>> HIT THE PANIC BUTTON ON IoT SECURITY - EVERY YEAR?
Sometimes it is not good to be too far ahead of your fellow engineers in
your field of expertise.
While monitoring my social media feeds; I noticed a splurge of posts where
are now trying to wake people up with the concept of IoT security and when
It dawned on me; why is it becoming such a mainstream topic now and not two
or three years ago when some of us were pushing the concept out there? In
addition; are the new threats really as bad as they suggest? Well - the answer
is not that simple, basically.. it depends.
I knew I had a feeling i covered this before, more specifically my
So; what exactly is the risk we are talking about here? To be honest; a
simple IoT device will have a dedicated task - designed to do exactly one
thing and just that. Such is the case of projects being made to monitor
the weather at your home, or send you an alert when some environmental
conditional (from a sensor) is tripped. What exactly could a hacker do with
such an IoT device?
It really depends on what underlying platform was chosen for the device.
I covered this in one of my security presentations I held while working at
Evothings and attending conferences in 2014 and 2015. A big question about
security comes down to if your device is actually needs to be secured or
not. What's the point of putting TLS encryption for a weather monitor at
my house? Zip. The real question comes down to if a hacker can actually
re-purpose an IoT device for their own purposes, like spying or running
When building an IoT product, you are given two options depending on the
type of hardware you use - either you build a barebones sketch or you tie
into an existing operating system and run your sketches within it. In all
honesty; hacking a barebones device is effectively impossible; unless
you expose a backdoor in the firmware (unlikely) or you hook up via USB
to flash a new firmware on it.
Now; if the IoT product designer decided to simply slap on a stock
standard operating system such as the likes of Raspbian or a derivative
of Linux, yet not remove any services that are unncessary for operating the
device for its intended purpose - then, there is a potential problem. This
is where a true threat arises in the world of IoT - repurposing your IoT
device for performing other tasks.
Your new baby monitoring camera is designed to provide you live footage of your
baby as they sleep - but what if it was secretly doing something else with
the 80% CPU resources that are currently not being utilized because it
is either over powered or doesn't need to be streaming data to your mobile
device at 25fps and sits idle? A good hacker wouldn't break its function.
Let's assume that someone forgot to remove sshd or a similar
service from the device - a 0day exploit comes out or, god help us if
they didn't change the default passwords; and the hacker has root access.
They can now upload new applications and write scripts on your hardware.
All of a sudden, millions of baby monitoring cameras are now part of a
massive botnet designed for performing DDoS (distributed denial of service)
attacks all from the comfort of your own home - while you are none the wiser.
Heck; the monitoring device still does what you purchased it for.
In reality; you simply need to have faith in the companies you buy your
IoT products from - or, setup a suite of hacker tools to see if what you
just purchased is vulnerable or not. The chances are - they are crying
wolf over something that isn't even needed.
It will however, be a long time before we see any form of standards on
this - as many say, it should have been defined from day one. What is
needed is a set of guidelines that product manufacturers can abide to in
the form of a checklist to make their products hacker proof - number one
on the list being change default passwords and disable anything unecessary.
It looks liek some are trying to form a standard, like
SOFA - but that
wont solve underlying problems.
As for those who turn off heating or other critical systems - they are no
hackers, they are scum.