Interred in the Internet of Everything
The security implications of devices
connecting and sharing data
I received a request from a student for commentary relevant to his final
project on ‘Botnets and the Internet of Everything’, asking what risks botnets
pose for the devices (cars, watches, TVs) it includes, in terms of payload and
ability to spread.
He quoted an estimate that in 2020 there will be around 50 billion
devices forming part of the Internet of Everything (IoE), and another estimate
that right now, 75% of IoE devices do not conform to good security practices.
How well are these figures likely to reflect the situation in 2020, and what is
the impact of IoE botnets likely to be?
These are interesting questions. In fact, even as I was putting the last
touches to this article, an article on
the Talos blog made it very clear that the risk from IoT malware is
far from hypothetical. Talos estimates that at least 500,000 networking devices
in at least 54 countries have been compromised.
I may return to IoT- and IoE-related issues in a longer article in due
course, but in the meantime, here is a slightly expanded version of my
response.
Superset, Supernet
We hear a lot about the Internet of Things (IoT), but not so much about the Internet
of Everything, which might be described (and indeed often is) as a superset of
the IoT. My understanding that it consists not only of the interconnected
devices that make up the IoT, but also includes the people who benefit (or hope
to benefit) from that interconnection, the data that are shared across those
connections, and the processes by which information derived from those data are
delivered to where they should be. Well, that’s the theory.
Like everyone else in the security industry, I’m concerned about the
implications of (non-)security in devices that are included in both these
categories. Indeed, I have been for a long time.
The bioinformatic imperative
In the 1980s through to the early 2000s I worked in bioinformatics,
though on the side of system support and security rather than being directly
concerned with the manipulation of biological data. Although the term IoT
wasn’t heard much (if at all) then (and the term IoE even less), it was already
hardly possible to work effectively in bioinformatics without being aware of
the risks of compromise posed to (or by way of) medical devices. (The risks
incurred by reliance on more obvious resources such as servers and network
devices were already reasonably well understood, if not always adequately
addressed, then or now.)
The first time I remember hearing about what would later be known as the
Internet of Things was probably a reference to the by-then-legendary ‘Internet Coke
Machine‘ of 1982, but I don’t remember fretting about its security
implications. After all, the status of a vending machine in Pittsburgh had
little impact on a medical research facility over 3,700 miles away in London.
However, computing and my own career have both undergone many changes
since I first sat at a computer keyboard in 1986, or even in the 1990s, when my
job title first changed to include the word ‘security’, and nowadays I suppose
I see security issues everywhere. (If only I saw as many decisive solutions
to security issues!)
My current concerns basically arise from the expansion of the IoT attack
surface through (1) the addition of internet connectivity to objects that don’t
necessarily need to be connected (2) the fact that such connectivity has
been implemented by groups with little understanding or experience of internet
security and privacy (3) the ‘rush to market’ and competitive pricing pressures
that put the technical and psychosocial aspects of security so far into the
shade as to be effectively invisible. Consider, for instance, the
ill-considered addition of connectivity to so many toys and games.
Ifs and bots
I’m less concerned (right now, at any rate) with the specific risk from
botnets, though that doesn’t mean there is no risk. We’ve already seen it
encapsulated in the use of the Mirai and BASHLITE botnets to implement DDoS attacks. In
principle, DDoS is very ‘suitable’ for an IoT botnet because it tends not to
demand much in the way of operational functionality from the recruited device.
On the other hand, the more features a device’s underlying operating system has
– especially if the OS is fully implemented (e.g. Linux, Android) – the wider
the range of attacks that might be possible using a network of compromised
devices.
There are mitigating factors: some devices implement only the
smallest necessary subset of functions; some are regularly patched (or at least
patches are made available); some have a proprietary operating system that is
less likely to attract the attention of the hacking fraternity, except maybe
those black hats who are very specialized – not that I’m advocating that anyone
rely on security through obscurity. What’s more, while Windows is less of a
monoculture than is often assumed, out in the world of ‘smart’ devices and
connected-but-not-all-that-smart devices, monoculture may be even less of an
aid to the bad guys. There may be a wide range of devices doing much the same
job, and they certainly won’t all be running Windows®. But then, the ancient
myth that security flaws are the exclusive property of Microsoft operating
systems and applications is no truer in the IoT context than it is elsewhere.
Talos reports that the family of malware that ESET detects as Linux/VPNFilter.*
is affecting network devices from “…Linksys, MikroTik, NETGEAR and TP-Link” as
well as “QNAP network-attached storage (NAS) devices.”
Data versus devices
Here’s a slightly edited excerpt from my article in ESET’s 2018 Trends Report. There may well be other useful
commentary in there, of course, if you’re looking for similar content and
opinions.
Looking at attacks on smartphones and other
mobile devices, these tend to be less focused on data and more on denying the
use of the device and the services it facilitates. Which is quite bad enough
where the alternative to paying the ransom may be to lose settings and other
data, especially as more people have come to use mobile devices in preference
to personal computers and even laptops, so that a wider range of data might be
threatened.
