IOT Gone Wrong
Written by Benjamin Friedman, October 28th, 2016
IOT devices are everywhere, from DVRs to remote cameras to doggy treat dispensers. It's hard to buy something that isn't IOT enabled nowadays. However, for all the good they have done, there are significant concerns with the plethora of IOT devices online. Before you go buy that new camera or treat dispenser, we'd like to give you a quick overview of what you should be looking for and how you can protect yourself.
For starters, IOT (Internet of Things) enabled devices are, at their core, networkable devices. They can connect to your WiFi the same as your computer or phone can. In this regard, they are just as capable as your phone or computer. Many of these devices may not seem that complex, but most come complete with their own operating system and can be leveraged like any computer. This means convenience for both developers and users, as IOT devices are highly compatible with each other and with just about any other networkable device. This convenience, to no surprise, also comes at great risk when exposed to the internet.
Image credit: Lazur URH @ openclipart
Similar to hacking your computer (or your phone), compromising an IOT device can be easier than it should be. Case in point: Mirai recently came into the public eye as a botnet primarily composed of IOT enabled devices. If that isn't concerning enough, the method by which it infected these devices should be: default usernames and passwords. That's right, some of the devices you may have bought, that you connected to your network, and that may even open additional ports to allow traffic into your network, have publicly known usernames and passwords.
In terms of security, this is staggering. The entire concept of securing a system is rendered, well, meaningless when the very keys to the system are well known. Looking through Mirai's source code, I have verified this personally, and as simplistic as the root of the problem may be, it's deeply troubling. Do the vendors who provide these devices to us knowingly leave these issues unfixed when shipping them out, simply citing cost benefits? Were they even aware of the problem to begin with? There are far too many questions and not enough answers as to why this ever happened in the first place. Quite frankly, and I believe most others will share this opinion, there's just no excuse for this kind of issue.
Distributing systems into the homes of others should be done with the utmost care. It is my hope that, with these recent discoveries, increased regulation will come into play. It would be far safer to ensure a minimum standard to which these devices must adhere. Simply ignoring the issue doesn't help anyone. A compromised device on your network isn't just something that can be used as a cyber weapon, such as in the recent DDOS against Dyn; it can also be used to further infiltrate your home or work network. Having a dirty device on your network is akin to having a mole in your organization, someone close to you who could potentially manipulate others or steal information (credit cards, anyone?).
Although there are more than a fair share of concerns to address, there is only so much that can be done. With that said, what can be done? With regard to Mirai specifically, the publicly released source code spreads over Telnet (port 23). Individual hackers could easily alter this to target another service or port, but the point with Telnet is that it's the access point for most unsecured IOT devices. One of the easiest ways to mitigate an attempt to access this port is to ensure it cannot be reached remotely. If you have a firewall on your network, you should ensure port 23 is closed or is not being forwarded to your device (unless you have a specific reason to do so and know and are willing to accept the implications). Forwarding, or port forwarding, is the process of mapping a port on one device to a port on another (a form of NAT). This basically forwards traffic from your router to your device and back; think of it like a relay. Disabling port forwarding altogether will nullify this process, and may prevent unwanted intrusions.
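An added example (not from the original article or from Mirai's code): a small Python check you can run from inside your own network to see which of your devices listen on Telnet port 23, since those are the ones that must never be port-forwarded. The script name `telnet_audit.py` and the function names are assumptions; the addresses you pass are those of your own devices.

```python
import socket
import sys

TELNET_PORT = 23   # the port the article names for Mirai's released code
IAC = 0xFF         # Telnet "Interpret As Command" byte (RFC 854)


def probe(host, port=TELNET_PORT, timeout=2.0):
    """Classify host:port as 'closed', 'telnet' or 'open-other'.

    'closed' also covers filtered or unreachable ports (no TCP connection).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            first = sock.recv(16)   # Telnet servers usually open with IAC negotiation
        except OSError:
            first = b""             # silent or reset service: open, but not identified
    return "telnet" if first[:1] == bytes([IAC]) else "open-other"


def audit(hosts, port=TELNET_PORT, timeout=2.0):
    """Probe each of your own devices and return {host: status}."""
    return {host: probe(host, port, timeout) for host in hosts}


def needs_attention(results):
    """Hosts whose port answered at all; these must never be forwarded."""
    return sorted(h for h, status in results.items() if status != "closed")


if __name__ == "__main__":
    # Usage (hypothetical script name): python telnet_audit.py <device-ip> [...]
    if len(sys.argv) < 2:
        sys.exit("usage: telnet_audit.py <device-ip> [<device-ip> ...]")
    results = audit(sys.argv[1:])
    for host, status in results.items():
        print(f"{host}:{TELNET_PORT} {status}")
    flagged = needs_attention(results)
    if flagged:
        print("Listening on port 23 (check router port forwards):", ", ".join(flagged))
```

A "telnet" or "open-other" result from inside the LAN only shows the device is listening; whether it is reachable from the internet depends on your router's firewall and port-forwarding rules.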
Additionally, UPnP, or Universal Plug and Play, is another issue you can address to help tighten up your network. Disabling it can prevent devices on your network from discovering other devices and establishing connections arbitrarily. Having it enabled doesn't necessarily put you at risk, but it could be exploited by something as simple as this on GitHub.
Ultimately, you should seriously vet a device before purchasing it. If possible, look up reviews that mention known or perceived issues with a device. When people continually mention concern over a glaring issue, it's best to avoid purchasing it altogether.
With all this in mind, we still believe IOT devices are fantastic when properly put together. Upon purchasing your own IOT device, we encourage you to investigate! Learn what you can about it and know how to protect your purchase, not only for yourself but for the sake of others.
Questions? Corrections? Concerns? Contact us at firstname.lastname@example.org