2009年,就在消费者开始购买无线恒温器、前门摄像头和其他早期组成“物联网”的设备时,计算机科学家崔昂想到了在网络上扫描“极其脆弱”的嵌入式设备。
他说的琐碎,是指那些在工厂里仍然带有用户名和密码的设备——明显的用户名如“name”和密码如“1234”。这些代码中的许多都发表在互联网上免费提供的手册中,并且很容易用计算机程序自动扫描,所以甚至没有必要猜测。
当他做扫描时,崔天凯在144个国家发现了100多万个易受攻击的、可公开访问的设备。从这个样本中,他估计所有连接到互联网的设备中,大约有13%基本上都没有锁门,等待黑客通过。更令人担忧的是,四个月后,96%的设备都有相同的安全漏洞。
崔天凯的警告同样令人恐惧,因为它面无表情地发布:“嵌入式网络设备被广泛部署,而且往往配置不当,构成了极具吸引力的攻击目标。”
在此后的十年里,连接到互联网的易受攻击设备数量增加了七倍。爆炸来自对智能设备日益增长的需求,这种需求受到大肆宣传的推动。制造商们现在正绞尽脑汁地嵌入几乎每一个普通的物体,似乎都有微型计算机,它们能愉快地与周围的世界进行无线通信。在这场“智能”革命中,几乎任何带有开/关开关或上/下按钮的设备都可以用手机或语音传感器远程控制。你想不用从沙发上站起来就能开大暖气、调暗灯光、开动烘干机——只要对亚马逊回声报说出你的愿望就行了吗?面包圈爆开后,你想让你的烤面包机给电视发个信息吗?你想让你的烤箱告诉你砂锅已经在350度下煮了规定的20分钟,现在正在厨房里冷却到200度吗?物联网可以让所有这些事情发生。
便利的无线驱动革命也有阴暗面。危险不仅仅是黑客攻击。与传统的“计算机互联网”不同,传统的“计算机互联网”局限于一个有限的数字“虚拟”世界,物联网与物理世界有着直接的联系。这引发了一系列令人不安的问题:如果我们新型烤面包机烤箱、安全摄像头或智能城市里的电脑对我们不利,会发生什么?我们真的能信任物联网吗?大多数网络安全专家对最后一个问题的回答都很明确。“不,”本·莱文(Ben Levine)说,他是总部位于桑尼维尔的技术公司兰布斯(Rambus)的产品管理和密码学高级主管,专门研究数据的性能和保护。"我现在的简短回答是‘不’。"
与“计算机互联网”不同,后者主要是由具有信息技术或计算机科学背景的技术人员创建的,许多制造这种设备的制造商现在缺乏构建密闭系统所需的专业知识。有些人没有意识到这样做的重要性。因此,恶作剧的可能性似乎是无穷无尽的——崔和其他网络安全专家已经多次证明了这一事实。
你的振动器在欺骗你吗?
最近几个月,阿尔瓦罗·卡德尼亚斯的实验室更有创造力,去年他向他在达拉斯德克萨斯大学的学生挑战,要求他们破解一系列物联网设备。除此之外,他们设法打开并劫持了一架无人驾驶飞机,并证明他们可以用它攻击无辜的受害者,像神风敢死队一样,或者播放邻居的视频和音频。他们黑进了一个受欢迎的儿童玩具——一个联网的会说话的小恐龙,这样它就可以接收更新。然后他们展示了他们可以接管玩具,用它侮辱孩子,煽动不适当的谈话(用玩具可信的声音)或者告诉孩子该做什么。他们展示了他们可以控制联网摄像机来监视家庭。他们甚至发现“敏感设备”——振动器——的存在,有时被海外军事人员用来与他们的伙伴建立远程虚拟关系。他们不仅能够获得私人使用信息,还警告说,有可能冒充“可信的伴侣”和“实施远程性侵犯”
卡德尼亚斯向设备制造商和CERT协调中心报告了他们的发现,CERT协调中心是一个由联邦政府资助的非营利性R & D组织,它与企业和政府合作来提高互联网的安全性。然后他向电子工程和电气工程专业协会IEEE提交了一篇论文,该协会在今年秋天的特刊上发表了他们的发现。
他们写道:“这些攻击表明物联网技术是如何挑战我们关于安全和隐私的文化假设的,并有望激发人们更加重视物联网开发者和设计者的安全和隐私实践。”。(论文发表后,除了无人机公司,所有制造商都做出了回应,并试图修复漏洞)。
力倍增器
2016年的Mirai未来组合攻击显示了物联网是多么容易受到黑客攻击。它始于对用于玩《我的世界》视频游戏的小型服务器的分布式拒绝服务攻击。
