For the Internet of Things (IoT) to be useful, some sensing device has to collect data, and transmit that data over the Internet (typically) to a cloud server (typically) that will store and analyze that data and allow the user to see that data, and/or use the data to effect some change in the device or user behavior. That’s a simplified and over broad description of the IoT.
The problem is things like home routers, hubs, hardware and software firewalls are designed to transmit certain kinds of data over certain defined ports, and to block other unwanted traffic. When I wanted to set up a slingbox on my home network to allow me to port my TV signal to my phone, tablet or computer, I had to create in my router an exception to the firewall settings, open a specific port, and permit the traffic to flow.
On January 5, 2107, the United States Federal Trade Commission filed a lawsuit against Taiwanese router manufacturer D-Link in federal court in San Francisco. The suit alleged that the router manufacturer’s practices of failing to protect consumers against flaws identified in the OWASP project constitutes an unfair and deceptive trade practice.
For example, the FTC alleges that D-Link routers are vulnerable to protect its private key (keeping it available on a public website for six months), failing to adequately secure user login credentials (keeping them in clear text on the user’s device), maintaining hard coded user credentials, and being vulnerable to command injection flaws, means that the sale of the devices constitute an unfair trade practice.
This isn’t the first time the FTC had gone after IoT or hardware manufacturers for inadequate security. They have previously sued TRENDnet for hard coding IP addresses on Internet accessible webcams, and against ASUS for selling insecure cloud routers. The ASUS complaint alleged that the “personal cloud” storage provided by USB based hard drive accessibility was insecure, including for example, hard coded user credentials.
The problem for IoT manufacturers and designers is that low power, low function and low cost IoT devices typically may not have the kind of interface or functionality to permit the kind of security that we have come to demand (if not expect.)
Nobody wants to log into their light bulb, or remember the UserId or password of their thermostat. Consumers expect “set and forget” functionality for IoT, but security requires constant testing, updating, monitoring and vigilance. The lawsuits against ASUS and D-Link in particular establish OWASP as a standard for IoT security, one of many such standards IoT manufacturers will be expected in the future to comply with, or face the wrath of regulators and consumers both.
Consumers want devices that are easy to use, affordable, and functional. They also want them to be secure. But security is not a box you check. It’s a process. There must be secure design (follow data and work flows), secure implementation, secure testing, validation, and reassessment.
A design, which is secure against the current threat landscape, may not be secure against new threats and vulnerabilities. Software, firmware, and processes may need to be reassessed and reevaluated against new threats. If the manufacturer doesn’t try to hack its own devices, you can be sure that someone will be glad to do it for them.
Many common security protocols don’t work well for IoT devices. For example, for embedded IoT, authentication and access control (logical and physical) may not work. As devices become ubiquitous, using individual device authentication becomes impractical. We may then depend on layered or perimeter or intermediated security. The IoT devices are hard wired with a password allowing them access to some controller in the home, but the controller has authentication and access control.
The lawsuit is part of a trend by the FTC to look at design and implementation vulnerabilities and find consumers to be deceived, even when no actual deceit is shown, and where there is no evidence in the complaint that any consumer data was actually compromised. An unreasonable risk of compromise is all that is needed. Such a risk is, to the FTC (and possibly to the consuming public), simply unfair.
The complaint against D-Link also parades the terrible things that could happen if someone took over your home networks secured by a D-Link router. So it alleges that “using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.”
They also assert that hackers could compromise a user’s webcam, monitor their wearabouts, and spy on their activities,” and that failure to prevent this possibility is unfair, and selling devices touted as secure is deceptive.
These cases are just the opening salvo in the FTC’s upcoming war against IoT devices – or more accurately, against IoT devices that have not been “adequately” tested for security. The lesson here is, hack your toys, or they will be taken away from you. Happy holidays and Happy New Year.