Extinguishing the IoT Insecurity Dumpster Fire

Will connected devices be insecure forever? Or will legislation – such as the recent UK mandate announced this week – help boost IoT security?

It’s no secret IoT security has been a dumpster fire.

Last week, it was reported that two million IP security cameras, baby monitors and smart doorbells have serious IoT flaws with no known patches. That report, of course, joins a long list of IoT nightmares reported over the past five years and more.

What is the future of IoT security? Will consumers continue to face insecure technology, disturbing privacy concerns and DDoS attacks? Or will the efforts of consortiums, legislation and industry pressure help set connected device security straight?

The news is not all bad. The U.K. government just announced a new mandate with promising new requirements for IoT manufacturers. Those include improvements around unique device passwords and policies around security updates.

Threatpost sits down with Jason Soroko, chief technology officer of IoT at Sectigo, to discuss IoT security.

Below is a lightly edited transcription of the podcast.

Lindsey O’Donnell: Welcome to the Threatpost podcast. This is Lindsey O’Donnell with Threatpost here and I’m joined today by Jason Soroko with Sectigo, the chief technology officer of IoT. Hi, Jason, how are you doing today?

Jason Soroko: I’m doing really good, Lindsey. Thanks.

LO: Great. That’s always good to hear. We have an exciting podcast in the works today for all of our IoT security enthusiasts. We’re going to be talking about a recent P2P vulnerability discovered as well as the top threats facing connected devices and a new effort at regulating IoT security in the UK. But just to start, Jason, could you give us some background on yourself and kind of your familiarity and experience with IoT?

JS: Yeah, absolutely. I’m currently the CTO of IoT for six years ago. I’ve been around the PKI [public key infrastructure] industry for about two decades now. I previously worked on strong authentication systems, especially those that involve mobile devices. And I’ve been researching security around operational systems since about 2010, which is probably before the term IoT even existed. And I was part of an innovation team that specifically studied IoT and was looking at the business models behind IoT security since about 2014. So I’ve been around a little bit, looking at this specific space.

LO: That’s really interesting that you’ve been there and kind of seen this all play out for all those years because I do feel as though the term IoT has only recently come about. Connected systems have been around for a while and all the security issues that go along with that. Have you seen any sort of transformation over the time you’ve been working with IoT devices and the security there?

JS: Yeah, I think one of the important things that we’re seeing is people wanting to revert back to older terminology, which is not surprising. A lot of terminology such as industrial Internet of Things, that was perhaps created by consortiums or marketing type of folks. That seems to have fallen flat on people who actually work in operational systems, who prefer what they consider to be real terminology such as SCADA, or you know, just simply industrial control systems from a generic sense.

So, I think what you’re finding is that the real problem exists in verticals such as in the industrial space or automotive or healthcare, smart cities; those folks all have their own real needs and tough problems that they’re trying to solve. They’re more worried about uptime and reliability and safety than, say, the enterprise IT business was for a long time. So I think that those industries forcing the security industry to speak their own language is one of the big trends that I’m seeing right now.

LO: Yeah, that’s really interesting. And it also kind of goes to show how many different types of connected devices there are right now. I mean, obviously, we have this whole burst of consumer IoT. And then as you mentioned, there’s industrial IoT, which has those high type of risk if there is some sort of security issue there. So there really are all these different types of devices and along with those, different types of security implications.

JS: Right, exactly. Yeah. So there’s been a lot in the news recently, though, Lindsey, [like] your article recently about those 2 million devices with the plug and play technologies.

LO: Yeah, just last week, for listeners who are just joining, there was some research that was released that found vulnerabilities in 2 million IoT devices. So that included IP cameras, baby monitors, smart doorbells. And the research found that there were flaws in these devices that could enable an attacker to hijack them and essentially spy on their owners. And there’s currently no known patch for this. There were a couple of things that really stuck out to me regarding this incident in terms of the disclosure and whatnot. But one thing that was interesting was that instead of kind of the more typical and, maybe, I don’t know, mundane issues we’re seeing with IoT devices like default passwords, etc., this specific attack stemmed from peer-to-peer communication technology in all the IoT devices that were part of the research. So I mean, Jason, I’m curious what you’re seeing, from your perspective, when it comes to P2P and what you’re seeing there in terms of IoT devices and how this tech is used and how widely adopted it is.