截至2018年底,全球安装了超过230亿个物联网设备。许多购买这些智能设备的消费者目前懒得将它们连接到WiFi上,这意味着它们基本上处于离线状态,黑客无法触及。但是,随着制造商继续兜售连接的好处,这种情况可能会改变。到2025年,设备数量预计将增加两倍以上,达到750亿台。
易受攻击设备的数量给黑客们提供了强大的杠杆作用。2016年的Mirai未来组合袭击事件,可能是受到崔天凯原始论文的启发,说明了威胁有多危险。帕拉斯·贾,一个安静的、社交尴尬的新泽西大学辍学生,经营着一个利润丰厚的生意,在他自己的私人电脑服务器上租赁空间给视频游戏《我的世界》的狂热爱好者,这样他们就可以和朋友们私下玩。听起来很愉快,但是生意很残酷。Jha和他的竞争对手的一个常见策略是侵入毫无戒心的人的家用电脑,用恶意软件劫持他们,并指示他们向竞争对手的机器发送大量不需要的消息和数据,压倒他们并有希望关闭他们——这被称为分布式拒绝服务攻击(DDoS)。对“不可靠”的服务感到沮丧的毫无戒心的顾客很容易成为偷猎的目标。
2016年,贾和他在网上遇到的两个《我的世界》朋友决定让他的对手做得更好。他们不仅入侵了台式电脑,还入侵了无数的安全摄像头、无线路由器、数字录像机、家用电器和其他物联网设备。像崔天凯之前一样,Jha和他的朋友们编写了一个程序,扫描互联网来定位易受攻击的设备。但与崔不同,他们实际上在机器上植入了恶意软件并控制了它们。由于智能设备的激增,Jha的僵尸机器人军队增长得比他想象的要快——到第一天结束时,他已经征用了65000台设备;据估计,他的僵尸军队达到了60万人。
这次袭击以一部日本电视剧命名为“Mirai未来组合”(“未来”),威力如此之大,以至于贾不满足于打倒他的小《我的世界》对手。他还将这种新武器训练给了法国大型电信提供商OVH,该公司拥有一个受欢迎的工具,他的竞争对手依靠这个工具来抵御他的攻击。最终,警察注意到了。贾被罚款860万美元,并为联邦调查局工作了2500小时的社区服务。
现年36岁的崔天凯是红气球安全公司的创始人兼首席执行官,他经常穿着t恤、珠子项链和男士发髻在黑客会议上发表演讲,并以建议公司如何在充满敌意的网络世界中保护自己为生。他仍然感到惊讶的是,在修补他的论文中发现的漏洞以及他认为可能会造成更大损害的其他漏洞方面,所做的工作太少了。虽然为Mirai未来组合袭击中的目标公司等资金雄厚的大型公司提供服务的安全公司已经想出了新的方法来保护客户端服务器免受分布式拒绝服务攻击,但许多物联网设备制造商几乎没有采取任何措施来保护我们其他人免受网络危害——不仅仅是僵尸设备征兵,还有间谍活动、破坏和利用,安全专家认为这些行为应该引起严重的隐私和安全问题。
崔天凯认为,造成这种忽视的原因是在蓬勃发展的物联网设备业务中抢占市场份额的淘金心态。在过去的五年里,物联网的宣传变得如此火爆,以至于消费者设备领域的许多风投资助的初创企业——甚至一些主要制造商——都在增加互联网连接,将他们的产品推向市场,并决心在以后修复任何安全漏洞。有些人甚至根本没有考虑过安全性。崔说:“你必须投入时间和资源来关心安全。”。“但风险投资资金很多,他们想很快推出一款他们认为市场可能会喜欢的具有物联网功能的产品。”
这笔钱主要用于开发新设备。“目前的问题是,真的没有安全激励,”卡德尼亚斯告诉《新闻周刊》。"安全性通常是这些产品的次要考虑因素."大多数消费者没有意识到危险,也没有要求保护。设备制造商没有义务提供它。
在佐治亚理工学院的一个实验室里,电气和计算机工程学院的副教授马诺·安东尼卡基斯和研究科学家奥马尔·阿尔拉维也一直在探索新兴物联网日益扩大的安全漏洞。安东尼卡基斯指出,尽管有一类知名供应商“至少在某些情况下试图获得安全保障”,但即使是大型制造商也面临着将新的物联网产品推向当前市场的压力。“需要大量的质量保证和测试,以及渗透分析和脆弱性分析来使它正确,”他说。但是对市场的抢购“与已被证实的安全措施产生了激烈的分歧”
