Consumer IoT devices are not sufficiently secured
Computers have become smaller, faster and cheaper, which makes it possible to build them into all kinds of consumer devices. These so-called “smart” devices are proliferating, and much of their popularity comes from ease of use: they are operated from a smartphone, or they quietly perform automated tasks on their own. However, these Internet of Things (IoT) consumer devices are often insufficiently secured against cyberattacks. Qbit (Eurofins Cyber Security, Netherlands) has already shown through penetration tests (pen tests) on printers, baby monitors and smart watches that such devices often contain obvious and severe vulnerabilities.
Many of these devices, and others, lack even basic security measures. While most websites now enforce encryption through HTTPS, on IoT devices it is common to see plaintext traffic containing sensitive information, including passwords. On several devices, access control is easy to bypass or absent altogether. Simple and obvious attacks can result in complete compromise of the device.
For example, in 2016 the Mirai botnet infected hundreds of thousands of IoT devices. The malware spread like a worm: each infected device scanned for and attempted to infect other devices. It got in by logging in with default credentials on internet-connected devices, typically over telnet, trying username “admin” with password “admin” and a list of other factory-default combinations. The infected devices were then used in distributed denial of service (DDoS) attacks, flooding targets with traffic from all of them at once.
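To make the attack concrete, the Go program below (added for this article; it is not Qbit's test code and not Mirai's) replays a default-credential dictionary against a mock telnet-style login service running in memory, first against a unit with the shared factory password and then against a unit with a password generated per device. The credential list, the "user:password" line protocol and the 12-byte password length are constructed for the example; the real Mirai dictionary was longer and it spoke actual telnet.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// defaultCreds is a short, constructed list of the kind of factory
// credentials Mirai tried; the real dictionary was much longer.
var defaultCreds = [][2]string{
	{"admin", "admin"}, {"root", "root"}, {"admin", "password"},
	{"root", "12345"}, {"admin", "1234"}, {"user", "user"},
}

// serveLogin emulates a telnet-style login service on one end of an in-memory
// pipe. Each request line is "user:password"; it answers OK or FAIL and never
// throttles, which is exactly the behaviour Mirai relied on.
func serveLogin(c net.Conn, user, pass string) {
	defer c.Close()
	r := bufio.NewReader(c)
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return // attacker gave up or disconnected
		}
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && parts[0] == user && parts[1] == pass {
			fmt.Fprintln(c, "OK")
			return
		}
		fmt.Fprintln(c, "FAIL")
	}
}

// dictionaryAttack plays the attacker: it sends every default pair over the
// connection and reports how many attempts it made and whether one succeeded.
func dictionaryAttack(c net.Conn, creds [][2]string) (attempts int, found bool) {
	r := bufio.NewReader(c)
	for _, cr := range creds {
		attempts++
		fmt.Fprintf(c, "%s:%s\n", cr[0], cr[1])
		resp, err := r.ReadString('\n')
		if err != nil {
			return attempts, false
		}
		if strings.TrimSpace(resp) == "OK" {
			return attempts, true
		}
	}
	return attempts, false
}

// attack connects a mock device configured with the given credentials to the
// attacker and runs the dictionary against it.
func attack(devUser, devPass string) (attempts int, compromised bool) {
	client, server := net.Pipe()
	go serveLogin(server, devUser, devPass)
	defer client.Close()
	return dictionaryAttack(client, defaultCreds)
}

// perDevicePassword is what a vendor should provision instead of a shared
// default: 96 random bits per unit, printed on that unit's label.
func perDevicePassword() string {
	b := make([]byte, 12)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	n, hit := attack("admin", "admin")
	fmt.Printf("factory default admin/admin: compromised=%v after %d attempts\n", hit, n)
	n, hit = attack("admin", perDevicePassword())
	fmt.Printf("per-device random password:  compromised=%v after %d attempts\n", hit, n)
}
```

The shared default falls on the first attempt, while the unit with a random per-device password survives the whole dictionary; the mock service also shows the missing control that the later requirements address, since it accepts unlimited guesses without any lockout.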
The need for regulation
It is hard for consumers to judge whether a device is secure against cyberattacks. Even consumers who take a proactive approach to cybersecurity find it difficult to select a product that resists attacks. If a device is compromised and runs malware, it typically keeps functioning normally, so the user is unaware of the problem. Because buyers cannot tell secure products from insecure ones, there is little market pressure, and presently little incentive for device vendors to improve the security of their products. Even after large-scale, well-publicized attacks, the cybersecurity of consumer devices has remained poor, showing little improvement.
The Dutch Radiocommunications Agency (Agentschap Telecom) plans to enforce regulations to secure consumer devices. By enforcing essential requirements that improve the cybersecurity of consumer IoT devices, products that lack these security measures can be kept off the market. These regulations specify minimum requirements, intended to solve the biggest issues; they are not meant to make devices completely secure, nor to restrict vendors in releasing new features and devices. The Radiocommunications Agency asked Qbit to compose a list of essential requirements for securing consumer IoT devices.
The biggest problems in IoT
Qbit researched which security measures are essential: those that offer the largest improvement in security while being easy to implement and easy to enforce. To determine the impact of each measure, we first identified the biggest problems in IoT security. The most impactful attacks involve bypassing access control, abusing unnecessary functionality such as debug ports, or exploiting known bugs in outdated software.
Incorrect access control
A consumer IoT device should only be usable by its owner, and perhaps by other people in the same household. Devices often fail to enforce this.
Sometimes access control is absent altogether, so anyone on the network can use the device. On a home network that is a limited risk, but if the device is reachable directly from the internet, potentially anyone in the world can gain access.
Another common problem is that all devices of the same model share the same password. Whoever knows the password of one device can authenticate to, and possibly compromise, every other device of that model.
Overly large attack surface
IoT devices often expose services on the network that are not strictly required for correct operation of the device. Services such as telnet, SSH, or the Android Debug Bridge (ADB) may be reachable over the network. These are not needed for normal use, but give an attacker more ways to abuse the system.
Outdated software
As vulnerabilities in software are discovered and fixed, it is important that the fixed version reaches all devices. This means that IoT devices must ship with up-to-date software, that they must have update functionality, and that vendors distribute updates whenever a vulnerability is discovered and resolved. Where updates are not installed automatically, the owner must still install them to stay secure.
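Update functionality is only an improvement if the device cannot be fed a forged or downgraded image through it. As an added example (not code from Qbit or from any vendor), the Go program below shows the check a device should run before writing an update to flash: a vendor-signed manifest binds a version number to the SHA-256 digest of the image, and the device verifies the signature with the vendor's public key, rejects versions that are not newer than the installed one, and only then compares the digest of the bytes it actually received. The manifest layout, the key handling and the image contents are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout, constructed for this example:
//   bytes 0..3   big-endian firmware version
//   bytes 4..35  SHA-256 of the firmware image
//   bytes 36..99 Ed25519 signature over bytes 0..35, made with the vendor key
const (
	signedLen   = 4 + sha256.Size
	manifestLen = signedLen + ed25519.SignatureSize
)

var (
	ErrMalformed      = errors.New("manifest has wrong length")
	ErrBadSignature   = errors.New("manifest signature does not verify against vendor key")
	ErrRollback       = errors.New("manifest version is not newer than the installed version")
	ErrDigestMismatch = errors.New("image digest does not match manifest")
)

// newVendorKeys generates the vendor's signing key pair. Only the public key
// ever leaves the vendor; it is burned into the device at manufacturing time.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signManifest runs on the vendor's build system: it binds a version number
// to the image digest and signs that binding.
func signManifest(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, signedLen, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	digest := sha256.Sum256(image)
	copy(m[4:], digest[:])
	return append(m, ed25519.Sign(priv, m)...)
}

// verifyUpdate runs on the device before anything is written to flash.
// Order matters: authenticate the manifest first, so that every later
// decision (version, digest) is based on vendor-signed data only.
func verifyUpdate(vendorPub ed25519.PublicKey, installed uint32, manifest, image []byte) (uint32, error) {
	if len(manifest) != manifestLen {
		return 0, ErrMalformed
	}
	signed, sig := manifest[:signedLen], manifest[signedLen:]
	if !ed25519.Verify(vendorPub, signed, sig) {
		return 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= installed {
		// Anti-rollback: a correctly signed but older image would reintroduce
		// vulnerabilities that the installed version already fixed.
		return 0, ErrRollback
	}
	digest := sha256.Sum256(image)
	if !bytes.Equal(digest[:], signed[4:]) {
		return 0, ErrDigestMismatch
	}
	return version, nil
}

func main() {
	vendorPub, vendorPriv := newVendorKeys()
	image := []byte("constructed firmware image v2") // stands in for the real binary
	manifest := signManifest(vendorPriv, 2, image)

	v, err := verifyUpdate(vendorPub, 1, manifest, image)
	fmt.Println("genuine update:", v, err)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	_, err = verifyUpdate(vendorPub, 1, manifest, tampered)
	fmt.Println("modified image:", err)

	_, err = verifyUpdate(vendorPub, 2, manifest, image)
	fmt.Println("replayed old version:", err)

	_, attackerPriv := newVendorKeys()
	_, err = verifyUpdate(vendorPub, 1, signManifest(attackerPriv, 3, image), image)
	fmt.Println("attacker-signed manifest:", err)
}
```

Signing a small manifest rather than the whole image keeps the signature check cheap on a constrained device, and the digest check then covers the image itself; the version field is what turns "authentic" into "authentic and not a downgrade".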
Essential security requirements
Several organizations propose security measures to address these and other IoT security problems. We evaluated security measures from well-known standards bodies and industry organizations, such as ETSI, ENISA, the IoT Security Foundation and OWASP. We scored over 400 security measures on several criteria, such as how easy the measure is to implement and to test; in addition, each measure had to address at least one of the most important security problems. After scoring, the top-ranked measures resulted in the following essential security requirements:
- All passwords must conform to the industry standard NIST SP 800-63B, Digital Identity Guidelines.
- After initial setup, passwords must be unique for each device, or defined by the user.
- Access to device functionality via a network interface in the initialised state must only be possible after authentication on that interface.
- All exposed ports and interfaces must be necessary for the normal and intended use of the device.
- All network traffic must be encrypted and authenticated using best practice encryption protocols, such as TLS.
- Vendors must be able to initiate firmware updates in IoT devices, either by automatic updates or by actively informing the user about availability of updates.
- The device must verify the authenticity and integrity of firmware updates before installing them.
- The vendor must provide clear and understandable information about the end user’s responsibilities to set up and maintain the device’s privacy and security.
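As an added illustration of the first two requirements (example code, not from Qbit or any regulator), the Go program below checks a candidate password against the SP 800-63B rules for memorized secrets (length measured in characters rather than bytes, no composition rules, every printing character accepted, rejection of blocklisted, repetitive, sequential and context-specific values) and applies the standard's limit on consecutive failed attempts. The blocklist, the 128-character upper cap, the context words and the lockout threshold used in main are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Constructed blocklist; a real device checks a breached-password corpus.
var blocklist = map[string]bool{
	"password": true, "admin": true, "letmein": true, "qwerty123": true, "welcome1": true,
}

const (
	minLen = 8   // SP 800-63B minimum for user-chosen secrets
	maxLen = 128 // SP 800-63B asks that at least 64 be accepted; this cap is an assumption
)

// checkPassword applies the SP 800-63B rules for a memorized secret and
// returns the first rule broken. context lists words the password must not
// contain, such as the username and the product name.
func checkPassword(pw string, context []string) (ok bool, reason string) {
	if !utf8.ValidString(pw) {
		return false, "not valid UTF-8"
	}
	// Count code points, not bytes, so non-ASCII passwords are not penalised.
	if n := utf8.RuneCountInString(pw); n < minLen || n > maxLen {
		return false, fmt.Sprintf("length must be %d to %d characters, got %d", minLen, maxLen, n)
	}
	// No composition rules: every printing character (including space) is allowed.
	for _, r := range pw {
		if !unicode.IsPrint(r) {
			return false, "contains a control or non-printing character"
		}
	}
	lower := strings.ToLower(pw)
	if blocklist[lower] {
		return false, "listed as a common or breached password"
	}
	if isRun(pw) {
		return false, "repetitive or sequential characters"
	}
	for _, w := range context {
		if w != "" && strings.Contains(lower, strings.ToLower(w)) {
			return false, "contains context-specific word " + w
		}
	}
	return true, ""
}

// isRun reports whether every character steps by the same amount of -1, 0 or
// +1 from the previous one, which catches "aaaaaaaa", "12345678" and "hgfedcba".
func isRun(s string) bool {
	rs := []rune(s)
	if len(rs) < 2 {
		return false
	}
	step := rs[1] - rs[0]
	if step < -1 || step > 1 {
		return false
	}
	for i := 2; i < len(rs); i++ {
		if rs[i]-rs[i-1] != step {
			return false
		}
	}
	return true
}

// LoginGuard implements the online-guessing limit of SP 800-63B section 5.2.2:
// after maxFailures consecutive failures the account is locked until the
// vendor's recovery procedure resets it.
type LoginGuard struct {
	maxFailures int
	failures    map[string]int
}

// Attempt compares in constant time (a real device stores and compares a
// salted hash) and updates the failure counter for the account.
func (g *LoginGuard) Attempt(user, submitted, stored string) (granted, locked bool) {
	if g.failures == nil {
		g.failures = map[string]int{}
	}
	if g.failures[user] >= g.maxFailures {
		return false, true
	}
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(stored)) == 1 {
		g.failures[user] = 0
		return true, false
	}
	g.failures[user]++
	return false, g.failures[user] >= g.maxFailures
}

func main() {
	ctx := []string{"admin", "SmartCam"} // username and product name
	for _, pw := range []string{"correct horse battery staple", "Password", "12345678", "smartcam2020!"} {
		ok, why := checkPassword(pw, ctx)
		fmt.Printf("%-30q ok=%v %s\n", pw, ok, why)
	}
}
```

Note what is deliberately absent: there is no requirement for digits or symbols and no periodic expiry, both of which SP 800-63B advises against; the strength comes from length, the blocklist and the attempt limit, which is also what a black-box tester can check from the outside.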
These security requirements are specific enough for vendors and regulators to agree on what implementing them means. They can be tested from a black-box perspective, so a regulator can buy a device in a store and determine whether it meets the requirements. Most importantly, they address the biggest security problems in IoT.
Attacks on IoT devices are typically not very sophisticated: using default credentials or connecting to an open port can be enough to take over a device. Many devices lack even basic security measures, so a relatively small set of requirements can already have a large effect on the overall security of IoT devices. The proposed essential security requirements provide a realistic first step towards greatly improving consumer IoT security.