Monday, November 28, 2016

IoT Stranger Danger! -- From an IT Professional and Electronics Hobbyist / Ramble-n-Rant

I sit on two sides of this problem. I am an IT Professional, currently Enterprise Architect at New Jersey Institute of Technology.   My Department manages everything server, storage and network on our campus. We see every manner of device installed (or attempted to be installed) on our network. Consumer devices, smartphones, industrial control devices, PLCs, cameras ... Everything (Even a internet connected fish tank! Seriously.)

On the other hand, because of my embedded/electronics background, I am intimately familiar with the microprocessors, firmware complexities, networking stacks and protocols at play in these devices. Quite simply when you build a device, try to make it as cheap as possible, then make it participate in an increasingly complex network jungle, you are asking for trouble.

Consumer devices are built down to a cost, which means they will often use the smallest microcontroller possible and offload complexity "elsewhere". This means devices like WiFi light bulbs and thermostats often depend on a service running in the cloud for advanced functionality. The simpler you can make a hardware device the less likely there will be show stopping bugs. By using a cloud service the product designer moves some of that bug risk to something under their direct control. A server run in the cloud is capable of giving the user a lush App/GUI, complex functionality and integration with an ever changing field of other devices.

The IoT ecosystem is rapidly evolving, making sure that a consumer device works with IFTTT, twitter, gmail, facebook etc is a minefield of APIs. Putting that complexity directly in the device would be expensive and require frequent firmware updates. (more on that later!)

So, these devices often depend on a cloud service, Does the owner need to know? Most will not care until it stops working. But the design of the device and how it communicates with the owner will largely determine it's lifespan.

From a user's perspective, if it stops working, it's broken and when it's broken, it's trash. Many of these devices will have a direct and short path to the landfill if the company goes belly up and/or shuts down the cloud components. For example, NEST, now owned by Google, announced they would be shutting down their "Revolv" cloud service making the hardware devices junk. To their credit they offered the users a refund. But it's a good example of how a physical device's functionality depends on stuff outside the control of the user.

Let's talk about security... It's a jungle out there. We often think that our local network (home or corporate) is a walled off garden. But this is not really the case. The jungle creeps in...

Consider small embedded device... Let's say a consumer WiFi controlled lightbulb... camera, or a network connected alarm panel. Believe it or not, they are remarkably similar. All have a small microcontroller running a minimal (but complicated!) network stack. They are both likely to be "stuck in time" and forgotten after being installed. Meaning, once the owner "gets it working" it will rarely (or never) have it's firmware updated, at least as long as it continues to work. And finally, after some duration, sometimes remarkably short for consumer items, the company that produced this device will stop supporting it, or worse completely disappear. From the above cloud discussion we know this can spell certain doom for the complex functionality, but lets assume that this device allows you to directly control it and does not rely on a cloud service.

When network connected devices get "stuck in time" they become a hazard to the network owner.  (this means you) This can be a campus with 10,000 deices or your home network with ~10 devices. The scale is different but the hazard is the same.

In some cases the device firmware is vulnerable to direct attack. Perhaps a OpenSSL or HTTPD vulnerability, maybe combined with a Linux kernel hole that allows arbitrary code execution. This can mean that another peer device on the same network can gain access to and control or adulterate firmware on a device. This can be a toehold for a larger attack or simply become a "bot" used to attack elsewhere on the network.

Even if an attacker is not a peer on your local network, these devices are often allowed to make unfettered outgoing connections. If you can induce a device to make an outgoing call to a malicious site, perhaps a malicious DNS server, you may be able to exploit a hole which gives you access an attacker can build on. This means an attacker need not already be on your network. You at home, could browse a malicious website, your computer gets infected and looks for other vulnerable devices on your network. This really does happen and it means your DVR or IP Camera may be quietly participating on a Distributed denial of service (DDoS) attack controlled by a BOTnet.  (See:

Ok, So we have the cloud service evaporation risk, the "Stuck in time" risk, and all those security risks. What should we do? Simply keep using normal light switches? (Well yes, but don't get me started on that...)

I think we all just need to understand where we are in IoT's hypecycle (See: ... We are firmly, I think, on the roller coaster headed down toward the "Trough of Disillusionment". There are going to be some big IoT casualties, some big security exploits, and a LOT of junk in landfills. Understand the risks and proceed with caution. Some suggestions:

  • Don't buy expensive crap -- This might sound obvious but the wording is specific.  If your going to spend a wad of cash on a gadget, try to understand the parent companies commitment to being in business and product support in comparison to how bid the wad is.  If you are buying a whiz-bang cheapo ~$20 IoT gizmo, it's not too difficult to recoup that value even if it doesn't last that long.  (putting landfill ecology aside)  
  • Build a wall -- You might consider setting up a isolated WiFi WAP dedicated to un-trusted IoT devices.  Decent consumer access points are sub $50 these days, and most will intelligently select non-conflicting channels.  This can offer a lot of protection but can also break funcationality, its a trade off.
  • Keep on top of firmware -- Some IoT devices will tell you wen new firmware is available... but that only works if you actually look at the app from time to time.  Lots of these gizmos are set-and-forget, well try not to forget them for too long.   
  • Keep on top of the vendor -- If the company is out of biz or if the product is abandoned/end-of-life'ed it is likely that firmware updates will dry up and you will not know.  If this happens it is important to consider taking those devices off the network.   They become a growing risk as new security vulnerabilities are found. 
  • Buy devices that have direct control -- Some devices have direct control in addition to a more luscious IoT API.    This means, for instance, even if IFTTT support evaporates you can still have some level of control using direct communication with the IoT device.   This is usually a web interface running right on the device, or a app that does not require a cloud service.

In the coming years there will be lots of development of IoT security.  There is a gaping hole for some enterprising developer to fill with a intelligent stateful firewall aimed at IoT devices.   Think of this as a virus/malware protection for your home network that prevents IoT devices from doing bad things based on signatures and heuristics.   I think this will be a growth area for consumer home networking in the next couple years.  Until then, keep safe!