许多最大的科技公司已经投入巨资开发“智能家居”设备市场,这是物联网设备发展最快的领域之一。亚马逊是智能集线器市场的主导者之一,谷歌在2014年以32亿美元收购了数字恒温器制造商Nest。此后,谷歌将其扩展为一个数字中心,其中还包括烟雾探测器和智能门铃和锁等安全系统。三星拥有智能物品中心,2014年以2亿美元收购,现在连接到空调、洗衣机和电视。苹果公司有一套家用套件,可以通过在HomePod范围内传送的语音命令控制任意数量的设备。
亚马逊服务部门的戴夫·莱姆在2018年推出了回声点。
漏洞百出
一旦安装了这些系统,越来越多公司的设备就可以添加到家庭网络中,包括通用电气、博世和霍尼韦尔等知名家电制造商生产的设备。贝尔金制造了一系列相连的电器,包括瓦罐式WeMo智能慢炖锅、智能咖啡机和智能家用加湿器。有很多钱要赚。据物业管理咨询公司iProperty Management称,截至2019年底,过去12个月销售的近20亿台消费类设备将获得超过4900亿美元的利润。
为了引起人们对危险的关注——以及消费者在购买新的物联网产品时应该询问的问题——安东尼卡基斯和阿尔拉维与教堂山北卡罗莱纳大学的研究人员合作,开发了一个评级系统,并开始评估各种物联网设备的安全性。令人惊讶的是,他们甚至在一些最精通技术的公司生产的设备和系统中发现了漏洞。
他们认为,物联网设备的漏洞远远超出了密码保护的漏洞,即Mirai未来组合攻击暴露的漏洞。物联网设备也可以通过它们所连接的家庭网络直接访问和接管,而家庭网络的强度与其最薄弱的环节一样大。这意味着即使每台设备都有唯一的密码和用户名,也不一定安全。一旦黑客通过一个易受攻击的设备找到进入家庭网络的方法,这条路径通常对网络的其他部分是敞开的。
他们认为,为了保护物联网设备,制造商需要修补四个不同领域的漏洞:直接访问设备本身、运行设备的移动应用程序、与家庭网络的通信方式,以及在许多情况下制造商用来推出更新、收集用户数据或提供新服务的基于云的服务器。
做好这一切并不容易。Alrawi指出,对于一个确保所有四个部分安全的供应商来说,它需要一个好的移动应用开发团队“知道安全开发”,“一个做得非常好的嵌入式系统开发和安全开发的系统团队”以及云专家,他们能够设计一个安全的云“后端”,允许在不增加设备风险的情况下对其进行管理。最后,设备制造商需要一个具备网络知识的人,知道如何构建高效、安全的互联网协议以及应该避免哪些协议。
“他们必须在所有这些和可用性之间取得平衡,”他说,“所以你可以看到,仅仅从精神上来说,这已经变得很难管理了。当一个提出这一伟大想法的创业团队想要将产品推向市场时,他们通常是一个不具备所有专业知识的小团队。但即使是大供应商,其中一些问题也很难确定和管理。”
事实上,虽然安东尼卡基斯、阿尔拉维和他们的团队对主流产品如亚马逊回声和贝尔金网络摄像头的设备安全性给予了相对较高的分数,但他们对网络安全性给予了Cs、Ds和Fs——衡量这些设备如何免受通过其他易受攻击设备访问家庭无线网络的入侵者的攻击。虽然许多与谷歌智能家居产品嵌套相关的设备(如恒温器、烟雾探测器、智能锁和门铃)在设备和网络安全方面获得了As和Bs,但它们在移动和云保护方面获得了Cs和Ds——这意味着一个足智多谋的黑客想要打开前门,仍然可以进入一个家庭。
云类别是最令人担忧的。由于这些服务中有许多是基于云的,并且连接到中央公司的服务器上,如果一个坚定的、资金充足的黑客——比如中国、朝鲜或俄罗斯——使用他们曾经绕过传统计算机互联网安全的那种复杂的攻击手段,他们可能会做什么就无从知晓了。
崔说:“你说的是进入潜在的数百万人的家,当这种情况发生时,想想你家周围所有的麦克风、摄像机和执行器,然后用这些东西的所有人把它们相乘”。
阿尔拉维补充道:“许多消费者并不完全理解在家中安装这些设备的风险”。
在此之前,情况不太可能改变。许多专家想知道在那之前我们要付出多大的代价。“真是一团糟,”大卫·肯尼迪说,他是一名网络安全专家,为众多制造商设计安全性,并在国会就物联网作证。“一塌糊涂。我们对此非常盲目,没有就其对我们的生活和安全的影响进行过多的安全讨论。”
