It may be time to consider halting the sale of Internet of Things (IoT)-connected devices.
That won’t happen, of course. But the basic idea is that what is happening is frightening enough to raise the thought. A world of malware is being developed that uses consumer-based IoT devices as an entry point (or attack vector, in industry parlance) to get into networks. Mirai is the highest-profile example thus far. There certainly are others, or new variants of Mirai that seek to wreak various forms of havoc.
There are two issues to keep in mind: The first is that people have a pronounced tendency to not take even the most rudimentary steps toward securing their electronic devices. The bookend is that millions of IoT-connected devices are pouring into the worldwide market before effective security standards are developed and deployed.
This month, researchers from SEC Consult found that 80 models of Sony surveillance cameras have, according to eWeek, “vulnerabilities and backdoor code …that could allow attackers to create internet-of-things botnets or spy on the users.” The researchers told eWeek that it was possible for hackers to learn the passwords of the IoT devices, even if the owners had the foresight to change them.
The problem is that the hackers always have first crack (no pun intended) at doing their “job.” Security is by definition reactive. That was an inconvenience in the old days, when there was time to react and adjust. It’s a fatal flaw when things happen as quickly as they do today.
The University of New Hampshire InterOperability Laboratory (UNH-IOL), which is the go-to organization for much of the research and testing in the telecommunications sector, said this month that it is launching an IoT testing service. The targets are products aimed at homes, industrial networks, smart cities and connected cars. It will also do some IPv6 testing. The researchers have a lot of important work to do.
Wired’s Lily Hay Newman compares IoT security challenges to the “viruses, worms, and intense email spam” that caused so many problems earlier in the internet’s evolution (and still do today). It is in a way worse, she says. Infected PCs or phones slow down, don’t work or – in the case of ransomware – let the afflicted know that an attack of some sort is under way. That is not so in the world of botnets, which can appear quite normal even as they are carrying out the evil work of others:
One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn’t noticeably affect their performance. There’s no reason the average user would ever think that their webcam—or more likely, a small business’s—is potentially part of an active botnet. And even if it were, there’s not much they could do about it, having no direct way to interface with the infected product.
It is a corrosive and dangerous situation. The idea of halting the sale of IoT-enabled consumer goods until security can be figured out is facetious, of course. The point, however, is a solid one. Thousands of vulnerable devices are pouring out of stores and into the network every day. Methods of securing them must be found and incorporated from the start. “Bolted-on” solutions that are retrofit to equipment that already is designed and out in the field simply don’t work as well.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.