Opinion: Looking back at the Internet of Things
I remember having conversations back in 1999 about the automation and control systems being insecure as we approached the year 2000 thinking the world was gonna end at the stroke of midnight. While the world didn't end in the year 2000 rollover, something did set itself in motion that continues to be problematic even today. Everything from our aircraft, manufacturing plants, sewer treatment facilities and nuclear power plants have something in common in that they have control systems connected to networks that are connected to the Internet. Nearly all of them have some sort of automation system in place that makes it easier for workers to maintain these environments and to keep us safe or to make workers jobs easier. Even power companies want to use WIFI or Cellular systems to receive information on how much power you use without having to send workers out to read meters.
Not Much Has Changed...
Over the last 20 years I have watched as more and more appliances, home automation, security systems, heating and cooling and other products have been released with the goal of making our lives much more convenient. In fact if you tell your kids that you had to get up off the sofa to change the television channel when you were a kid they can't even grasp the concept, let alone showing them an LP record player and asking them how it works.
In this day and age everybody wants an easy button. They build systems for everything from home automation to entertainment and they want to be able to access those systems from anywhere (over the Internet). The whole point is ease of use. When the manufacturers of these systems put out these products they never imagined that some of them would be connected to the Internet or that vulnerabilities in the current versions of their operating systems at the time would ever be exploitable remotely but that is exactly what is happening. Just this morning our SOC (Security Operations Center) put out a bulletin about botnets looking for a particular brand of router to exploit. When I looked into it farther I realized that the manufacturer of this router hasn't been keeping up with kernel versions and a quick look at the CVE database shows that there are many remotely exploitable vulnerabilities out there that could be problematic for users of this particular router. One very large Internet Service Provider in the US has literally thousands of these devices out there with default passwords just waiting to be exploited.
Again this goes back to ease of use. These ISP's would rather make sure all technicians have access to the devices (and the hackers and nation state actors and probably the NSA as well) so they let the default passwords in place instead of implementing a customer management system to ensure each customers passwords are different than the default. These companies are failing to provide basic security protections on these devices at the cost of it eating up bandwidth when these routers become part of these automated botnets that have sprung up with devastating effect when the actors use them to overwhelm websites with traffic (denial of service). You see the providers themselves don't even care about securing their own networks or the networks of their customers and it's being taken advantage of by bad actors.
In truth not much has changed in 25 years. Sure some people are more aware of the issue but these same devices were a problem then and they are a problem now. It seems as an industry people are more worried about profits than doing things in a secure manner. These devices should have been secured when they were first deployed.
The Solution(s) in my opinion
So I was always told not to try and bring up issues without solutions so I wanted to make sure I shared my two cents on this topic. There are really only three solutions to the problem that come to mind. First the easy solution. Simply don't connect IoT devices to the Internet. Make sure they are deployed on a private network specifically for that purpose. You can still connect to that network to "automate" your devices without risking the devices to Internet hackers and attack. That's the easiest and most effectively solution.
If you must connect these devices to the Internet then at least put them behind a firewall and only allow remote access to them by way of a secure VPN or from known and trusted IP address sources. This will cut down 99% of the issue by only allowing trusted IP's to get to the devices. Remember thought just as in the Target breach, if your trusted IP devices get compromised then you have given hackers a path into your network.
This next solution really is not a solution but a companion to the first two "solutions". Don't allow name resolution or put in outbound rules to only allow devices that are connected to talk to trusted destinations. In short firewall everything and only allow the devices to talk to known good destinations. Enforce DNS sinkholes to keep the devices from talking to bad destinations. This third step is a safeguard in case the first two solutions somehow fail to protect you. Just like only allowing in the good sources, only allow the devices to talk to known good destinations.
I really and truly hope that IoT devices are NOT connected to the Internet but in this age of convenience it's easy to plug in that device without thinking about the consequences. There are reasons that highly secured networks are air-gapped in the first place.
Other IoT News:
Insecure Scada Systems Blamed in Rash of Pipeline Data Network Attacks