肯尼迪目前的头衔是TrustedSec公司的首席执行官,多年来他一直侵入自己的设备份额以表明自己的观点,包括智能电视、恒温器、智能冰箱、机器人房屋清洁器和连接到能源网的控制器。但肯尼迪目前最大的担忧是汽车安全领域。
已经有一些警示性的故事了。2015年,菲亚特克莱斯勒公司(Fiat Chrysler)不得不发布影响美国140万辆汽车的安全召回令,以便修补软件漏洞。此前,两名安全研究人员侵入了一辆载有杂志记者的吉普切诺基(Jeep Cherokee)的互联网娱乐系统,控制了汽车,炸毁了收音机和空调,然后在高速公路中间造成交通瘫痪。
肯尼迪说,问题是大多数汽车都有许多不同的技术,其中许多都直接连接到互联网,以便传输预防性维护所需的数据。但是,这些不同物联网设备的制造往往被分包给数十家不同的承包商,这使得在发现新的安全漏洞时很难提供安全更新和补丁。(他指出特斯拉是一个主要的例外,因为他认为,它“首先是软件制造商,其次是汽车制造商”,因此知道如何构建安全系统。)
定期推出预防性安全更新来修补物联网汽车中新发现的漏洞——这是微软视窗和苹果手机等产品的标准做法——的想法是新的,尚未纳入汽车行业。“我不能说我为哪些汽车制造商做过评估工作,但我可以告诉你,我为其中一些制造商工作过,安全实践需要很多工作,”他说。“他们没有把补丁推出汽车,这使得汽车极易受到特定攻击——从偷听你的汽车到把它们开出马路,无所不包。”
在线入侵黑客可以闯入汽车或家中的一个设备,并从那里进入整个网络。许多玩具现在都与互联网相连。
噩梦般的场景是大规模车队接管,一个坏演员在世界各地开不同的车,造成大规模混乱。肯尼迪说:“毫无疑问,这些互联汽车现在肯定有可能做到这一点。”。“有些人会失去生命,最终他们会下意识地修复整个行业。我认为这是改变汽车制造商心态所需要的。”
一些司法管辖区的立法者开始涉足物联网监管的黑暗领域。今年1月,加州将成为第一个实施物联网安全法的州。该法案于2018年通过,截止日期为2020年1月,将要求制造互联设备的公司为其配备“合理的安全功能”,明确要求每台设备都必须有唯一的密码,或者要求用户在首次使用物联网设备之前生成一个密码,目的是修补在Mirai未来组合漏洞和随后的模仿攻击中如此成功利用的漏洞。然而,除此之外,该法律似乎是有意含糊其辞,为未来国家的进一步指导留有余地。
网络安全专家呼吁美国联邦政府介入监管该行业。美国众议院去年3月连续第三次提出一项法案,要求美国商务部国家标准与技术研究所(NIST)为物联网设备制定推荐标准,并指派管理和预算办公室(OMB)向符合NIST要求的机构发布指南。该法律还要求NIST就漏洞披露和物联网网络安全威胁报告提供指导。
物联网网络安全部门的凯特琳娜·梅格斯·NIST项目经理说,两年半前,NIST启动了一个研究这个问题的项目,去年夏天,该项目就任何具备互联网功能的设备都应该提供的一套自愿的最低“基线”安全功能征求公众意见,无论是面向消费者、企业还是联邦机构。
其中,每台设备都必须有一个唯一的号码或标识符,并显示在网络上,这样就可以很容易地快速定位并排除任何问题的根源,这是许多物联网设备目前无法提供的功能。其他功能将通过安全的用户身份验证方法来管理对每个设备的访问;通过加密来保护数据;并提供安全更新和记录网络事件,以便调查人员能够跟踪问题是如何发展的。
很少有专家幻想这些措施会很快解决这个问题。这些标准是自愿的。即使国会颁布法律规定安全标准,一个深刻的安全漏洞仍然存在:用户本身。
“不管你的系统有多强大,它只和你最薄弱的环节一样强大——而最薄弱的环节总是人,”领先的网络安全公司卡萨巴安全公司的联合创始人杰森·格拉斯伯格说。“最大的漏洞、最大的攻击大部分不是因为一些超级重大的技术攻击。那是因为有人被骗放弃了他们的证书。他们被骗点击了一个安装了恶意软件或要求他们提供密码的链接。在物联网世界里,它当然不会改变。
We're Surrounded by Billions of Internet-connected Devices. Can We Trust Them?