As the Internet of Unnecessarily Networked
Things becomes less
avoidable, the attack surface increases, with networked devices and sensors
embedded into unexpected items and contexts: from routers to fridges to smart
meters, from TVs to toys, from power stations to pacemakers to petrol stations. As everything gets ‘smarter’,
the number of services that might be disrupted by malware (whether or not a
ransom is demanded) becomes greater.
In previous years we’ve discussed the
possibilities of what my colleague Stephen Cobb calls the Ransomware of Things.
There are fewer in-the-wild examples to date of such threats than you might
expect, given the attention they attract. That could easily change, though,
especially if more conventional ransomware becomes less effective as a means of
making a quick buck. Though I’m not sure that’s going to happen for a while…
On the other hand, there’s not much
indication that Internet of Things security is keeping pace with IoT growth. We
are already seeing plenty of hacker interest in the monetization of IoT
insecurity. It’s not as simple as the media sometimes assume to write and
distribute malware that will affect a wide range of IoT devices and beyond, so
there’s no cause for panic, but we shouldn’t underestimate the digital
underworld’s tenacity and ability to come up with surprising twists.
Dinosaurs in Tomorrow’s World
And here – since I haven’t changed my opinion much in the interim – is a
lengthy quote from an article
I wrote for ITSecurity UK a couple of years ago.
I don’t know how many people have
internet-connected fridges, lighting systems and televisions, but I don’t …
It’s not just a matter of my being afflicted with the characteristic paranoia
of the old-school security researcher. Well, not entirely. I won’t be
connecting anything to my own networks that doesn’t need to be
connected to function, and part of that is normal caution. I don’t particularly want
to have to worry about whether my doorbell might give away my WiFi
password. But the fact is,
a smart doorbell or a connected kitchen appliance simply doesn’t meet
any need I have right now, so I’m not going to pay extra for that functionality
… personally I’m quite happy to live in Today’s World rather than Tomorrow’s. Though sometimes I wouldn’t mind going back to Yesterday’s.
But we dinosaurs do worry about a time … when
we don’t have a choice about whether our devices are connected, as may already
be starting to happen with TVs, for instance. Will we be able to choose whether
we enable that connectivity? And … the number of people currently affected by
real-world vulnerabilities may be far smaller than the PR avalanches indicate.
But … IoT ‘represents an ever-widening attack surface.’ And if you’re one of a
relatively small segment of the population affected by a vulnerability in a
medical device, for example, you may not be reassured by the fact that it won’t
affect most people. And as my colleague Pablo Ramos has pointed out, IoT is an issue that is likely to extend
beyond the home and into the workplace. But maybe not immediately.
However, Nick FitzGerald, my colleague at ESET, points out that 5G is
being developed and positioned in such a way that it’s not going to be possible
indefinitely to avoid 5G “connected” devices. He believes that persistent 5G
will be embedded into nearly everything that runs on or generates electricity,
probably with no means of disabling it.
How much should we worry about this? Well, it’s an evolution of how
things are at the moment, in a world where tracking by Cookie Monster is the
lifeblood of the internet retail industry and social media (in some respects
the same thing). Electronic appliance manufacturers will not be reluctant to
take advantage of the control and monitoring opportunities offered by mandatory
interconnectivity, comparable to that already enjoyed by major service
providers through software and consumer electronics such as entertainment,
communications and productivity devices. In essence, this trend further
facilitates the extension of these opportunities from ‘brown goods’ to
‘white goods’ (aids to housekeeping such as dishwashers and
refrigerators).
You may not be too concerned about the possibility that your kettle or
light-fixtures may compromise your privacy, but consider this. When the
internet was a playground for the State and academia, security breaches had
comparatively little impact on the rest of the world. As interconnectivity spread
to commercial enterprises and trickled down to small businesses and home users,
the threat surface increased dramatically. While corporates are likely to have
access to some in-house or outsourced security knowledge, this was (and still
is) less likely to be the case for SMBs, sole proprietors, and private
individuals using home networks. As home users have moved away from old-school
home computers (in the sense of desktops and laptops) to handheld devices,
we’ve seen more and more reliance on those devices for sensitive transactions.
Yet those transactions are by no means always adequately and universally
protected by the services and systems that support them. In a 5G world, the
attack surface will increase dramatically, and I don’t envisage a correspondingly
dramatic rise in standards of security and privacy, or in the general level of
customer understanding of the risks.
Right now, it’s still possible (though not always easy) to do your
shopping and banking in the real world rather than online. And you still have
the option in many cases of avoiding unnecessary or unsafe connectivity. But
for how long?
VPNFilter
In view of the current issues with routers vulnerable to the VPNFilter
malware, here a few ESET links with information from Stephen Cobb that seems
particularly relevant right now.
Stephen Cobb: Router reboot: How to, why to, and what not to do – “The
FBI say yes but should you follow this advice? And if you do follow it, do you
know how to do so safely?”
Stephen Cobb: VPNFilter update: More bad news for routers
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”
You can find these and many more links about the Internet of (not always
necessary) things on an AVIEN page here.