For Christmas this year, I got (another) Wemo smart switch for my home. I was excited, as it’s something I wanted. Within hours of receiving it, I had it installed and up and running. With the exception of a firmware update (which I did today via the app), everything went pretty smoothly.
Then I googled “Wemo Hack” and was a little dismayed by what I found. Clearly there are a lot of issues with these devices. It seems like every couple years there is a spate of articles written about them and how people hacked them to some degree of nefarious purpose. And this is just one brand. Thing even bigger about the rest of the brands on the market and it’s clear that the attack frontier is plenty broad.
I’m a reasonably tech-savvy consumer. I understand SQL and programming. I have a general understanding of networking. This means I’m considerably more knowledgeable than the average consumer. However, as I started to dig into the various different hacks that had been published regarding these devices, it exceeded my level of sophistication. I couldn’t understand to the extent necessary to replicate the hacks.
That’s actually OK with me. I’m not a hacker of any colored hat. But as I struggled to work my way through all the articles, several different themes emerged that define the state of affairs with respect to IoT security today.
Defense of small fishes
For the average consumer, I’m pretty sure there’s a thought process that goes something like this: “I’m just an ordinary person. I don’t have anything anyone would want.” In other words, I’m a small fish and therefore, on a cost/benefit analysis, I don’t think it’s worth much to try to pursue security with respect to my IoT devices.
In a lot of cases, this is probably rational economic thinking. The odds of being hacked through social engineering are probably a lot higher than having my identity stolen through a compromised smart-switch. So for the “little person”, it seems reasonable to not worry about the security of these devices and think only about the convenience they provide.
If the actual purchasing end user isn’t worried for themselves, then what concerns are left? I think it’s obvious. Look at the Mirai botnet problems of the last several years.
If the individual consumer isn’t hurt, then maybe those devices are being used to attach others that do have assets of economic (or political) value. Droves of compromised IoT devices in the hands of angry hackers can become a force-multiplier for DDOS type of attacks. And the consumer can remain completely ignorant of their passive complicity in this endeavor.
This is interesting in that it raises a question of Digital Citizenship. If we are to participate in this brave new digital world (and receive benefits from it), then do we have obligations to the larger collective which transcend our individual gains or losses? I think the obvious ethical answer is “yes”, but that begins to crumble when we try to define exactly what that duty is and how it would be effected.
Given that so much of our digital economy has been a fremium economy – where all too often we receive benefits for which we do not actually pay – this is an extremely tough model to follow. I think it is very behavioral and cultural to remain self-focused and not appreciate the public commons we are all trying to maintain.
Control the Stack
One of the challenges for IoT manufacturers is that they don’t really control the entire hardware and software stack. They build these devices with components which they purchase ready-made. This means that they don’t’ have any control over the bits that comprise their devices.
This means that rather than one person ultimately responsible for security of the device, there may be dozes of security stakeholders for each individual device that we can buy. I’ve read the tear-downs of my Wemo devices. It’s clear that Wemo is not engaging in their own chip design, and are leveraging commercially available options for their final products. This means any flaw in any components is therefore transferred to the ultimate end device.
This discussion isn’t only limited to hardware. OTC software is also used to support different functions and features. While these libraries may be tested and hardened, every time they are exposed to a security vulnerability, they pass that on to any other device which incorporates them.
To my knowledge, there is only one company that has undertaken the effort to design their own chips. Apple. Granted this means they are spending a lot of time and energy designing and maintaining these chips. This translates to cost. Apple can handle this kind of investment because they charge a lot for their devices. But they have also been able to make a big deal out of making the devices secure. Other manufacturers don’t make the same investment and don’t have the ability to make the same claims.
The challenge of Open Networking
Another critical challenge for securing the IoT is the reliance on the end consumers wifi network. Whether we’re talking about routers that still have the default passwords enabled or ones that are set up with known factory standard settings, this becomes a weak point in the chain. Frankly full security requires security at every link in the chain. Any weakness in any link weakens the entire chain.
When it comes to home wifi networks, they are designed to be simple. They can’t rely upon people with degrees in network architecture. They have to be designed to pretty much function out of the box. This, of course, means a predictable and known configuration that can be probed and tested to determine where holes might be found.
The home wifi network also needs to be able to accept the devices I want to access my wifi. It has to be easy and can’t be something that requires advanced degrees. As I was reading a number of articles about hackable IoT devices, I enjoyed reading the comments. Clearly the types of people who read security blogs are a cut above the average consumer. There was ample banter about the kinds of setup and configuration that these individuals had set up on their own home networks. It wasn’t the kind of thing that the average consumer would want, or even understand.
All our IoT devices are connecting in to these networks and are therefore susceptible to weaknesses there. The very thing that makes it convenient to connect the device also makes it easy to create exploitable vectors (think about access to the internet and access to the other devices on the network). I don’t see this changing any time soon, so it’s a challenge that will be with us for the foreseeable future.
Where does all this leave us?
Not really any place happy. I think it’s a fair expectation that that IoT security is going to be a “thing” for the foreseeable future.
The main problem I see is the distributed nature of security. No one device manufacturer is in a controlling position. There isn’t the proverbial “one throat to choke.” So it’s going to be very difficult to make real inroads into the kinds of changes that are needed to dramatically improve IoT security.
I do believe that we need a raft of consumer education. An uneducated consumer base will only perpetuate the kinds of vulnerabilities that we are looking to close. I would love to see some of the major IoT manufacturers join together in an alliance to educate consumers about the costs of security and effectively raise the bar for everyone in the industry with respect to security. This campaign could then focus on a couple topics:
- Understanding what IoT security is and who it impacts
- Understanding what they can do to protect their own IoT devices
- this would include understanding what these devices are really doing “under the covers”
- Understanding how to work with their wireless networks.
This is just a rough idea set to start the ball rolling. I’m sure there are still a lot of topics that would really need to be vetted out and added to this Digital Citizenry Education Program. I could see this as a brainstorming kernel… Add your thoughts to the comments and maybe we can get a proposal going.