In 2009, just as consumers had begun to buy wifi-enabled thermostats and front-door cams and other early devices that now make up the "Internet of Things," computer scientist Ang Cui had gotten the idea to scan the Web for "trivially vulnerable" embedded devices.
By trivial, he meant those devices that still carried the usernames and passcodes programmed into them at the factory—obvious usernames like "name" and passcodes like "1234." Many of these codes were published in manuals available freely on the internet and easily scanned automatically with computer programs, so there was no need even to guess.
When he did his scan, Cui found more than one million vulnerable, publicly accessible devices in 144 countries. From this sample, he estimated that about 13 percent of all devices connected to the internet were essentially unlocked doors, waiting for a hacker to walk through. Even more alarming, four months later 96 percent of those devices had the same security holes.
Cui's warning was no less terrifying for its deadpan delivery: "Widely deployed and often misconfigured, embedded network devices constitute highly attractive targets for exploitation."
In the decade since, the number of vulnerable devices connected to the internet has increased sevenfold. The explosion comes from growing demand, fueled by hype, for smart devices. Manufacturers are now tripping over themselves to embed just about every ordinary object, it seems, with tiny computers that happily communicate wirelessly with the world around them. In this "smart" revolution, virtually any device with an on/off switch or up/down button can be controlled remotely with a cellphone or voice sensor. Do you want to turn up the heat, dim the lights and run the dryer without getting up off the sofa—simply by uttering your desire to an Amazon Echo? Do you want your toaster to send a message to the television when the bagel has popped? Do you want your oven to inform you that the casserole has cooked for the prescribed 20 minutes at 350 degrees and is now cooling in the kitchen at 200? The Internet of Things can make all such things happen.
There's a dark side to this wireless-driven revolution in convenience. The danger goes beyond hacking. Unlike the traditional "Internet of Computers," which is confined to a circumscribed digital "virtual" world, the Internet of Things has a direct connection to the physical one. That opens up a disturbing set of questions: What might happen if the computers inside our new-fangled toaster ovens, security cameras or smart cities were turned against us? Can we really trust the Internet of Things? Most cybersecurity experts are unequivocal in their answer to that last question. "No," says Ben Levine, senior director, product management, cryptography at Rambus, a Sunnyvale-based technology company, specializing in the performance and protection of data. "My short answer, right now, is 'no'."
Unlike the "Internet of Computers," which has been created largely by technicians with a background in information technology or computer science, many manufacturers making the devices now lack the expertise necessary to build airtight systems. Some don't realize the importance of doing so. As a result, the possibilities for mischief seem endless—a fact Cui and other cybersecurity mavens have demonstrated on multiple occasions.
Is your vibrator cheating on you?
Some of the more creative of these exploits in recent months come from the lab of Alvaro Cardenas, who challenged his students at the University of Texas at Dallas last year to crack a wide array of IoT devices. Among other things, they managed to turn on and hijack a drone and demonstrate they could use it to attack an innocent victim, Kamikaze-style, or to stream video and audio of a neighbor. They hacked into a popular children's toy—a small, talking dinosaur networked to the internet so it could receive updates. Then they demonstrated they could take over the toy and use it to insult the child, instigate inappropriate conversations (using the trusted voice of the toy) or tell the child what to do. They showed they could take control of internet-connected cameras to spy on households. They even identified the existence of "sensitive devices"—vibrators—sometimes used by overseas military personnel to have remote virtual relations with their partners. Not only were they able to obtain private usage information, they warned it was possible to impersonate a "trusted partner" and "commit remote sexual assault."
