Internet of Things – Friend or Foe?

An Introduction: How Did We Get into This Situation?

By Phill ‘Sherlock’ Shade (Merlion’s Keep Consulting / SCOS Software)

Internet of Things (IoT) devices are ubiquitous. From lightbulbs, NEST devices and WEMO to Z-Wave and even Bluetooth-driven gadgets, they are often thought of as cool toys or simply a convenience. Unfortunately, as the Mirai IoT Distributed Denial of Service (DDoS) botnet showed in 2017, they are also the new frontier for exploitation.

How did we reach this point? Was it by design or simply an oversight? Let’s take a look:

Personal research and experience have allowed me to distill my observations of IoT device issues and vulnerabilities into six general categories:

  1. Competing and incompatible standards
  2. Lack of meaningful regulatory oversight
  3. No or very weak encryption
  4. Lack of password security or hardcoded default passwords
  5. The perception that ‘ease of use’ means there is nothing to worry about, caused by a lack of awareness, education and documentation of IoT device security
  6. Overly complicated instructions and interfaces or, worse, lack of control over device operation

Let’s examine each of these in greater detail:

  1. Competing and incompatible standards

Figure 1: Sample IoT competing standards

Figure 1 shows just a sample of the standards and wireless technologies used in the IoT industry. A casual study of these standards reveals that they are spread across numerous radio frequencies (RF) and employ a mix of spread spectrum technologies and modulations that are in many cases incompatible.

Take, for example, IEEE 802.15 Bluetooth, IEEE 802.15.4 ZigBee and Home RF, the technologies used in Nest devices, Philips Hue lightbulbs, cloud cameras and even WiFi-enabled door locks (figure 2).

Figure 2: Sample ZigBee and Home RF enabled devices

While all three of the previously mentioned technologies utilize the 2.4 GHz ISM band, Bluetooth and ZigBee employ Frequency Hopping Spread Spectrum (FHSS) technology and Home RF employs Orthogonal Frequency Division Multiplexing (OFDM). These technologies are completely incompatible and, when located too closely together, are the source of numerous performance issues, customer stress and, in the case of cloud cameras, even security issues as cameras go offline due to interference generated by Bluetooth or ZigBee devices.

Another pair of technologies, Z-Wave and RFID, used in everything from medical equipment to personal identification devices and inventory control mechanisms, use very different modulation techniques yet, depending on the country, also share overlapping frequency ranges, especially in the 865.2 – 926 MHz range (figure 3).

Figure 3: Sample Z-Wave IoT enabled devices

An experienced and network-savvy user will be able to figure out many of these issues and, to an extent, compensate for them through placement and/or alternative technology purchases; the rest of us are left with few options other than expensive outside help. The logical inference is, of course, to develop a set of unified standards that emphasize compatibility and are designed to prevent interoperability issues. Many equipment manufacturers are, of course, opposed to this idea, as it would force them to incur significant costs in terms of redesign and new marketing and advertising campaigns, and they therefore prefer the current industry ideal of ‘self-regulation’. Unfortunately, this leads into the next issue that I perceive to be of critical importance: lack of regulatory oversight.

  2. Lack of meaningful regulatory oversight

Very similar to many of the already implemented wireless technologies, many IoT-enabled devices by design operate in various internationally unregulated frequency bands such as the Industrial, Scientific and Medical band (ISM – 2.4 GHz), the Unlicensed National Information Infrastructure band (U-NII) and the various frequencies utilized by RFID. Several of these frequency ranges are unregulated by design, whereas others, particularly RFID, are heavily regulated within individual countries (figure 4).

Figure 4: A sample of regulations affecting the UHF RFID frequency bands

To further complicate the issue of regulation, many IoT devices fall under multiple, sometimes conflicting regulatory agencies. In the United States, for example, a device may fall under the jurisdiction of the Federal Communications Commission (FCC) or the federal toy safety standard, ASTM F963-16, just to cite two jurisdictions. As previously mentioned, the obvious solution is some form of international regulation similar in scope to that of the Internet Corporation for Assigned Names and Numbers (ICANN) or the Internet Engineering Task Force (IETF). Whether or not we can induce sufficient industry and international interest and cooperation remains to be seen, however.

  3. No or very weak encryption

Perhaps the most crippling security issue facing IoT-enabled devices is, in my opinion, the lack of data security, not only at the storage location but also in the mechanisms used to transfer both the data and the control information to and from the devices; i.e. the substantial lack of encryption. Far from being just an IoT issue, this is of course an issue throughout the entire IT world, but let’s address just the IoT aspects.

While some technologies and devices do, of course, employ basic data encryption (Bluetooth, for example), the majority do not. One of many examples, shown in figures 5 and 6, reveals that there is a significant amount of data that can be accessed with little or no skill.

Figure 5: Sample IoT device Set

Figure 6: A simple packet capture taken with Wireshark of the data exchange

Within the IT security world, it is a known fact that ALL data has value to someone. There is in fact a thriving industry, both legitimate and otherwise, based upon acquiring as much personal data as possible. The answer is obviously to require that not only the communication mechanisms but also the archived data be encrypted and protected. This issue, the lack of meaningful encryption, is closely related to the previously mentioned lack of meaningful regulatory oversight, as well as to the lack of unified standards and specifications in an industry that stresses self-regulation. Countless examples in the media have unfortunately shown that the effectiveness of this approach is lacking.

  4. Lack of password security or hardcoded default passwords

Closely related to this issue, the lack of effective password security and the extensive use of default and hardcoded passwords has left the door open for massive exploitation, as the Mirai DDoS botnet attacks of 2017 showed. The building of the botnet, as the investigation revealed, was made possible by this very issue, as the attackers relied primarily on these defaults, as shown in figure 7.

Figure 7: Sample IoT enabled default passwords exploited by the Mirai attacks

The author encountered this issue as well recently, when he received a new piece of Z-Wave-enabled medical equipment. Examination of the device, which was designed to send data to a doctor, showed not only that the data was unencrypted in transit but also that the system had no provision for password protection (figure 8).

Figure 8: Author’s CPAP machine and attached Z-Wave device

  5. The perception that ‘ease of use’ means there is nothing to worry about, caused by a lack of awareness, education and documentation of IoT device security

  6. Overly complicated instructions and interfaces or, worse, lack of control over device operation

Both of the issues mentioned above are very closely related. Many of the IoT devices available for sale feature the phrase ‘ease of use’ or ‘easy to use’ in the product description. Apparently, this is meant to imply that the user has very little to worry about while using the device. Unfortunately, many users automatically assume that this means they are safe from security-related threats as well. As numerous examples have shown, this is far from the case, but many manufacturers are reluctant to add security warnings to the plethora of physical and electrical warnings already required by various laws. Again, this comes back to the previously mentioned need for unified regulations and oversight. The alternative, meaningful efforts towards end-user education and information releases, has so far failed to materialize until after some type of public incident or breach.

The examples mentioned and briefly discussed provide an overview of what, in the author’s opinion, are some of the significant issues facing the rapidly growing IoT industry. While not exhaustive, they are intended to make the reader think and, most importantly, ask questions about and research the IoT devices they already own or are thinking of acquiring.