The past ten days have provided some interesting revelations around the Internet of Things (IoT). As we all know, the IoT is that collection of generally unmanaged devices with embedded connectivity to the Internet. From cars to refrigerators, thermostats, televisions and more, the IoT seeks to connect everything it can to the world’s largest global network. Conceptually, the IoT is a great thing: it can lead to more efficient use of energy, customized manufacturing, faster transportation and much more. However, as we’ve seen over these past ten days, there’s a dark side to the IoT.
On March 7, the disclosure site WikiLeaks posted a cache of over 8,700 documents purportedly leaked from the United States Central Intelligence Agency (CIA). The documents indicate that the CIA holds a large arsenal of code that exploits zero-day vulnerabilities in IoT devices, consumer small office/home office (SOHO) equipment such as cable modems and routers, mobile phones from popular manufacturers, and more. WikiLeaks describes the release as the first of several, and claims the archive gives its possessor “the entire hacking capacity of the CIA.” This initial release does not appear to include the exploit code itself, but it does contain fascinating detail on alleged CIA projects. Among the more frightening is one documenting the ability to turn Internet-connected Samsung televisions into covert listening devices through their built-in microphones, capturing conversation in the room through the air itself and so circumventing the “air gap” in a most literal way.
Whether the CIA should have (and use) this technology, and whether it was appropriate for WikiLeaks to disclose it, are questions beyond the scope of this blog. What is very germane to anyone reading this post is that IoT devices are clearly a ripe target for malicious code: a large share of the exploit projects described in this set of documentation target exactly those devices. So why is that the case? There are several reasons. One is the set of special-purpose protocols developed for discovery, data transport and device management, such as mDNS, MQTT, CoAP and OMA-DM. These protocols ride on standard TCP/IP networking, but they are relatively new, and their implementations were designed with performance and functionality first and security a distant second. MQTT, for example, sends its optional username and password in cleartext, and CoAP has no security of its own, unless a deployment deliberately layers TLS or DTLS on top; many deployments do not. Another reason is that IoT devices, unlike general-purpose computing devices such as servers and PCs, run large amounts of custom firmware on vendor-specific system-on-chip hardware, typically assembled from chip-vendor SDKs and rarely subjected to meaningful security testing (again, “functionality and performance over security” is the industry mantra).
So what can be done about this problem? For consumers and companies alike, the ability to respond to these types of threats is key. As is often the case, the fundamentals of security are the best way to mitigate exploits:
- Patch your IoT devices. Because IoT devices run embedded operating systems and software, they often have built-in online update services. Make sure those updates are actually applied, and enable automatic updates where the device offers them. This is especially true for network perimeter devices such as cable modems and routers, since they are the doorway to your internal home and office networks. A device whose vendor offers no update path at all should be treated as permanently vulnerable and isolated accordingly.
- Know your vulnerabilities. It’s likely that many of the weaknesses described in the WikiLeaks material will eventually be implemented as checks within popular vulnerability scanning tools. Scan your IoT devices frequently for known vulnerabilities, including services that accept connections without any credentials, and have an action plan to remediate what you find.
- Isolate risks. For businesses that have IoT devices, isolate them wherever possible from the rest of your network. For example, if a “smart” TV in a conference room has an IP address, put it on its own VLAN and restrict that VLAN so the TV can reach only the Internet destinations it genuinely needs and nothing on the corporate network. Also, disable features you don’t need: just because a TV is configured by default to join your network via DHCP doesn’t mean you have to let it, unless that connectivity supports a capability you actually require.
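As an added example (not code from the original post, nor from any vendor or agency it names), here is a small Python probe that applies the “know your vulnerabilities” advice above to one of the protocols mentioned earlier. It builds an MQTT 3.1.1 CONNECT packet with no username or password, sends it to a broker, and reads the return code in the broker’s CONNACK to tell whether the device accepts anonymous connections. The broker host, port and client identifier are assumptions you supply on the command line; the CONNACK replies used in the offline demonstration are constructed to show each verdict.

```python
"""Probe an MQTT broker for anonymous (credential-less) access.

Added example for this post, not code from the original article or from any
product it mentions. It builds a minimal MQTT 3.1.1 CONNECT packet carrying no
username or password, sends it, and reads the broker's CONNACK return code.
The packet builder and the CONNACK assessment are pure functions so the logic
can be exercised offline against constructed replies.
"""
import socket
import struct
import sys

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT 'remaining length': 7 data bits per byte, high bit set if more follow."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, keepalive: int = 60) -> bytes:
    """CONNECT packet with only the clean-session flag: no user, password or will."""
    protocol_name = b"\x00\x04MQTT"          # length-prefixed protocol name
    protocol_level = b"\x04"                 # 4 = MQTT 3.1.1
    connect_flags = b"\x02"                  # bit 1 clean session; user/pass bits 0
    keepalive_bytes = struct.pack("!H", keepalive)
    cid = client_id.encode("utf-8")
    payload = struct.pack("!H", len(cid)) + cid
    body = protocol_name + protocol_level + connect_flags + keepalive_bytes + payload
    return b"\x10" + encode_remaining_length(len(body)) + body  # 0x10 = CONNECT


def parse_connack(data: bytes) -> tuple:
    """Return (session_present, return_code); raise ValueError if not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet: %r" % data[:4])
    return bool(data[2] & 0x01), data[3]


def assess(reply: bytes) -> str:
    """Classify a broker reply to the credential-less CONNECT.

    'open'          - return code 0: the broker accepted us with no credentials.
    'authenticated' - code 4 or 5: the broker demands credentials.
    'inconclusive'  - anything else, including an empty reply (some brokers
                      drop unauthenticated clients without sending a CONNACK),
                      which must not be mistaken for 'safe'.
    """
    try:
        _, code = parse_connack(reply)
    except ValueError:
        return "inconclusive"
    if code == 0:
        return "open"
    if code in (4, 5):
        return "authenticated"
    return "inconclusive"


def probe_anonymous_mqtt(host: str, port: int = 1883, timeout: float = 3.0) -> str:
    """Send the credential-less CONNECT to host:port and assess the CONNACK."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("iot-audit-probe"))  # client id is an assumption
        try:
            reply = sock.recv(4)  # a CONNACK is exactly four bytes
        except socket.timeout:
            reply = b""
        verdict = assess(reply)
        if verdict == "open":
            sock.sendall(b"\xe0\x00")  # DISCONNECT, so the broker frees the session
    return verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python mqtt_probe.py <broker-host> [port]   (only against devices you own)
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 1883
        print(sys.argv[1], probe_anonymous_mqtt(sys.argv[1], port))
    else:
        # Offline demonstration on constructed CONNACK replies.
        for label, reply in [("accepted", b"\x20\x02\x00\x00"),
                             ("not authorized", b"\x20\x02\x00\x05"),
                             ("connection dropped", b"")]:
            print("%-20s -> %s" % (label, assess(reply)))
```

A verdict of “open” means only that the broker accepted a connection with no credentials; topic-level access controls may still limit what such a client can publish or subscribe to, so treat it as a finding to investigate rather than proof of full compromise. An empty or malformed reply is deliberately reported as “inconclusive” rather than as a pass, since a broker that silently drops the connection tells you nothing about its policy. Run the probe only against devices and brokers you own or are authorized to test.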
The fallout from the WikiLeaks disclosure will have massive ramifications for IoT device manufacturers, for government agencies such as the CIA that rely on exploiting these weaknesses as part of their tradecraft, and for malicious attackers, who will first reuse the disclosed techniques and then analyze them to find new attack vectors into IoT devices. IoT consumers, individuals and businesses alike, will need to remain hyper-vigilant as these early days of IoT devices unfold.