Cardenas reported their findings to device manufacturers and the CERT Coordination Center, a federally funded non-profit R & D group that works with business and government to improve the security of the internet. Then he submitted a paper to IEEE, a professional association for electronic engineering and electrical engineering, which published their findings in a special issue this fall.
"These attacks show how IoT technologies are challenging our cultural assumptions about security and privacy and will hopefully motivate more emphasis on the security and privacy practices of IoT developers and designers," they wrote. (After the paper was published, all the manufacturers responded and attempted to fix the vulnerabilities, except for the drone companies).
Force multiplier
The Mirai attack of 2016 showed how vulnerable the Internet of Things can be to hacking. It started as a Distributed Denial of Service attack on small-time servers used for playing the video game Minecraft.
By the end of 2018, more than 23 billion IoT devices had been installed globally. Many consumers buying these smart devices currently don't bother to hook them up to their WiFi, which means they're essentially offline and out of reach of hackers. But that may change as manufacturers continue to tout the benefits of connectivity. And the number of devices is expected to more than triple, to 75 billion, by 2025.
The sheer number of vulnerable devices gives hackers powerful leverage. The Mirai attack of 2016, which may have been inspired by Cui's original paper, illustrates how dangerous the threat has grown. Paras Jha, a quiet, socially awkward college dropout from New Jersey, ran a lucrative business renting space on his own private computer server to fellow aficionados of the video-game Minecraft, so they could play privately with their friends. It sounds pleasant, but the business is cutthroat. A common tactic of Jha and his rivals was to hack into the home computers of unsuspecting people, hijack them with malware and instruct them to send torrents of unwanted messages and data to the machines of their rivals, overwhelming them and hopefully shutting them down—known as a Distributed Denial of Service Attack (DDoS). Unsuspecting customers, frustrated by the "unreliable" service, were then easy targets for poaching.
In 2016, Jha and two Minecraft friends he'd met online decided to do his rivals one better. They hacked not only desktop computers but also the myriad security cameras, wireless routers, digital video recorders, household appliances and other IoT devices. Like Cui before him, Jha and his friends wrote a program that scanned the internet to locate vulnerable devices. But unlike Cui, they actually planted malware on the machine and took control of them. Leveraged by the proliferation of smart devices, Jha's zombie bot army grew faster than he could have imagined--by the end of the first day, he had appropriated 65,000 devices; by some estimates his zombie army reached 600,000.
The attack, nicknamed "Mirai" ("the future") after a Japanese television series, was so powerful that Jha wasn't content with taking down his small-fry Minecraft rivals. He also trained the new weapon on the huge French telecom provider OVH, which hosted a popular tool that his rivals relied on to defend themselves against his attacks. Eventually, the cops took notice. Jha was fined $8.6 million and 2,500 hours of community service working for the FBI.
Cui, now the 36-year-old founder and CEO of Red Balloon Security, often gives talks at hacker conferences wearing a tee-shirt, a bead necklace, and a man bun and makes a good living advising companies how to protect themselves in a hostile cyber-world. He continues to marvel at how little has been done to patch not just the vulnerability his paper identified but also many others that he believes could arguably cause even more damage. While the security firms serving large well-financed companies like those targeted in the Mirai attacks have come up with new ways to defend client servers against DDoS attacks, many manufacturers of IoT devices are doing little if anything to protect the rest of us from cyber mischief—not just zombie device conscription, but also spying, sabotage and exploits that security experts argue should raise profound privacy and safety concerns.
What accounts for the neglect, Cui believes, is a gold-rush mentality to grab market share in the burgeoning IoT device business. Over the last five years, the hype over IoT has become so hot that many VC-funded startups in the consumer-device field—and even some major manufacturers—are adding internet connectivity, rushing their products to market, and resolving to fix any security flaws later. Some haven't even thought about security at all. "You have to put in the time and resources to care about security," says Cui. "But there's a lot of VC money, and they want to very quickly roll out a thing that has an IoT feature that they think the market might like."
The money is primarily spent to develop new devices. "The problem at the moment is that there's really no incentive for security," Cardenas told Newsweek. "Security usually gets in the back burner of these products." Most consumers aren't aware of the dangers and aren't demanding protection. And the device manufacturers are under no obligation to provide it.
In a lab at the Georgia Institute of Technology, Manos Antonakakis, an associate professor in the school of electrical and computer engineering, and research scientist Omar Alrawi, have also been probing the gaping security vulnerabilities of the emerging IoT. Antonakakis notes that while there's a class of well-known vendors that "at least try to get the security right in some cases," even large manufacturers are under pressure to rush new IoT products onto the current market. "It takes a lot of quality assurance and testing, and penetration analysis and vulnerability analysis to get it right," he says. But the rush to market "comes into violent disagreements with proven security practices."
