SAN FRANCISCO—”Internet of Things? I don’t use that stuff. It’s not for me.”
Alex “Jay” Balan, Bitdefender’s Chief Security Researcher, begs to differ. “Internet of Things is not optional,” he said here at RSA. “It’s not the user’s choice. Everything is becoming smart.”
Every network printer is an IoT device, he pointed out. “People believe that the printer is secure because it’s a physical box. I can take the paper out, and nobody can print. But in reality, anyone on the network can access the printer, and most have a management console without a password.”
Getting access to every document a printer ever printed doesn’t even require an exploit, because the functionality is simply present and available.
Looking at the weaknesses of IoT devices, Balan noted that most run BusyBox for their operating system. That’s a stripped-down version of Linux that fits in 3MB. And the code itself is typically written as a web service. However, the coders don’t think of security the way they would when literally making a service available on the web. “On IoT, the code sucks,” said Balan. “It’s poorly written.”
Modern operating systems defeat a ton of possible attacks by using ASLR (Address Space Layout Randomization). Using it is as simple as checking a box when compiling the code, but IoT coders skip this useful precaution because it puts a drag on performance.
So Many Vulnerabilities
For his talk at RSA, Balan planned a deep dive into the vulnerabilities of a simple IP camera. However, the field was so rich he wound up digging into four devices—cameras from Tenvis, Geenker, Keekoon, and Reolink. In every case, Balan and his team found multiple significant security flaws.
For example, they found they could execute arbitrary code on some devices by overloading the password field, or using a special character in another field. Typically this let them open a remote shell, meaning they would have full control over the device’s operating system. Some of the devices hard-coded the username and password needed for management. In short, they found security holes you could drive a truck through.
Like most responsible research groups, Bitdefender has a 90-day disclosure policy. That is, they notify a company of flaws found in its product and give the company 90 days to address the problem before going public. They did so for the four products addressed in Balan’s talk. And all four companies ignored them.
Balan described one case in which a secure hardware company complained that they had gone through a security audit, so Bitdefender’s research showing security holes must be wrong.
“Somebody ripped them off,” said Balan. For IoT devices, penetration testing has to include more than just hitting the device with known exploits.
“Known exploits don’t help here,” he continued. “There are just too many of them. Only 10 to 15 percent of IoT exploits even get registered. You have to dig into the device and perform testing by hand.”
So how do you know if your internet-aware camera, toaster, or garage door is secure? One way is to have a team like Balan’s put it to the test. But that’s not the only way. “Look for a bug bounty program,” explained Balan. “If you find a bug bounty program, and the company has a system for automatic updates, you’re pretty much safe.”