The number of Internet of Things (IoT) devices in use is estimated to go from 31 billion devices in 2020 to near 35 billion by the end of 2021 (Leftronic 1).
The IoT encapsulates not only personal computers and smartphones, but also any device with a communication method that allows it to connect to a network, whether through Wi-Fi, Ethernet, or otherwise. This means that the microcomputers found in household appliances such as smart fridges, smart toasters, and baby monitors all make up part of the IoT alongside devices usually expected to be connected to the internet. The data and information exchanged by these devices varies greatly, from the stock levels of a smart fridge to the audio and video from a smart home security system. In 2018 approximately 2.5 quintillion bytes of data were exchanged each day over the internet (Forbes 2). It stands to reason that a notable portion of this data can be attributed to IoT devices.
Given the broad spectrum of the areas these devices have reached, it is increasingly difficult to ensure a uniform approach to security. The steps needed to secure a smart fridge could be quite different to securing an internet connected children’s toy. With this in mind, the UK government has established guidance on security measures that organisations can implement on their products to reduce the possible attack surface. This blog post will sample the research that has been done around the security of IoT devices, the current guidance attempting to secure them, what a supplier can do to help keep customers secure, and what customers can do to maintain that protection.
Discovery of issues affecting devices in this area is not uncommon, with a number of high-profile cases having been raised in the past. An example is the Cayla children’s smart doll, which was found to not be as secure as initially hoped, prompting an official German watchdog to recommend that parents destroy the doll over hacking fears (BBC News 3). The dolls are designed to record the child's voice and answer questions they ask via the internet. Unfortunately, due to an unsecured embedded Bluetooth device, an attacker could listen to and talk to the child playing with the doll.
Increased concern over the security of IoT devices has prompted a number of studies into the security of these devices, in turn giving us a view of the most common issues affecting them. Research carried out by Context in partnership with Which? in 2017 found it possible to exploit a Furby Connect (4) to upload custom graphics and audio to be played by the device. This was due to the Bluetooth functionality implemented on the device at that time being both unencrypted and unauthenticated (no password was required for use). The team were able to construct an update including custom audio and animations and then upload it to the device under the guise of a legitimate update from Hasbro.
Research conducted by a UK researcher against a randomly selected smart baby monitor discovered a number of issues including:
- Web Service Running as Root – The device hosts a web server which has the highest permissions possible on the device. As such, an attacker is able to leverage this to view and download sensitive documents from the device, such as video recordings.
- Outdated Kernel With Known Vulnerabilities – The firmware of the product is affected by known vulnerabilities which in this case could allow full compromise of the device.
- Insecure Services Running (Telnet) – Insecure services can be used to communicate with the product, increasing the number of ways an attacker could attempt to compromise the device. In this case the service running is Telnet which is affected by a number of issues detailed later.
Each of the issues described above represents a significant security threat to the assessed devices and could contribute to an attacker having access to either a live feed or recording from the device.
Why is the threat significant? The issues listed can be leveraged without a great deal of prior knowledge or understanding, meaning the experience an attacker needs to successfully exploit the device is significantly lowered. Microsoft’s “Security Considerations for Telnet” (5) provides an example of this point: it details that telnet is an unencrypted service, meaning that anyone with a connection and the correct tools will be able to eavesdrop on any communication with this device via telnet and understand the exchange. In addition to this, a number of possible attack vectors are understood for telnet and have been known for quite some time; for example, “Telnet: An Attacker’s Gateway to the IoT” (6) was published in 2016 and is still relevant now. The attacks detailed include default accounts, password brute-force and, in some cases, no authentication being required. Note that compromising telnet would require access to the same network as the device, and eavesdropping on communication would require the attacker to be situated between a user and the device on the network. With this in mind, the likelihood of an attack being carried out against telnet is reduced. However, this serves as a prime example of how well documented some issues that appear in multiple products really are.
The vector of default accounts and passwords is not unique to the telnet service. This vulnerability is a very common occurrence across devices and can range from telnet credentials to the administrator login details for a webpage hosted by a device. Often these credentials are readily available and can be found with a quick search online.
A common theme highlighted by the studies above is that the problems affecting the devices are often caused by configuration or patching issues. This pattern extends beyond the small sample of studies listed and is repeated multiple times across a number of categories of IoT devices, including children’s toys, smart security devices, and smart appliances.
Due to manufacturing methods, the technology used in one device is likely to be used in multiple products; this can be both hardware and firmware. It is estimated that this web service technology is used in over 1 million security cameras and multiple millions of other IoT devices as stated by Xiong Mai (7). This shows the sheer volume of consumers potentially at risk from this issue, with potentially millions of households affected.
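The three findings above can be checked for from output a device under assessment already produces. The following is an added example, not code from the original research or from Context; the `ps`, `netstat` and `uname -r` samples are constructed, and the `audit` function and `MIN_KERNEL` baseline are assumptions for illustration.

```python
import re

# Constructed sample output, as might be collected from a device under review
# (BusyBox-style `ps`, `netstat -tlnp`, `uname -r`). Not from the original research.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1532 S    init
  412 root      3104 S    /usr/sbin/httpd -p 80
  430 root      1208 S    telnetd -l /bin/sh
  455 nobody    2040 S    /usr/bin/rtspd
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN 412/httpd
tcp        0      0 0.0.0.0:23      0.0.0.0:*       LISTEN 430/telnetd
tcp        0      0 127.0.0.1:554   0.0.0.0:*       LISTEN 455/rtspd
"""
SAMPLE_KERNEL = "2.6.32"
MIN_KERNEL = (4, 19)  # assumed baseline; use the oldest release your vendor still patches

def audit(ps_text, netstat_text, kernel, min_kernel=MIN_KERNEL):
    """Return (finding, subject, port) tuples for the three issue classes."""
    # Map PID -> owning user from the process table.
    owner = {}
    for line in ps_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            owner[parts[0]] = parts[1]
    findings = []
    for line in netstat_text.splitlines():
        m = re.search(r"(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)", line)
        if not m:
            continue
        addr, port, pid, prog = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        exposed = addr not in ("127.0.0.1", "::1")  # loopback-only is not reachable
        if exposed and owner.get(pid) == "root":
            findings.append(("network-service-as-root", prog, port))
        if port == 23 or "telnet" in prog:
            findings.append(("cleartext-telnet", prog, port))
    # Version comparison is a coarse proxy: it cannot see backported fixes.
    ver = tuple(int(x) for x in re.findall(r"\d+", kernel)[:2])
    if ver < min_kernel:
        findings.append(("outdated-kernel", kernel, None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_NETSTAT, SAMPLE_KERNEL):
        print(finding)
```

The loopback-bound `rtspd` service running as `nobody` produces no finding, which is the configuration the root-owned web server and Telnet daemon should be moved towards.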
Current UK Guidance
In October 2018 the UK government published guidance on the security considerations that should be taken into account when manufacturing IoT devices or providing an IoT service (8). This guidance is welcome. It establishes a number of areas that warrant special attention in an attempt to reduce the attack surface of the devices being produced. The areas highlighted in the documentation are as follows (in no particular order):
- No Default Passwords
- Implement a Vulnerability Disclosure Policy
- Keep Software Updated
- Securely Store Credentials and Security-Sensitive Data
- Communicate Securely
- Minimise Exposed Attack Surfaces
- Ensure Software Integrity
- Ensure that Personal Data is Protected
- Make Systems Resilient to Outages
- Monitor System Telemetry Data
- Make it Easy for Consumers to Delete Personal Data
- Make Installation and Maintenance of Devices Easy
- Validate Input Data
If this guidance is followed correctly, the security of IoT devices being produced will be significantly improved. A number of the areas detailed in the guidance would directly remove several issues that are found regularly. For example, point 1 of the guidance would resolve the “Default Credentials” issue discussed previously and point 3 would address the issue of outdated software/firmware.
However, it should be noted that the guidance, even if applied correctly, is not a cover-all and would not fix all of the issues that have been highlighted from the research above. For example, the guidance does not detail how authentication should be enforced by the device, meaning the issues around lack of authentication being configured would not be resolved. The guidance is necessarily broad given the variation of products that make up the IoT, but if they are reliant on only this guidance, some suppliers may find it difficult to understand when enough steps have been taken to secure their product.
Without a more detailed assessment, some issues that are relatively simple to resolve are still causing a problem with devices produced more recently. Because these issues are so well known, they are repeatedly used in attacks. This can be seen as recently as March 2020 in a report published by the BBC (9). Due to default credentials, attackers were able to speak directly to a child using a device, and in another instance view a recording of the inside of a couple’s home. This shows an easily avoidable issue undermining all other security measures implemented. Additionally, it shows that the best time to improve the security of a device is during the manufacturing phase, in order to reduce the risk from a real-world attacker.
What can suppliers do?
There are a number of steps that can be taken by suppliers to significantly improve the security standpoint of the devices produced. The suggested steps are:
- Implement government guidance where possible, but also go beyond it.
- Ensure products are rigorously security tested prior to public release. This can both improve the customer’s security and reduce the number of issues reported after release.
- Train developers in secure coding and best practices. This knowledge will reduce the number of issues slipping through the development stage of the product.
- Implement fixes and security patches on a regular basis to address the reported issues or ones discovered internally.
- Provide clear advice to customers on the most secure environment for their devices. For example, ensure the router on the network is password protected and up to date, update passwords regularly and turn off the device when not in use.
- Open a forum for customers to report security issues. This will allow you to get a clear picture of the concerns facing the devices and how they affect them.
What can consumers do?
With every device connected to the internet, there is an inherent risk of an attack being carried out, but by following the steps below, a consumer can reduce their risk of becoming a victim:
- Ensure smart devices are updated as soon as an update is released by the manufacturer
- Change the default password to one you will remember (the NCSC provides consumers with some useful guidance on creating secure passwords (10))
- Turn off the device when not in use. This will reduce an attacker’s window of opportunity.
- Research the model numbers of devices you are looking to buy. Check if there are any news articles or advice available around which devices are most secure and what to look out for.
- Watch media outlets periodically for announcements from the supplier.
It is important to be aware that while this does not fully guarantee the security of a device, remaining diligent with each of the steps listed above is an important step towards staying safe.
Looking to the Future
Due to the steady flow of attacks against IoT devices, in January 2020 the UK government announced that a new law designed to improve the processes for securing devices post manufacture is in the final stages of approval (https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products 11). This law will cover three main topics:
- “All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online”
The three main topics of the law attempt to improve on the processes of reporting and patching issues on devices. If applied correctly this could prove to be an effective solution for addressing issues being raised in a timely manner.
Details of how and when this law will be implemented are yet to be confirmed. However, it would be wise for manufacturers to take note of this impending law so that steps can be taken to ensure these processes are in place to prioritise security.
Context is a part of Accenture Security.
Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.