TENERIFE–Nostalgia for the 1990s may be all the rage at the moment (see: The X-Files, The People vs. O.J. Simpson) but when it comes to security, no one is looking to go back 20 years. Sadly, that’s about where the security of many IoT devices belongs, experts say, and there doesn’t look to be much hope on the horizon at the moment.
Security researchers have been taking a hard look at the avalanche of new embedded devices, smart appliances, and other IoT devices and what they’re finding is not pretty. There are new wireless protocols and standards emerging on a weekly basis, and the amount of thought being put into the security of those protocols is usually little to none.
“It reminds me of the 199os today in the way that we’re deploying wireless systems and protocols with no thought to security,” Chris Rouland, founder and CTO of security startup Bastille Networks, said in a talk at the Kaspersky Lab Security Analyst Summit here Monday.
“It’s a much larger attack surface that we have now. The attack vectors are three to four times larger than enterprise computing. The Nineties was the golden age of hacking in many ways and we’re approaching that today with the IoT.”
“It’s a much larger attack surface that we have now.”
The manufacturers that are building computers into every device under the sun are doing so in order to bring more convenience and features to consumers. Many of these devices have highly specific design requirements, and often the urge to extend battery life or make the device smaller takes precedent over any kind of security system, Rouland said.
“We have scores of protocols rolling out and when you dig into some of them they appear very fragile,” said Rouland, a veteran of Internet Security Systems and Endgame Systems. “There’s massive competition in the market today ad the priority is battery life, memory, and size. Security is not even on the list.”
One of the examples Rouland gave was a rogue cell tower. Researchers have demonstrated cheap and easy to build hardware kits that can intercept cell signals. That can be done without the knowledge of the sender or receiver of a signal, something that could be very useful to an attacker in any number of scenarios.
“You could use that to intercept the texts that are used for two-factor authentication,” Rouland said. “We seem to have settled on SMS as the way to do two-factor authentication and that can be dangerous.”
He also took manufacturers to task for using Bluetooth as the default communication mechanism for IoT devices. The protocol was not designed for the tasks that it’s being used for now, and there is no secure transport mechanism built into it.
“Bluetooth was designed to replace USB cables. It wasn’t designed to be the HTTP of the IoT and that’s what it’s become,” Rouland said. “There’s no visibility in the enterprise with these wireless protocols.”
Security issue with consumer devices such as smart TVs or refrigerators is one thing, but many of these protocols are being used in enterprise or municipal deployments, too. The implications of attacks on things such as traffic lights are much more severe than they would be if an attack hit a home device.
“Bricking a light bulb might not seem like a big deal but if it’s a city that’s moved to a smart lighting system, you have a serious denial-of-service problem,” Rouland said.
Image from Flickr stream of Alexandre Dulaunoy.