JS: Yeah there’s actually quite a lot to talk about here. Because this is a really good standard case for why we’re starting to see legislation, why we’re starting to see, you know, some sort of movement away from static credentials, or sometimes even no security whatsoever, which is the case in this particular plug and play technology or peer to peer technology. It wasn’t that long ago that we also heard about flaws within universal plug and play. I think one of the things we should mention here, first of all, is we’ve seen a lot of these types of issues before. This just happens to be the latest big one.

The difference between this one and some of the previous ones was this was actually discovered by a white hat vulnerability researcher. Some of the previous large issues, were found – so the botnets were essentially found, or the botnets that actually started to do things such as denial of service attack against Dyn, and some of the other internet properties that are out there. So this one was actually found by a researcher before it got turned into a large botnet, which is probably a positive thing.

The three aspects to this particular attack that you had written the article about were: not only did the devices not have any form of authentication whatsoever, but probably more disturbingly, there was also absolutely no encrypted communication session. So even if there was some username or password or symmetric token-type technology being used as an authentication mechanism, that information would have been sent in the clear anyway. I know that the articles that have been written on this thing have really sort of honed in on the fact that the devices were enumeratable, but that’s not rare. I mean, your devices are enumeratable on your router when you connect to your home network. That’s not a vulnerability. The fact that the devices have no authentication and no means to actually encrypt their communication at all – that’s the real problem. I think the enumeration topic becomes interesting only because you’re making life extremely easy for the bad guy who’s going to turn these devices into a botnet. That’s about all.

LO: Yeah, no, I definitely agree. Just for context here, there were two vulnerabilities that were found. One was, as you mentioned, the enumeration vulnerability, which allowed attackers to discover these devices. The second was the authentication one you were mentioning, which, you know, obviously is more significant as it allows these remote attackers to intercept user-to-device traffic in cleartext, so that would mean they can view video streams, device credentials or whatnot. So it really does make you scratch your head and think it’s just too easy with some of these flaws that are inherent within these devices already. On your end, how does this incident kind of compare with some of the other main issues that you’re currently seeing every day when it comes to IoT devices? How difficult would it be to kind of fix these types of issues on the manufacturers’ end, and in this case, the developer of the P2P solution?

JS: Sure. Let’s talk about the bright light for a moment. Some of the ways that this is being solved en masse, especially for consumer-level devices, are at the consortium level. So a lot of the large manufacturers that are out there come together and they agree upon security technologies that are going to be implemented in their devices. The main reason these companies come together in consortium is for the purposes of interoperability, and secure interoperability at that. What’s really great is that typically at the heart of the standards being developed by these consortium groups is public key infrastructure (PKI), which basically means rather than using static credentials, such as a username or password, or a symmetric token, which is just a password by some other name, using actual X.509 certificates on a device, to be able to do things such as strong mutual authentication and TLS-encrypted communication sessions. Those are the kinds of things that are really a bright light throughout all risk levels of IoT technology, whether it’s consumer all the way up to, you know, the critical infrastructure type controllers that we hear about sometimes. I think where we’re still seeing the positivity is at the consortium level currently.

LO: So how widely adopted right now are PKI types of solutions in the IoT industry? I mean, clearly there’s all these insecure devices at this point. Is there something that is stopping manufacturers from adopting solutions like this?

JS: I think one of the things that we’re seeing is that definitely in consumer, there’s a price sensitivity to them. If you start telling them about one penny per device as a cost, they typically, you know, might balk at that. However, that is changing with the advent of some of the consortiums in the larger companies that are out there that are getting together and making the switch towards PKI-based technology to secure their consumer-based IoT devices. I would say that the automotive industry is leading the way; there are several standards such as TPM automotive thin wave, which IEEE 1609.2, even things like the electric car charging points which is ISO 15118, 15119; those are all PKI-based initiatives now that we’re starting to see in operational systems, automotive industrial control systems, and now being pushed as well inside of standards such as those that are being created by consortiums such as the Open Connectivity Foundation, or OCF.

We’re starting to see PKI in a lot of places, which is a really positive sign.

LO: Yeah, I’m curious too when it comes to consumer devices. I mean, if you have the automotive industry and other industries looking at solutions, such as that one, do you think that the consumer market will follow in terms of IoT or do you think that will come from more of a push from consumers or an industry wide push or regulation? What do you think will happen there?