Many of the largest tech companies have invested heavily in tapping into the market for "smart home" devices, one of the fastest growing areas for IoT devices. Amazon is among those dominating the market for smart hubs, along with Google, which purchased the digital thermostat maker Nest in 2014 for $3.2 billion. Google has since expanded it to become a digital hub that also includes smoke detectors and security systems like smart doorbells and locks. Samsung has the SmartThings hub, which it acquired in 2014 for $200 million, and now connects to air conditioners, washers and TVs. Apple has a home kit which can control any number of devices through voice commands delivered in range of its HomePod.
Dave Limp, of Amazon sdevices and services, introduces the Echo Dot in 2018.
Once these systems are installed, devices from a growing number of companies can be added to the home network, including those made by well-known home appliance manufacturers like GE, Bosch and Honeywell. Belkin makes a line of connected appliances that includes a Crock-Pot WeMo Smart Slow Cooker, smart Mr. Coffee maker and a smart home humidifier. There's a lot of money to be made. All told by the end of 2019, more than $490 billion in profits will have been earned on the nearly 2 billion consumer devices sold over the previous 12 months, according to the property management consulting firm iProperty Management.
To try to draw attention to the dangers—and the things consumers should be asking questions about when buying new IoT products—Antonakakis and Alrawi, in collaboration with researchers at the University of North Carolina at Chapel Hill, have developed a rating system and begun evaluating the security of a wide array of IoT devices. And surprisingly they found gaping vulnerabilities in devices and systems produced by even some of the most tech-savvy companies.
The vulnerability of IoT devices goes well beyond holes in password protection, the vulnerability exposed by the Mirai attack, they argue. IoT devices can also be accessed and taken over directly through the home network they are connected to, and that home network is only as strong as its weakest link. That means that even if each device comes with a unique password and username, it's not necessarily secure. Once hackers find a way onto the home network through one vulnerable device, the path is often wide open to the rest of the network.
To secure an IoT device, they argue, manufacturers need to patch vulnerabilities in four different areas : direct access to the device itself, the mobile app used to run it, the way it communicates with its home network and, in many cases, the cloud-based server that manufacturers use to push out updates, collect user data, or provide new services.
Getting all that right is not easy. For a vendor to secure all four parts, Alrawi notes, it needs a good mobile-app developing team "that knows secure development," a "system team that does very good embedded system development and secure development" and cloud experts who can design a secure cloud "backend" that allows the device to be managed without exposing it to additional risk. Finally, the device manufacturers need somebody who has network knowledge on how to build efficient and secure internet protocols and what protocols to avoid.
"They have to balance all this with usability," he says "So you can see that this is already getting really hard to manage just mentally. When a startup team that comes up with this great idea wants to push a product to market, they're usually a small team that doesn't have all this expertise. But even with big vendors, some of these problems are really hard to pin down and manage."
Indeed, while Antonakakis, Alrawi and their team give relatively high marks for device security to the mainstream products like the Amazon Echo and the Belkin Netcam, they gave them Cs, Ds, and Fs for network security—a measure of how protected these devices are from intruders who manage to access the home wireless network through other vulnerable devices. And while a number of devices associated with Google's Nest smart home products (like thermostats, smoke detectors, smart locks and doorbells) receive As and Bs for device and network security, they got Cs and Ds for mobile and cloud protections—meaning a resourceful hacker intent on say, unlocking the front door, could still access a home.
The cloud category is the most worrisome. Since many of these services are cloud based and connected to central company servers, if a determined, well-financed hacker—say, China, North Korea or Russia—were to use the same kind of sophisticated exploits they have used to bypass security on the traditional internet of computers, there's no telling what they might do.
"You're talking about getting access to potentially millions of people's homes, and when that happens, think about all of the microphones and cameras and actuators that you have around your house, and multiply that out by all the people who use these things," Cui says.
"Many consumers don't fully understand the risks associated with installing some of these devices in their homes," adds Alrawi.
Until they do, the situation is unlikely to change. Many experts wonder how big a price we will have to pay before that happens. "It's a mess," says David Kennedy, a cybersecurity expert who designs security for a wide array of manufacturers and has testified before Congress on the IoT. "An absolute mess. We're going into this very blind, without a lot of security discussions around what the impacts are going to be to our lives and to our safety."
