This posting is a follow-up to the recent release of our report titled “The State of IoT Security,” which can be found here: stateofiotsecurity.com. The public response to this report has been humbling and exciting; we have definitely hit on an issue about which many of you care. However, we have also received responses that did not surprise me, but have nonetheless made me think about the role of the security community in solving this problem.
As a security expert, I understand the fatigue associated with discussions on the security of IoT devices; frankly, I have felt the same way. However, after observing our customers being hit relentlessly by botnets of IoT devices, our team decided to look into this matter ourselves. This study changed the way I think about IoT security, and I hope you will take a few more minutes to read why. I will start with my argument and three key points, then follow up with a few more details about our study.
IoT security is not merely a security issue; it is simultaneously a public safety and a national security issue. The security community must make solving these issues a priority.
- At a macro level, IoT security is one of the most critical challenges of our time. The security, or lack thereof, of any individual device has no impact, just like a single drop of water. However, the macro effect of an infinite number of water drops has shaped the face of the earth by creating mountains, valleys, and oceans. Similarly, at scale, the security of the larger IoT ecosystem will have profound impacts on national and economic security for every country. It is these types of complex, macro-level security problems which are the hardest. As a security community, we cannot afford to give up.
- The operation and maintenance of the largest sensor grid in the world comes with extraordinary capabilities and responsibilities; we are not paying attention. The sensor grid associated with the rapidly growing consumer IoT infrastructure can collect audio, video, motion, energy consumption, location data, and much, much more. Whoever operates this grid has access to an extraordinary volume of high-quality data and control over each and every device. We are concerned as a nation about China running our telecommunications infrastructure, but we are not concerned about Chinese companies running consumer IoT infrastructure? I would argue that the consumer IoT infrastructure will be, if it is not already, more valuable than any other infrastructure. We must realize the value that this infrastructure has from a strategic perspective and prioritize our actions accordingly.
- Nobody is accepting responsibility for IoT security. We have proven that neither manufacturers nor retailers are accepting the responsibility to develop and sell safe, secure consumer IoT devices. Nor is the government taking responsibility for oversight. The security community as a whole has just given up. In the soft gooey center of this lack of accountability, consumers are deploying billions of new devices every year. As a security community, it is our job to push responsibility and accountability for security, and we are failing. As a starting point, I suggest that retailers must take ownership of IoT security before government mandates action.
About Our Study
Our tests were not sophisticated, esoteric hacking; instead, they were simple, boring security tests that anyone even considering security would have performed. We performed these tests through rigorous, exhaustive review of each individual device to collect real, hard data on the lack of security on these devices, the results of which we are excited to share in this report. Our findings are the result of analyzing over 1.25 million communications to more than 3,000 external servers from 12 off-the-shelf IoT devices.
What we found, on one hand, was not surprising. Many of these devices are not secure. Much of the associated infrastructure is not secure. Several of the Android applications are borderline dangerous. Yes, it is scary to think that some stranger could watch your child sleep (easy to do with some of the devices we reviewed). We also found that someone could set off the alarm on your security system repeatedly to drive you crazy just by pasting a URL into their browser. We also proved that we could write a simple, five-line computer script to get visibility into every time a lightbulb or an outlet was turned on or off, which could be accomplished by anyone who has access to any network that your mobile phone has connected to. It is scary to think that someone could intercept traffic from one of your devices and get information such as your birthdate, e-mail address, telephone number, or even your passwords. As a part of our study, we found that all of these things are simple to accomplish on one device or another.
These things are scary, but they are nothing compared to what we, as security experts, worry about on a macro level.
What happens if we take a global perspective on these devices and consider the impact of not just one or two insecure devices, but billions of them? While it may be an inconvenience if our thermostat stops working on a cold night, what if every thermostat in a large metropolitan city caused a massive power surge and took down the power grid? What if millions of smart lightbulbs and outlets caught fire at the same time? What if a foreign intelligence service could have millions of cameras and security systems capture audio and video on command? Think this could not happen? We found that the extent to which the manufacturers and infrastructure associated with these devices communicate with, or are related to, China is shocking and has significant national security implications.
Now, our report is not all doom and gloom. We ultimately would like to ask a simple question…what if the general public could do something small and change the future?
We are talking about consumers and retailers taking a stand to require that manufacturers, and the platforms used by these devices, have at least considered security, and where the data of U.S. citizens is being stored, in the development of their devices and the associated infrastructure.
Surprisingly, requiring a basic level of security does not mean hiking costs to consumers. The insecure devices we reviewed were priced similarly to the secure ones, but retailers appear unaware of, or unconcerned about, differentiating these devices to consumers, despite the clear marketing advantage and a critical need to demonstrate that they do indeed care about the privacy and security of their customers.
We are excited to have finally released our report and share our findings with the community. I hope you will take the time to read through it and let us know your thoughts! You can access the report at http://www.thestateofiotsecurity.com and make sure to follow us on Twitter at @darkcubedcyber as we release more content associated with this report in the coming days and weeks.