JS: Yeah, it’s such a good question. I think that what you’re starting to see in legislation, which might be pushing the way – the cost sensitivity and the economic impact of legislation is something that I think a lot of governments are very sensitive to. We saw the California legislation, which was a direct response to the Mirai botnet. Basically, the idea that vendors who wanted to sell IoT devices into that state government had to have some means to be able to change a default username and password from the factory, which was a first step. I think the US federal legislation right now on IoT doesn’t specify too much at this point, except that there will be pillars of security that will be needing to be enforced that will be defined by NIST. One of those pillars is, of course, identity-based security, which is just a wink and a nod to say, listen, you should think about PKI. And now, of course, we’re seeing, I think, just very recently, UK legislation, which is maybe just one step above the California legislation, and again, I believe is a reaction to the Mirai botnet.

That one is a bit wider in terms of its scope and saying any kind of device sold into the UK at all, needs to be able to have a changed username and password. I think that governments are stopping short of being very prescriptive in what they’re actually trying to legislate because they are afraid of economic impact. But I think that that’ll be a first step towards making IoT device vendors have to think about putting some kind of security technology into their devices, instead of it just being completely wide open, such as that peer to peer technology that we just saw.

I think a combination of lightly prescriptive legislation as well as what we’re seeing in the consortiums will probably bring us a lot further than we are today.

LO: Right. And it’s interesting that you mentioned the US IoT bill, because I remember when I wrote about that in September, it kind of got mixed reviews. I think people were saying, like you said, this is a great first step, but we need to go further. Whereas this more recent UK mandate that was announced this week seems to focus on multiple aspects, not just the unique password aspect of it, but then also that manufacturers need to state a minimum length of time for when devices will receive security updates through their end-of-life policy, and some other aspects. I do think that it’s good to touch on. But there are a bunch of different kinds of issues when it comes to security updates and some other aspects of it; there’s a bunch of hoops that manufacturers would need to jump through. So I think there’s a lot of different levels to it.

JS: I specifically about that minimum length of time for which the device will receive security updates part of the legislation. Keep in mind, right, the legislation doesn’t go as far as to say it requires a capacity to do a security update. It merely suggests that if there’s no capability whatsoever, that needs to be stated, and the suggestion is that that perhaps is on a label.

So the legislation really doesn’t go super far in terms of forcing IoT devices to actually have security; it’s more about just admitting you don’t have any.

LO: Right. Yeah, exactly. Which can go a long way.

JS: Yeah.

LO: And I’m curious too, I mean, looking, maybe not one year, but five years ahead. Do you think that these are going to be viable solutions for IoT security when it comes to putting the pressure on manufacturers? Do you think that we’ll see IoT devices get more secure? Do you think that’s, at this point, impossible to say?

JS: I’m really hoping it doesn’t take too many more dozen articles by journalists such as yourself, of multi-million device hacks, you know, that we see almost all the time, before device vendors start to feel the pressure of, you know, we have to do this correctly. And the way to do this correctly is really to not think about – username and password is already an obsolete technology in enterprise; it’s beyond obsolete when we think about IoT devices. It just happens to be, you know, cheapest chips and therefore easy to implement.

I think that, you know, spending that half penny on device certificates, so that we can start doing real actual, you know, mutual authentication and TLS-encrypted sessions, those kinds of things. I think within five years, I’ll be hopeful and say that I think within five years we will see that in most operational systems that have any kind of risk level whatsoever. Will we see it all the way down to, you know, connected teddy bears and connected fridges and stoves and things like that? I think the answer to that is yes. If you look at what the consortiums are doing, which are doing things such as fridges and stoves and toasters, I think down to the children’s toys that may be connected, I don’t know. I think there will always be some level of device where there’s a public connection to the internet that is unsecured. But hopefully that’ll come down to devices that have the least amount of risk possible.

LO: Hopefully it won’t come to another, you know, 2016 Mirai type of incident for things to go back on course when it gets to security, but for the time being, I definitely won’t be buying any connected teddy bear.

JS: Right on.

LO: Well, Jason, thanks so much for joining us today on the Threatpost podcast.

JS: Yeah, it was a great time. Thank you so much for having me on.
