The Internet of (Insecure) Things: How an IoT Toaster Can Burn You

Sam Coache and Michael Salihoglu | 9/25/2018
The internet of what?

In 2009, the Internet of Things (IoT) was loosely formalized as a new phrase and category of devices. It is now estimated that more than 11 billion IoT devices are in use globally, and the IoT industry is among the fastest growing in the world. The Internet of Things refers to physical devices that use an active internet connection to provide a service to the consumer and the communication that occurs between these devices over the internet.

Most people use the internet for email, web browsing, social media, or file sharing. IoT devices extend beyond traditional internet use to incorporate remote security systems, home climate control, refrigerators, some car systems, and devices such as Google Home and Amazon Alexa. IoT devices seem to be nearly everywhere. Their value in simplifying and streamlining tasks indicates that this new technology likely will continue to grow and branch out into other mainstream industries and products in the coming years. In fact, based on a forecast by Gartner, the number of IoT devices online will rise to more than 20 billion by 2020, at an estimated worth of $8.9 trillion.

New industry, new threats

As the IoT expands at a rapid pace, the security industry must identify emerging risks within this new market as more devices come online. In 2012, Linux.Aidra became one of the first, if not the first, pieces of IoT malware of its kind when analysts noticed a large number of telnet-based attacks over IRC (Internet Relay Chat) channels coming from internet-enabled televisions, cameras, and DVR systems. Four years later, new versions of malware such as Mirai and Satori emerged and infected susceptible IoT devices.

Mirai and Satori were both botnets, which are networks of infected computers controlled as a group without the owners' knowledge. Botnets are deployed to spread malware, act as hosts for phishing campaigns, and conduct orchestrated distributed denial-of-service (DDoS) attacks. In June 2018, an exposed flaw in Google’s Home and Chromecast devices allowed hackers to uncover the devices’ exact location through a technique called DNS rebinding, in which attackers use JavaScript embedded in a malicious webpage to compromise other devices on a network and interact with them remotely.

Many companies are integrating IoT technology into a variety of devices to keep up with current trends, so more IoT devices than ever are active within internal networks. In short, IoT innovation has opened organizations up to new security threats. From smart printers and light bulbs to employees’ personal smartwatches, protecting networks from rogue devices has become critical for most organizations.

Securing IoT devices

When purchasing a new IoT-enabled device, users should first consider its available security features. Does it allow alphanumeric or biometric password protection to prevent an unauthorized user from gaining access? Can users remotely wipe a stolen device to prevent thieves from accessing personal information? Manufacturers often overlook these basic considerations when they create new and trendy devices.

Once users have purchased the new IoT device, they should update its firmware right away and change any default credentials included with the device. Many devices ship with outdated and vulnerable firmware, so users should also check the manufacturer’s site for firmware updates that might patch these problems. One of the main issues with IoT manufacturers is that they often produce cheap, poorly secured devices and then never release new security updates for them, so choosing reliable vendors and checking periodically for new updates are good security practices. Alternatively, devices might allow users to enable an option that updates the device automatically when new firmware updates are released. Changing the default credentials to a strong password is also important, as IoT devices are often the first devices that intruders will target in their attack. Organizations installing IoT devices around the office should include the devices in their patching schedule so that the latest security fixes are applied.

Employees’ personal IoT devices can also pose a risk to an organization’s network. Employees can easily connect personal devices to the corporate network and, if security is not up to par, unknowingly provide an easy entry point for industrial espionage. The majority of these attacks rely on microphones, cameras, and location services to function correctly. Consider, for example, the smart assistant device sitting in the corner of an office during meetings, passively recording all audio while waiting for a command. Even if the device itself has not been compromised, the incredible amount of data it records could lead to privacy concerns for an organization and its clientele. For the everyday user, this risk might not be an issue. But CEOs certainly do not want an unknown third party “listening in” on a closed-door meeting.

On the networking side of IoT security, network administrators should make sure that the router or firewall appliance managing the network to which IoT devices are connected is set up securely. Firewalls on the wireless router and all endpoints should be enabled, and strong passwords should be required across the network. Devices should also sit behind the firewall rather than directly on the internet. To help protect users and the network, the router’s security console might include other features such as MAC address filtering, geo-blocking, or intrusion prevention.

Organizations and more advanced users should consider segmenting their networks so that IoT devices do not have access to any other part of the network. For instance, administrators should set up one segment that has all the standard computers and printers and another that is strictly for IoT devices, especially if the router or firewall is forwarding connections to the devices directly from the internet. To keep guests from bringing infected devices into the network, administrators should consider setting up a guest network that shields organization devices from outside ones. By strategically segmenting the network, administrators can reduce the risk of compromised devices gaining access to sensitive information.
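One way to check that this kind of segmentation is actually being enforced is to audit firewall flow logs against the intended policy. The script below is an added example, not something from the original article; the three address ranges, the log format (source, destination, destination port, action), and the list of forbidden segment pairs are all assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): one range per segment.
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}

# (source, destination) segment pairs the policy should never permit.
FORBIDDEN = {("iot", "corp"), ("iot", "guest"), ("guest", "corp"),
             ("guest", "iot"), ("internet", "iot")}

# Constructed firewall log: "src dst dport action", one flow per line.
SAMPLE_LOG = """\
10.10.0.15 10.20.0.8 443 ACCEPT
10.20.0.8 10.10.0.15 445 ACCEPT
10.20.0.9 10.10.0.20 22 DROP
203.0.113.7 10.20.0.8 23 ACCEPT
10.30.0.5 10.10.0.15 3389 ACCEPT
10.20.0.8 198.51.100.4 443 ACCEPT
10.20.0.8 10.10.0.15 ACCEPT
"""

def segment_of(addr):
    """Map an IP address to its segment name, or 'internet' if outside all."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def audit(log_text):
    """Return (line number, finding, detail) for flows that break the policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            src, dst, dport, action = line.split()
            pair = (segment_of(src), segment_of(dst))
            dport = int(dport)
        except ValueError:
            # Surface malformed records instead of silently skipping them.
            findings.append((lineno, "unparsable", line))
            continue
        # A dropped flow means the firewall did its job; only accepted ones count.
        if action == "ACCEPT" and pair in FORBIDDEN:
            findings.append((lineno, f"{pair[0]}->{pair[1]}", f"{src} -> {dst}:{dport}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Outbound traffic from the IoT segment to the internet is left allowed here so that devices can still fetch firmware updates; tighten the forbidden pairs to match the organization's own policy.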

Gray hat botnets

“Gray hat” is a cybersecurity term used to refer to programs that violate ethical standards without malicious intent. Gray hat falls in the middle of the spectrum of white hat (the good actors) and black hat (the bad actors).

Recently, some gray hat hacktivists have begun intentionally infecting unpatched IoT devices with malware in order to prevent malicious botnets from taking hold of them. Yes, you read that right. Analysts have identified a new series of gray hat botnets that infect vulnerable IoT devices with a style of malware similar to Mirai, but with a unique twist. Instead of stealing information like Mirai does, the gray hat botnets block access to the ports commonly used in known attack vectors on many IoT devices to prevent further harm, and they don’t execute any expressly malicious code.

Several authors have released versions of this type of malware, which include Hajime and Linux.Wifatch. Both programs seek out poorly secured IoT devices before they can be taken over by something more sinister. The bots send messages through their actions, rather than explicitly telling the user to patch IoT devices. They close ports and remove firewalls behind themselves and display verbose messages through quips in the source code, ultimately indicating to the owner that the devices should be patched to prevent future harm. One related botnet malware known as BrickerBot performed a similar service. However, instead of closing ports or notifying the hardware owner, it simply “bricked” the insecure device, rendering it unusable.

To be clear, this malware spreads without the permission of the user. Furthermore, in the case of BrickerBot, the malware can render the unpatched devices permanently unusable, hence the term “gray hat botnet.” Increasing awareness of the risk of unsecured devices is an important message to share. But forcing users to take action without their knowledge is the wrong way to go about it.

Environment security

IoT devices can be great, and they provide a number of services that can make our lives easier. But from a security perspective, these devices do not meet strict security standards. Organizations that want to integrate IoT devices in-house should take extra steps to secure the devices in an office environment and to comply with security protocols. For personal home use, users should take the time to separate IoT devices from other services on their networks and make sure that firmware is up-to-date.

As with any other technology, new vulnerabilities and paths for exploitation can be expected on the horizon for IoT devices. But by taking a few proactive steps, users can strengthen their device security and make it significantly harder for talking toasters and other IoT devices to take over their networks.