The Internet of Things Is Wildly Insecure — And Often Unpatchable

Internet of Things use is expected to expand quickly. But what about its security? I strongly encourage you to read the article The Internet of Things Is Wildly Insecure — And Often Unpatchable by well-known security expert Bruce Schneier. It says that we’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.

The article makes the following points about cheap routers, but I see them applying to many IoT products as well: Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping. The system manufacturers don’t do a lot of engineering, either.

The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. And the software is old, even when the device is new. To make matters worse, it’s often impossible to patch the software or upgrade the components to the latest version. Even when a patch is possible, it’s rarely applied. This is only the beginning. All it will take is some easy-to-use hacker tools for the script kiddies to get into the game.

16 Comments

  1. Robert_key says:

    I totally agree with the points you made. Nice post.

    Reply
  2. supplements that work says:

    Magnificent website. Lots of useful information
    here. I’m sending it to several friends and also sharing in delicious.
    And naturally, thank you on your effort!

    Reply
  3. Tomi Engdahl says:

    Smart TVs, smart fridges, smart washing machines? Disaster waiting to happen
    Op-ed: Hardware companies are generally bad at writing software—and bad at updating it.
    http://arstechnica.com/gadgets/2014/01/smart-tvs-smart-fridges-smart-washing-machines-disaster-waiting-to-happen/

    If you believe what the likes of LG and Samsung have been promoting this week at CES, everything will soon be smart. We’ll be able to send messages to our washing machines, run apps on our fridges, and have TVs as powerful as computers. It may be too late to resist this movement, with smart TVs already firmly entrenched in the mid-to-high end market, but resist it we should. That’s because the “Internet of things” stands a really good chance of turning into the “Internet of unmaintained, insecure, and dangerously hackable things.”

    These devices will inevitably be abandoned by their manufacturers, and the result will be lots of “smart” functionality—fridges that know what we buy and when, TVs that know what shows we watch—all connected to the Internet 24/7, all completely insecure.

    Even if we assume that these devices ship with no known flaws—a questionable assumption in and of itself if SOHO routers are anything to judge by—a few months or years down the line, that will no longer be the case. Flaws and insecurities will be uncovered, and the software components of these smart devices will need to be updated to address those problems. They’ll need these updates for the lifetime of the device, too. Old software is routinely vulnerable to newly discovered flaws, so there’s no point in any reasonable timeframe at which it’s OK to stop updating the software.

    A history of non-existent updates

    Herein lies the problem, because if there’s one thing that companies like Samsung have demonstrated in the past, it’s a total unwillingness to provide a lifetime of software fixes and updates. Even smartphones, which are generally assumed to have a two-year lifecycle (with replacements driven by cheap or “free” contract-subsidized pricing), rarely receive updates for the full two years (Apple’s iPhone being the one notable exception).

    A typical smartphone bought today will remain useful and usable for at least three years, but its system software support will tend to dry up after just 18 months.

    Reply
  4. Tomi Engdahl says:

    Scans Increase for New Linksys Backdoor (32764/TCP)
    https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336

    We do see a lot of probes for port 32764/TCP. According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access.

    TCP/32764 backdoor
    Or how linksys saved Christmas!
    https://github.com/elvanderb/TCP-32764/raw/master/backdoor_description_for_those_who_don-t_like_pptx.pdf

    Unknown service listening on TCP/32764
    • Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any requests.

    Let’s get the firmware!

    So if you need an access to the admin panel….

    some codes and notes about the backdoor listening on TCP-32764 in linksys WAG200G.
    https://github.com/elvanderb/TCP-32764

    According to https://www.cert.fi/tietoturvanyt/2014/01/ttn201401031811.html the vulnerability can be found in the following devices:
    Linksys: WAG54G2, WAG120N, WAG160N, WAG200G, WAG320N
    Netgear: DM111Pv2, DGN1000 N150, DGN2000B, DGN3500, DG834G v2, DG834 v3.
    The service is open to the LAN side, and on some devices also to the WAN side.
    There is a tool available that allows controlling the device, for example changing the password and resetting the device to factory settings.

    Reply
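
A check an administrator can run against their own router for the listener described in the comment above, as an added example that is not part of the original post or of the linked repository: it connects to TCP/32764, sends two harmless bytes and compares what comes back with the 12-byte reply quoted above. The function names, the verdict values and the timeout are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Reply quoted on the page for the service on TCP/32764. */
static const unsigned char BACKDOOR_REPLY[12] =
    { 'S', 'c', 'M', 'M', 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0 };

/* Verdict names are this example's own, not taken from any tool. */
enum verdict { BAD_ADDRESS, PORT_CLOSED, NO_REPLY, OTHER_SERVICE, BACKDOOR_SIGNATURE };

/* Classify the bytes read back; a partial match is not reported as the signature. */
enum verdict classify_reply(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return NO_REPLY;
    if (len >= sizeof BACKDOOR_REPLY &&
        memcmp(buf, BACKDOOR_REPLY, sizeof BACKDOOR_REPLY) == 0)
        return BACKDOOR_SIGNATURE;
    return OTHER_SERVICE;
}

/* Connect to the device, send two harmless bytes, read the reply with a timeout. */
enum verdict audit_device(const char *ipv4, unsigned short port, int timeout_s)
{
    struct sockaddr_in sa;
    struct timeval tv = { timeout_s, 0 };
    unsigned char buf[64];
    size_t got = 0;
    int fd;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1)
        return BAD_ADDRESS;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return PORT_CLOSED;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return PORT_CLOSED; /* refused, filtered or unreachable */
    }
    if (send(fd, "\r\n", 2, 0) == 2) {
        while (got < sizeof BACKDOOR_REPLY) {
            ssize_t n = recv(fd, buf + got, sizeof buf - got, 0);
            if (n <= 0)
                break; /* timeout, reset or end of stream */
            got += (size_t)n;
        }
    }
    close(fd);
    return classify_reply(buf, got);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "bad address", "port closed", "no reply",
                                   "other service", "BACKDOOR SIGNATURE" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s <ipv4-of-your-own-device>\n", argv[0]);
        return 2;
    }
    printf("%s: %s\n", argv[1], names[audit_device(argv[1], 32764, 3)]);
    return 0;
}
```

Since the comment notes that some devices expose the service on the WAN side too, a "port closed" result from inside the LAN does not cover the external interface; that has to be checked from outside the network as well.
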
  5. Tomi Engdahl says:

    When Google closes the Nest deal, privacy issues for the internet of things will hit the big time
    http://gigaom.com/2014/01/13/when-google-closes-the-nest-deal-privacy-issues-for-the-internet-of-things-will-hit-the-big-time/

    Summary:
    Google intends to buy a connected thermostat that knows when you’re home and where you are within it. Given Google’s quest to index all the world’s information, this deal should jumpstart the conversation about privacy and the internet of things.

    Google rocked the smart home market Monday with its intention to purchase connected home thermostat maker Nest for $3.2 billion, which will force a much-needed conversation about data privacy and security for the internet of things.

    It’s a conversation that has seemingly stalled as advocates for the connected home expound upon the benefits in convenience, energy efficiency and even the health of people who are collecting and connecting their data and devices together through a variety of gadgets and services. On the other side are hackers and security researchers who warn how easy some of the devices are to exploit — gaining control of data or even video streams about what’s going on in the home.

    But when a company like Google — which has had numerous run-ins over privacy in the U.S. and abroad — plans to buy a company that makes products equipped with motion detectors that track what’s happening inside the home, it’s time that conversation about privacy and the internet of things takes a step forward.

    More information:
    http://gigaom.com/2014/01/13/when-google-closes-the-nest-deal-privacy-issues-for-the-internet-of-things-will-hit-the-big-time/
    http://gigaom.com/2014/01/13/the-winners-and-losers-in-googles-acquisition-of-nest/
    http://investor.google.com/releases/2014/0113.html
    http://gigaom.com/2014/01/13/breaking-google-acquires-digital-device-maker-nest-for-3-2b/
    http://tech.slashdot.org/story/14/01/13/2256228/google-buys-home-automation-company-nest
    http://www.theregister.co.uk/2014/01/13/google_buys_smart_home_device_builder_nest_for_32_beeelion_in_cash/
    http://www.tietokone.fi/artikkeli/uutiset/googlen_suuri_yritysosto_nest_kalliimpi_kuin_youtube
    http://www.tietoviikko.fi/kaikki_uutiset/google+alkaa+nuuskia+koteja+uusilla+vempeleillaan/a959351
    http://techcrunch.com/2014/01/13/nest-says-customer-data-from-devices-will-only-be-used-for-nest-products-and-services/
    https://nest.com/blog/2014/01/13/welcome-home/
    http://recode.net/2014/01/13/google-acquires-nest-for-3-2b/
    http://daringfireball.net/2014/01/googles_acquisition_of_nest
    http://www.wired.com/business/2014/01/google-nest-buy/
    http://www.theinquirer.net/inquirer/news/2322719/google-spends-usd32bn-feathering-its-nest
    http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=833:google-panostaa-kotiautomaatioon&catid=13&Itemid=101
    http://techcrunch.com/2014/01/13/nest-investors-strike-it-rich/?source=gravity
    http://www.mercurynews.com/business/ci_24834727/palo-altos-nest-labs-reportedly-raising-at-least

    Reply
  6. Tomi Engdahl says:

    Proofpoint reveals ‘Internet of things’ cyberattack
    http://www.technologytell.com/hometech/103593/proofpoint-reveals-iot-cyberattack/

    Today Proofpoint, a security service provider, put out a press release that reveals a cyberattack coming from smart appliances–the first such documented Internet of Things (IoT) attack. More than 750,000 malicious emails were sent from 100,000+ compromised connected home appliances and gadgets, including routers, TVs, and a connected fridge. Considering that the market is flooded with such devices, it brings up some important security questions. Questions that the homeowner may not think to ask.

    Apparently, the attack was pretty easy to execute, with the hackers using default passwords that left the devices completely exposed. Unlike computers that either have built-in protection, like Macs, or protective software, the study exposed the great vulnerability that IoT devices have, with “virtually no way to detect or fix infections when they do occur.”

    Everything–from smart thermostats to security cameras to microwaves to smart TVs–is at risk. This is a huge blow to major manufacturers like Samsung, Bosch, LG, and others, who just launched major connected appliances for 2014.

    Reply
  7. Tomi Engdahl says:

    The IoT Impacts Manufacturing, Too
    http://www.designnews.com/author.asp?section_id=1365&doc_id=271065&

    There’s been a lot of discussion recently around the changing face of manufacturing, the forces causing that shift, and how those forces are leading to a world that’s smart and connected — what some refer to as the Internet of Things (IoT). As defined by McKinsey & Company, the “IoT is embedding sensors and actuators in machines and other physical objects to bring them into the connected world.”

    There are many ways that end-users and manufacturers alike can benefit from such a world. For example, the IoT lets businesses manage assets, optimize performance of those assets, and even create new business models from those same assets. But perhaps what’s most remarkable about this pervasive network of “things” is how much potential economic impact it carries.

    A recent McKinsey Global Institute report, “Disruptive technologies: Advances that will transform life, business, and the global economy,” estimates that by 2025, the economic impact of the IoT could be as much as $5 trillion to $7 trillion. A similar Gartner report is a bit more conservative, but still estimates a whopping $1.9 trillion worldwide economic value impact from the IoT by 2020.

    So where does that economic value come from? Certainly there are the cool IoT consumer use cases that everyone is familiar with.

    Industry experts agree that one industry sector poised to see great IoT impact is manufacturing. The first point of economic impact is in how products are manufactured. The “Industrial Internet” rapidly increases the complexity of creating ever smarter, connected products. By closing the loop between early-stage engineering design activities, production processes on the plant floor, and the service organization, manufacturers can reduce errors, increase flexibility in how they manage late-stage engineering changes, reduce work-in-process, and, ultimately, accelerate new product introductions with products they’ll hope can be financially successful.

    When you take it one step further though, that’s when things really start to get interesting. When you manufacture that smart, connected product, it can then give you back real-time data to help maintain and service it at optimal levels. Being able to maintain a product after the point of sale gives manufacturers a “digital umbilical cord,” which allows for remote visibility, where they can interact with products whenever and wherever.

    Imagine if your washing machine itself were the diagnostician, as opposed to having to schedule a service man to come to your house to determine the problem — and then hoping that he has the right part in his truck

    Today, all signs point to the value of the IoT. It’s here, it’s not going anywhere, and it has the potential for a multitrillion-dollar worldwide economic impact by giving manufacturers an opportunity to engage customers beyond the purchase, using service-based contracts to create a partnership built around product performance.

    Reply
  9. Tomi Engdahl says:

    Fridge sends spam emails as attack hits smart gadgets
    http://www.bbc.co.uk/news/technology-25780908

    A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets.

    The fridge was one of more than 100,000 devices used to take part in the spam campaign.

    Uncovered by security firm Proofpoint the attack compromised computers, home routers, media PCs and smart TV sets.

    The attack is believed to be one of the first to exploit the lax security on devices that are part of the “internet of things”.

    About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said.

    Instead, the malware managed to get itself installed on other smart devices such as kitchen appliances, the home media systems on which people store copied DVDs and web-connected televisions.

    Many of these gadgets have computer processors onboard and act as a self-contained web server to handle communication and other sophisticated functions.

    Mr Knight speculated that the malware that allowed spam to be sent from these devices was able to install itself because many of the gadgets were poorly configured or used default passwords that left them exposed.

    Reply
  10. Tomi Engdahl says:

    As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.

    The internet of things, smart home monitoring, and thermostats you can adjust from the web … all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.

    I view the whole thing as a big “what did you expect?”.

    Source:
    http://it.slashdot.org/story/14/02/18/1756251/oops-security-holes-in-belkin-home-automation-gear

    Reply
  11. Tomi Engdahl says:

    Belkin patches WeMo bug
    Fixes available on AppStore, Google Play
    http://www.theregister.co.uk/2014/02/20/belkin_on_wemo_bug_get_the_patch/

    Belkin has published fixes for the flaws discovered by IOActive in its WeMo Home Automation system, and is urging users to download updated versions of its control apps from either the AppStore or Google Play.

    As discussed by The Register yesterday, the bugs opened a wide range of holes in the kit, including opportunities to spread malicious firmware and gain unauthorised access to the home automation products.

    Reply
  12. Tomi Engdahl says:

    Join the Challenge: Secure the Internet of Things
    http://blogs.cisco.com/security/join-the-challenge-secure-the-internet-of-things/

    We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live. This technology transformation is what we call the Internet of Things (IoT) – and it is evolving daily.

    With this in mind, Cisco is launching the Internet of Things Security Grand Challenge. We’re inviting you — the global security community — to propose practical security solutions across the markets being impacted daily by the IoT.

    the Challenge offers up to US$300,000 in prize money

    Reply
  13. Tomi Engdahl says:

    Cisco kicks off $300k Internet of Things security competition
    Borg wants an Internet of secure things and wants you to do the heavy thinking
    http://www.theregister.co.uk/2014/03/03/cisco_kicks_off_iot_security_comp/

    Anyone who watches the procession of SCADA vulnerabilities, the exposures discoverable through the Shodan search engine, or the recent bugs popping up in cars, routers, home automation and (maybe) smart appliances knows that the Internet of Things is a security minefield.

    participants have until June 17 2014 to put forward proposals for dealing with Internet of Things security

    Reply
  14. Tomi Engdahl says:

    Security for the ‘Internet of Things’ (Video)
    http://it.slashdot.org/story/14/03/26/1939203/security-for-the-internet-of-things-video

    What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you’re on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. – and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good.

    Reply
  15. Tomi Engdahl says:

    Hacking the D-Link DSP-W215 Smart Plug
    http://hackaday.com/2014/05/17/hacking-the-d-link-dsp-w215-smart-plug/

    The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.

    The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighttpd server.

    Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied into a fixed-length buffer without any performed checks.

    Reply
  16. Tomi Engdahl says:

    Hacking the D-Link DSP-W215 Smart Plug
    http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/

    The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site.

    the DSP-W215 contains an unauthenticated stack overflow that can be exploited to take complete control of the device, and anything connected to its AC outlet.

    Being a SOAP-based protocol, HNAP is served up by a lighttpd server running on the smart plug,

    Controlling a wall outlet can have more serious implications however

    So, if you’ve left a space heater plugged in to the outlet and some nefarious person surreptitiously turns the outlet back on, you’re in for a bad day.

    Incidentally, D-Link’s DIR-505L travel router is also affected by this bug

    Reply
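
The flaw quoted in the two comments above (POST request bytes copied into a fixed-length buffer with no check) shown beside a bounded version, as an added example that is not D-Link's firmware code and not code from the linked write-ups. The function names, the 512-byte buffer size and the in-memory `struct request` stand-in are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_BUF_SIZE 512 /* assumed; the page does not give the real size */

/* Constructed stand-in for a POST request as a CGI handler would see it. */
struct request {
    const char *content_length; /* raw Content-Length header value */
    const char *body;           /* bytes following the headers */
    size_t body_avail;          /* body bytes that actually arrived */
};

/* The flawed pattern: the sender-supplied length drives the copy and is never
 * compared with the buffer size. Kept for contrast only; it is never called. */
size_t handle_post_unchecked(const struct request *req)
{
    char buf[BODY_BUF_SIZE];
    size_t n = (size_t)atoi(req->content_length);
    memcpy(buf, req->body, n); /* writes past buf when n > BODY_BUF_SIZE */
    return n;
}

enum post_status { POST_OK, POST_BAD_LENGTH, POST_TOO_LARGE, POST_SHORT_BODY };

/* Bounded version: strict parse, reject before copying, keep room for NUL. */
enum post_status handle_post_checked(const struct request *req, char *out,
                                     size_t out_size, size_t *out_len)
{
    char *end = NULL;
    unsigned long n;

    if (!req->content_length || !isdigit((unsigned char)req->content_length[0]))
        return POST_BAD_LENGTH; /* strtoul alone would accept "-1" and " 7" */
    errno = 0;
    n = strtoul(req->content_length, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return POST_BAD_LENGTH;
    if (out_size == 0 || n > out_size - 1)
        return POST_TOO_LARGE;  /* a server would answer 413 here */
    if (n > req->body_avail)
        return POST_SHORT_BODY; /* header claims more than was sent */
    memcpy(out, req->body, n);
    out[n] = '\0';
    *out_len = n;
    return POST_OK;
}

int main(void)
{
    static char flood[4096]; /* constructed oversized body */
    char out[BODY_BUF_SIZE];
    size_t len = 0;
    struct request big = { "4096", flood, sizeof flood };
    struct request ok = { "5", "hello", 5 };
    enum post_status st;

    memset(flood, 'A', sizeof flood);
    st = handle_post_checked(&big, out, sizeof out, &len);
    printf("oversized request: status %d\n", (int)st);
    st = handle_post_checked(&ok, out, sizeof out, &len);
    printf("normal request:    status %d, %zu bytes\n", (int)st, len);
    return 0;
}
```
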
