Smart devices becoming so intelligent that they take over the entire world is a recurring theme in sci-fi, especially that of the dystopian kind: mankind serves as an “energy source” for its new evil masters until someone breaks free, puts on black attire and dark sunglasses, and proceeds to save the day. Fortunately, in reality, we control how smart these devices will become. In this world of interconnected devices, the Smarternet is our future. But how secure will it be?
We covered this topic in the Internet of Things post in February of this year, way before Heartbleed, Shellshock, and other key incidents of 2014 had been announced.
Those big bugs, among other things, showed that very critical errors in the “backbone” software used in an infinite number of hardware devices may stay hidden for years or even decades.
Here are a few recurring issues that could possibly compromise the security of the Internet of Things:
Deadlocked firmware
Take a look at some smart devices like an internet-enabled refrigerator or microwave oven. They most likely won’t run software that’s too customized, as it’s more cost effective to utilize Linux with an added firmware layer. Now imagine that due to the “design specifics” it cannot be updated.
In that case, a Shellshock-like flaw exists: the patch is available but still cannot be applied because of a design flaw. At the same time, the refrigerator works fine. The fact that it’s now part of a botnet flooding the universe with spam… well, that goes unnoticed because it doesn’t affect the owner directly. Why would their owners trash them? The most the rest of us could hope for is their connectivity being disabled, but this would require security awareness by the device’s owner. Right now, the Web is filled with devices – both personal and enterprise – with their default settings kept in place, along with super-tough login-password pairs such as admin: 12345.
This brings forth the second issue:
Users’ awareness
There are a few possible explanations as to why people keep the default settings for their net-enabled devices when that could leave them wide open to attacks: 1) They simply don’t care. 2) They don’t care and they don’t believe in cyberthreats or they don’t think anyone would bother to attack them, etc. 3) They don’t realize there are settings to be changed – protecting a baby monitor or a DVR with a password? Why?
People who are less technically aware may not realize that their home Wi-Fi enabled printer may be subject to some dire vulnerability, which can be exploited in order to pwn their entire network. When Heartbleed was disclosed, there were droves of various devices affected, including home routers and corporate firewalls, printers, video cameras, thermostats, home management gadgets, and even baby monitors. How many of them also used (and still use) those dreaded “default settings”?
Penetration depth
This issue is related to the ability of possible attackers to use a “smart device” – an aforementioned baby monitor, a CCTV camera, or a remotely operated thermostat – as leverage to set a foothold within the home or corporate network. Then they’re closer to purloining sensitive data or getting access to the victim’s finances.
If the underprotected smart devices are on the same network as other elements of the corporate infrastructure, the risk is immediately present. All of the “less-important” equipment should be placed on a separate network from the one the business processes rely upon. If they remain on the same network, it will require a lot of supervision. The safest scenario includes both of these approaches.
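The three issues above (firmware that cannot be updated, default settings left in place, and smart devices sharing a network with business systems) can be checked against a device inventory. The following is an added example, not part of the original post; the inventory fields, device names, and addresses are constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): field names and values are illustrative only.
NETWORKS = ["10.0.0.0/24", "10.0.50.0/24"]
INVENTORY = [
    {"name": "erp-server", "ip": "10.0.0.10", "kind": "business"},
    {"name": "finance-pc", "ip": "10.0.0.21", "kind": "business"},
    {"name": "lobby-cctv", "ip": "10.0.0.77", "kind": "smart", "updatable": False,
     "default_settings": True, "monitored": False},
    {"name": "hvac-thermo", "ip": "10.0.50.5", "kind": "smart", "updatable": True,
     "default_settings": True, "monitored": True},
    {"name": "office-printer", "ip": "10.0.50.9", "kind": "smart", "updatable": True,
     "default_settings": False, "monitored": True},
]

def network_of(ip, networks):
    """Return the most specific configured network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, networks) if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def audit(inventory, networks):
    """Map each smart device name to the list of issues found for it."""
    business_nets = {network_of(d["ip"], networks)
                     for d in inventory if d["kind"] == "business"}
    business_nets.discard(None)
    report = {}
    for dev in (d for d in inventory if d["kind"] == "smart"):
        issues = []
        net = network_of(dev["ip"], networks)
        if net is None:
            issues.append("unknown-network")
        elif net in business_nets:
            # Same network as business processes: needs separation or supervision.
            issues.append("shares-network-with-business-systems")
            if not dev.get("monitored", False):
                issues.append("shared-network-without-supervision")
        if not dev.get("updatable", False):
            issues.append("firmware-cannot-be-updated")
        if dev.get("default_settings", True):  # unknown is treated as default
            issues.append("default-settings-in-place")
        report[dev["name"]] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, NETWORKS).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

Missing inventory fields are treated as the unsafe value, so a device with an incomplete record is reported rather than silently passed.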
So what does the future hold?
All of these “smart”, remotely operated, internet-enabled devices will be less and less exotic with each passing year. They will become as much a part of the Internet as servers and endpoints are today. To a degree, they already are, both in a good and in a very bad sense.
Will they become more secure over the years? Cybersecurity is a hot topic today, too hot to ignore. Hopefully, CCTV camera and baby monitor manufacturers won’t turn a blind eye to it. However, the possibility that the manufacturers of the cheaper devices may choose to save on security cannot be denied either.
In the first post of the series we mentioned two articles in Wired – one of which accused sci-fi authors of phobia mongering and being overwhelmingly pessimistic. The other objected, stating that we actually need more “dystopias”.
Phobias of any kind are counterproductive in the end. Chronophobia and futurophobia – fears of time and future – are widespread today for a lot of reasons. But is it practical to be afraid of all those “too-smart” devices, like refrigerators that can order groceries for you? Nope. But they do require attention, awareness of possible security issues, and the tools to mitigate them.