Kennedy, whose current title is CEO of the company TrustedSec, has hacked into his share of devices over the years to make a point, including smart TVs, thermostats, smart fridges, robotic house cleaners and controllers that are connected to the energy grid. But Kennedy's biggest concern at the moment is in the area of automotive safety.
There have already been some cautionary tales. In 2015, Fiat Chrysler had to issue a safety recall affecting 1.4 million vehicles in the United States so it could patch software vulnerabilities, after two security researchers hacked into the internet-connected entertainment system of a Jeep Cherokee carrying a magazine reporter, took control of the vehicle, blasted the radio and AC, then brought traffic to a standstill in the middle of a freeway.
The problem, says Kennedy, is that most cars have scores of different pieces of technology in them, many of which are connected directly to the internet to allow them to transmit data needed for preventive maintenance. But the manufacture of these different IoT devices is often subcontracted out to scores of different contractors, which makes it logistically difficult to provide security updates and patches when new security vulnerabilities are discovered. (He pointed to Tesla as the major exception because, he argues, it is "a software manufacturer first and car manufacturer second," and thus knows how to build secure systems.)
The idea of regularly pushing out preventive security updates to patch newly discovered vulnerabilities in IoT-networked cars—a standard practice for products like Microsoft windows and the Apple iPhone—is new and has not yet been incorporated into the automotive industry. "I can't talk about which car manufacturers I've done assessment work for, but I can tell you that I've worked for a number of them, and security practices need a lot of work," he says. "They're not pushing patches out to the cars, which makes them extremely vulnerable to specific attacks—everything from eavesdropping in your car to driving them off the road."
Online Break-ins Hackers could break into one device on a car or in a home and from there gain access to an entire network. Many toys are now linked to the internet.
The nightmare scenario is a mass fleet takeover, where a bad actor hacks different cars across the world to cause mass mayhem. "That's definitely something that's possible now with these interconnected cars, no question about it," Kennedy says. "Someone will lose their life and then eventually they'll kind of knee jerk into fixing the whole industry. I think that's what it will take to change the mentality of car manufacturers."
Lawmakers in some jurisdictions are beginning to wade into the murky waters of IoT regulation. In January, California will become the first state to implement an IoT security law. The bill, passed in 2018 with a January 2020 deadline, will require companies that make connected devices to equip them with "reasonable security features," explicitly requiring that each device come with either a unique passcode or require the user to generate one before using the IoT device for the first time—taking aim at patching the vulnerability exploited so successfully in the Mirai exploit and the copycat attacks that have followed. Beyond that, however, the law seems to have been written to be purposely vague, allowing room for further state guidance in the future.
Cybersecurity experts have called on the Federal government in the U.S. to step in to regulate the industry. The U.S. House of Representatives last March introduced a bill, for the third session in a row, that would require the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce to develop recommended standards for IoT devices, and would assign the Office of Management and Budget (OMB ) the task of issuing guidance to agencies that aligns with NIST's requirements. The law would also require NIST to offer guidance on vulnerability disclosure and report on IoT cybersecurity threats.
Two and half years ago, NIST started a program to look at the issue and this past summer solicited public comment on a voluntary set of minimum "baseline" security functions that any internet capable device should offer, whether it is intended for consumers, businesses or federal agencies, says Katerina "Kat" Megas NIST program manager, Cybersecurity for Internet of Things.
Among them, every single device must have a unique number or identifier associated with it that shows up on the network, which would make it easy to locate quickly and unplug the source of any problems that arise—a feature that many IoT devices currently do not offer. Other features would manage access to each device through secure methods of user authentication; protect data by encrypting it; and provide secure updates and log cyber-events so investigators can track how problems develop.
Few experts have illusions these measures will solve the problem soon. The standards would be voluntary. And even if Congress were to enact laws mandating security standards, a profound security vulnerability would remain: users themselves.
"No matter how strong your system is, it's only as strong as your weakest link—and the weakest link is always the human," says Jason Glassberg, cofounder of Casaba Security, a leading cybersecurity firm. "The largest breaches, the largest attacks for the most part have not been because of some super significantly technical attack. It's been because someone's been fooled into giving up their credentials. They've been fooled into clicking on a link which installed malware or asked them to provide their password. And it certainly doesn't change in the Internet of Things world.
