The IoT Is After Me!
In the movie “Young Frankenstein”, Gene Wilder’s character comes to the realization that following in his grandfather’s footsteps is inevitable, prompting the following quote from Dr. Frederick Frankenstein: “All right, you win. You win. I give. I’ll say it. I’ll say it. I’ll say it. DESTINY! DESTINY! NO ESCAPING THAT FOR ME! DESTINY! DESTINY! NO ESCAPING THAT FOR ME!”
That came to mind while thinking about IoT. Unfortunately, my dialog became: “IoT! IoT! Those tiny things are after me!”
There are a number of reasons to be concerned by the IoT phenomenon. First and foremost is the demonstration of how security cameras and thermostats can be leveraged into an army capable of taking down almost any website with very little technical skill, using the Mirai software.
An article by Bruce Schneier states that “In December 2014, there was a legitimate debate in the security community as to whether the massive attack against Sony had been perpetrated by a nation-state with a $20 billion military budget or a couple of guys in a basement somewhere. The internet is the only place where we can’t tell the difference. Everyone uses the same tools, the same techniques, and the same tactics.”
This is where we are in much of computer security. Because the hardware, software, and networks we use are so unsecure, we have to pay an entire industry to provide after-the-fact security.
This article shows how it is possible to attack ‘smart’ lightbulbs and take them over. Considering that this article demonstrated that an IoT device connected to the internet will be attacked in less than two minutes, the lightbulb attack raises concerns that really need to be considered.
Imagine the situation if all the hospitals in a certain area were put out of commission. There have already been situations where a hospital was hampered in providing care because of ransomware. At least in those cases, no one was actually in immediate danger. Existing patients were cared for, and no new procedures were attempted until the infection was cleared up. An IoT attack could shut down monitoring equipment, automated medication dispensing units, and life support devices that are connected to the internet.
As more and more IoT devices infiltrate more areas and facilities, the exposure grows. One huge problem is the existing population of poorly secured devices that are already in place. These are unlikely to be properly patched or upgraded. Manufacturers have designed and sold on price, so there is no incentive to update or secure these devices. Even if they were interested in making updates available, this article offers this insight into the devices’ owners:
“This survey revealed that, worryingly, only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices… Of those polled, nearly two thirds felt that it was not their responsibility to keep firmware updated. 22% believed it was the job of software developers, while 18% consider it to be the responsibility of device manufacturers.”
So the people who own them don’t feel obligated to maintain them. From one perspective I understand that view, but it is somewhat like a car owner feeling that the vehicle’s upkeep is not their job. Granted, we are talking about things that vary in cost by a couple of orders of magnitude, but ownership of anything implies some responsibility.
Where does that leave us? As cited above, Bruce Schneier’s comment is that “we have to pay an entire industry to provide after-the-fact security”. The follow-up question that is hard to answer is “Where do I spend my money for security?” If you are a small business owner, get connected to a trusted advisor to help.
If you are a home user, the future does not look good. You will continue to get bombarded by gadgets you can control from the ‘net (teapots, lights, thermostats, door locks, etc.) that can be trivial to compromise because they are designed and built to be inexpensive. You may not be directly affected, but your devices may be used to attack others. Or you could be directly affected should you happen to get some internet-connected toys. This article discusses how poorly secured toys allow strangers to converse with children via their toys. If you are a parent, that should give you pause and perhaps reason to become just a little more tech savvy when it comes to IoT devices.
If you have questions or concerns about the IoT, give your friends at Ashton a call. 216 397-4080