Smart appliances are popping up all over the place, and the strangest things have become internet connected. It’s extraordinarily cheap to put a microcontroller into an otherwise ordinary object and have parameters that can be configured via a cell phone app. The Internet of Things (IoT) is a massive industry, which leads to some questions:
Why does a diaper/refrigerator/water bottle need to be internet connected?
We’re lazy. Most of the time these products are used for data collection and making life easy for the end user. Your smart-bottle can tell you how much water you drank, and tell your fitness app. Your smart-refrigerator can order products on Amazon or add them to your shopping list when you’re about to run out. Your smart-lightbulbs can change color temperature and brightness throughout the day to be better for your eyes. All of these devices, and many many many many more, already exist, out there and connected to the internet.
Who created the security policies for this device?
In the year 2005, when it became way cheaper to put computers on the internet, IoT started to get rolling. The microcontrollers in most IoT devices still use architecture and firmware that were designed in 2005. This means that the devices are running hardware and software designed 12 years ago on an internet that has had 12 years of practice at breaching those same systems. This CVE from GE is for a multilink internet adapter used in refrigerators, and the exploit listed is one that is very common in Windows XP/Vista computers from 2005, but the CVE was posted in 2015! Companies that make IoT devices, like GE and Philips, haven’t spent the last 12 years creating better security using a Secure Development Cycle; they probably spent the last 12 years building a better refrigerator/diaper/toothbrush/etc.
How are these exploited?
IoT devices have public-facing ports that can be picked up by almost any IP scanner. Most of the time, end users don’t change the default usernames and passwords. An attacker can then scan public-facing IPs for open ports, try a series of default passwords, and gain access to your IoT device. They can add it to a botnet like Mirai and conduct all kinds of nefarious business.
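From the defender's side, that pattern (a burst of failed logins from one source, sometimes followed by a success) is visible in a device's authentication log. The sketch below is an added example, not part of the original post; the log format, field names and addresses are constructed for illustration and do not come from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical device auth-log format.
SAMPLE_LOG = """\
2017-03-01T10:00:01 telnet login FAIL user=root src=203.0.113.7
2017-03-01T10:00:02 telnet login FAIL user=admin src=203.0.113.7
2017-03-01T10:00:03 telnet login FAIL user=support src=203.0.113.7
2017-03-01T10:00:05 telnet login OK user=admin src=203.0.113.7
2017-03-01T10:05:00 ssh login FAIL user=alice src=198.51.100.20
2017-03-01T10:05:30 ssh login OK user=alice src=198.51.100.20
2017-03-01T11:00:00 telnet login FAIL user=root src=192.0.2.44
2017-03-01T11:00:01 telnet login FAIL user=guest src=192.0.2.44
2017-03-01T11:00:02 telnet login FAIL user=admin src=192.0.2.44
"""

LINE = re.compile(r"^(\S+) (\w+) login (FAIL|OK) user=(\S+) src=(\S+)$")

def find_guessing(log_text, min_failures=3, window=timedelta(seconds=60)):
    """Return {src: verdict} for sources with >= min_failures failed logins
    inside `window`. Verdict is 'compromised' when an OK login from the same
    source follows the burst within the window, otherwise 'guessing'."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    verdicts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # skip lines that are not login events
        ts = datetime.fromisoformat(m.group(1))
        result, src = m.group(3), m.group(5)
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= min_failures:
                verdicts.setdefault(src, "guessing")
        elif len(recent) >= min_failures:
            # A success right after a guessing burst: treat the device as
            # taken over, change its credentials and isolate it.
            verdicts[src] = "compromised"
        failures[src] = recent
    return verdicts

if __name__ == "__main__":
    for src, verdict in find_guessing(SAMPLE_LOG).items():
        print(src, verdict)
```

A single mistyped password followed by a successful login, as with `198.51.100.20` in the sample, stays below the threshold and is not flagged.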
We’re always surprised when large attacks occur on IoT devices, but we really shouldn’t be. We’re trying to defend archaic mid-2000s technology from a 2017-level attacker, and that is the underlying problem. Until IoT manufacturers find a way to incorporate a better security policy into their development, our devices will continue to be at risk.