoT soapbox for a while, saying that IoT is dangerous and people don’t know it. As a result, people aren’t doing anything about it.
Well, today I received a dose of reality.
We recently completed a vulnerability scan for a client of ours and one of the findings was a “HIGH” vulnerability. The client called me to discuss this and as I dug into it, I went, oh, #$%^.
Without giving away too much, this IoT device is a security device.
As is the case with many IoT devices, this device, of which the client has more than one in different offices, has an embedded web server that allows you to manage the device.
What are the manufacturer’s requirements for this embedded web server?
Number one requirement is that it is cheap. Free is best, but if you can’t get to free, maybe then a royalty of a buck or two per unit.
Number two requirement is that it is small and “light weight”. Light weight means it doesn’t use much memory or CPU since IoT devices are generally underpowered from a memory and CPU standpoint. An underpowered processor – one that barely gets the job done – costs less per unit (do you detect a theme here?).
Getting back to this client, what did this manufacturer do? They selected an open source web server. Open source, for the most part means free.
With respect to this “HIGH” vulnerability, the client wants to eliminate the risk, of course, so I do some research.
It turns out this open source project was abandoned in 2005. That is not unusual with open source. Often a developer will build something for a project and put it out there. When they get reassigned or the company decides to use a different solution, the open source project gets abandoned.
What is annoying here, of course, is when the client bought this IoT device the vendor didn’t say “by the way, we used this open source web server and we have no idea if it will be maintained”.
In addition, the vendor could have replaced the web server sometime in the last 12 years, but that would have cost the vendor money.
At this point, besides taking these devices out in the parking lot, running them over with my truck and making the client buy new ones (which is not going to happen, of course), the best we can do is work to mitigate the risk. ARGH!
There are a couple of takeaways from this –
- Before you buy an IoT device, ask the vendor about support. Do they plan to patch i? Do they have a history of patching their IoT devices? FOR HOW LONG? IoT devices might have a useful life of 10 years or more. If the vendor commits to patching it for one year, that is not too helpful.
- Always isolate IoT devices, both from any trusted network and also, if possible, from other IoT devices. That will help mitigate risk. It won’t eliminate it, but it will mitigate it for sure.
Users – both consumers and businesses – need to increase their understanding of the risks and their demands of their vendors to make secure products and support those products. We saw the risk in real time a couple of months ago when the Mirai botnet, using hijacked IoT devices took out parts of Amazon, Netflix, Twitter and other high profile web services. Hopefully, it won’t take an incident that takes down the power grid, for example, to get people’s attention.