The FBI released a warning this week regarding the Internet of Things security, which is pretty unusual. As a result, a lot of digital ink has been used up writing about it. I will use up a little more digital ink.
What is unusual is the FBI warning doesn’t mention any particular issue – it addresses the IoT in general. That would be equivalent to the FBI saying that you should be careful when using your laptop. Not a particular operating system or program, just if you use a laptop.
This alert comes on the heels of remote code execution flaw in VxWorks, possibly the most widely used iOT operating system. This flaw allows a hacker to take over the device, create her own userid on it and generally have her way with the device. There are some limits to exploiting this particular flaw, but this is one flaw in one IoT operating system. I see a couple of these a month and almost none of them are patched. There was one earlier this year regarding drug infusion pumps used in hospitals. The manufacturer, after being shown this glaring security flaw in several models of pumps, actually REFUSED to test the other models they sell to see if they were also vulnerable and spouted off some nonsense that this very real problem is not a problem. A year later, the FDA published a notice that this is a problem – with no requirement to recall or stop using them or even to issue a patch.
The folks that make VxWorks, Intel, has issued a patch for the flaw that was disclosed this month.
But here is where the mischief comes in and it is, in many ways, like the problem I have been whining about with Android phones. You are dependent on whoever you bought that refrigerator, baby monitor or house door lock to create a patch and then you are dependent on the person who bought it to actually install the patch.
IF the digital door lock, for example, is the current model in the vendor’s product line and not the one they sold last year, they might fix the bug. Once they fix it, they may issue a patch or they could just start shipping the new code in products that come off the assembly line starting today.
A year or so ago I bought a router who’s software was dated 2006. It was brand new, not used. And the software was, at the time, 7 or 8 years old. The vendor was still making and selling the product and, I guess, no one had sued them, so they figured that they might as well keep milking the cash cow.
Unfortunately, consumers for the most part don’t have the expertise to deal with patching their refrigerator, assuming the vendor even provides a user interface to do it.
And, given that people expect there to be 10s of billions of IoT devices in a couple of years, and no standard for how you update them, the odds of things getting markedly better are slim to none.
Part of the problem is that these manufacturers, unlike the cell phone carriers that I beat up repeatedly, don’t get any recurring revenue from you. Once you buy that baby monitor, you don’t send the baby monitor manufacturer a check every month. This means that the manufacturers, for the most part, have no clue as to where all their products are at any point in time. And zero motivation to patch something vs. releasing something new, bright and shiny for which they might get some of your dollars.
So given all this, it was refreshing to hear a different story the other day.
Google released a home WiFi router called OnHub earlier this month. As home Wifi router products go, it is on the highER end of the price curve – $200 list – but on par with other similar products and less than some others. Many people think that Google is going to use this as the “hub” of a future home automation strategy.
But, Google gets no ongoing revenue from your purchase of this device. What Google decided to do is automate the updating of the router. It is, after all, connected to the Internet. They have designed it so that they can update the code without having to take the router down, so they could update it at 2:00 in the afternoon or 2:00 in the morning and other than, possibly, seeing a new feature, you would not know or care.
For you Mr. Robot TV show fans, if you equate Google with Evil Corp., it is certainly possible that they could download code that does nefarious things, so you have to trust them to a degree. For most users, this is likely much less of a risk than running unpatched and possibly unpatchable devices.
I will get to the FBI alert in a minute.
Until either consumers get mad enough to stop buying products that aren’t secure and cannot be easily or automatically patched or manufacturers get some religion, things won’t get much better.
An alternative that could happen is that the government will get involved and “help” manufacturers. Trust me, that will not turn out well for either the manufacturers or the consumers. For the consumers, if they don’t like what the government does, they can stop buying IoT devices. The manufacturer’s alternative is to go out of business.
I am not counting on consumers getting mad enough, so the only real option is for manufacturers to get religion – likely after the government starts making rumbling sounds of writing regulations or fining wayward manufacturers.
Now, back to the FBI alert. The alert describes what an IoT device is, gives some general examples and explains some of the generic risks such compromising the device to cause physical harm (think of the Jeep hack from a couple of weeks ago where the researchers took over the gas peddle and disabled the brakes). Doesn’t get much more physical than that. It also gives some generic examples of incidents that could happen.
Then they provide a list of recommendations that I will paste below. The first recommendation is one that I talk about all the time. Unfortunately, all of these recommendations take time and expertise to understand and/or make happen, so I am not counting on the majority of people doing any of these things.
A few people will be scared enough to not buy IoT devices, but the coolness factor of unlocking your front door from your smart phone instead of with a key is just too tempting for some people.
Therefore, my prediction is that this will not be solved anytime soon and hackers will likely continue to have a field day, causing all of us time and effort to clean up the mess.
Just my opinion.
Here is the FBI’s list of recommended actions to take:
- Isolate IoT devices on their own protected networks;
- Disable UPnP on routers;
- Consider whether IoT devices are ideal for their intended purpose;
- Purchase IoT devices from manufacturers with a track record of providing secure devices;
- When available, update IoT devices with security patches;
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it operate on a home network with a secured Wi-Fi router;
- Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
- Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;
- Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.
Read the entire FBI notice here.
Read the VxWorks vulnerability announcement here.