IoT has quickly changed how we think of the Internet. Those who grew up with the Internet might still think of browsers on client systems like laptops and desktops pulling down websites hosted on servers. But today, Internet usage has evolved considerably from that point. We’re watching movies on the streaming app built into our televisions. Voice-enabled home assistants play music and pull up stock quotes on demand. Vast arrays of solar panels are installed at industrial scale with all kinds of instrumentation built in to allow for operations and maintenance with minimal human intervention. The benefits of this revolution are seen across the economy, fueled by new, innovative use cases with emerging and cheap distributed manufacturing driving costs down.
Desktop computing followed a similar path some decades ago, with successive generations of processors and cheaper memory enabling gains across broad swathes of society. But relative to IoT, it followed a measured pace. Even as the people producing the hardware and the applications were making steady progress, there was another set who recognized that this provided a parallel opportunity – for them to use this technology to inflict harm on others while enriching themselves. This has led to the many years of network infiltrations, data breaches, and destructive attacks that we’re now hearing about non-stop. For the most part, this has happened in environments based on traditional computing devices like servers and laptops.
As we enter the IoT era, we have to contemplate how the widespread presence of new kinds of devices that include some form of computing and network connectivity might impact the threat landscape.
Mirai, a popular malware family responsible for numerous high-profile DDoS attacks since 2016, has been ported to at least 17 separate IoT architectures. This means that once an adversary has access to an IoT device, odds are there’s already malware ready to be installed.
And gaining such access keeps getting easier. Many IoT devices run with known vulnerabilities, making them easy to compromise as long as they are reachable on the Internet. The report cites the ECHOBOT family that carries 71 separate exploits for a wide array of devices.
Even if these devices ship without known vulnerabilities in the first place, not many have a software update mechanism of any sort, so they’re almost destined to be vulnerable at some point as the underlying software ages.
This is true globally, and adversaries take advantage of common credentials that ship on devices in specific regions.
Will IoT ever see a moment where it takes a big leap forward in terms of security? Think about when Windows XP Service Pack 3 arrived and provided a huge step forward over previous generations of software that just wasn’t ready for the Internet. Can there be such a big-leap moment for IoT?
For many reasons, this seems like a long shot. The IoT ecosystem is vast, and there are many separate entities responsible for parts of the process, from the time a device is conceived to when it gets installed on a network. One huge problem is that end-users bear the brunt of the insecurity baked into the ecosystem with few consequences for other entities in the chain.
And it’s quite the brunt that end users bear. There have been multiple times in recent years when attacks have occurred that struck at the core of the Internet’s stability. IoT is a jump point for many intrusion campaigns. And the reports of large-scale vulnerabilities keep coming. In the past month, the Treck TCP/IP stack has had a set of 19 separate vulnerabilities reported, with little chance that devices that include the software will ever get updated.
What should we do to fix this? Unfortunately, there are no easy answers.
Standards will have to be created and enforced around the basic design of such devices. Secure access, updates, and obsolescence have to be factored in from the beginning. Consumers will need education on topics such as the safe deployment and use of their devices. Service providers will need to run containment operations when large attacks break out. Governments have to hold all these entities accountable. Every one of these entities will need to play its part if we are to get anywhere.
As a society, we have to recognize the role of the intelligent adversary, who will adapt to these changes as they are introduced. In many instances, even as we progress in the security of devices we have deployed, the adversary may also make significant gains in their ability to exploit vulnerable devices to their ends.
As the IoT revolution brings changes to society, it is introducing new classes of risk. It’s up to us to make sure these risks are understood and mitigated if we are to reap the full benefits of the revolution.