The “internet of things,” often referred to in its abbreviated form of IoT, is the result of the inevitable networking of commonly used essential items and appliances, such as refrigerators, light switches, cameras, sensors, and other forms of hardware. Even my toothbrush has network functionality via Bluetooth.
The term “IoT device” typically references a class of computers known as “embedded devices” — the router or Wi-Fi access point that you used to download this document is probably an embedded device.
Embedded devices typically run some form of Linux based operating system based on a utility called “Busybox,” which is a multicall binary that contains all of necessary, standardized POSIX-compliant core utilities (aka Linux “coreutils”).
From smartphones to smart TVs to smart houses, which are made up of a variety of networked devices and typically managed by a single management console, these systems all share one common denominator: they are connected to the internet to allow the user to remotely control them. The idea is to make our lives easier.
The Case for Networking Everything
Imagine you are running late one morning, speeding to the airport to catch a flight. You suddenly realize that you forgot to turn off the heat back at home.
If your thermostat is networked, then you can remotely shut down the heater using your smartphone. Sounds great, right? What could possibly go wrong?
Mission Impossible — Securing Embedded/IoT Devices
“Telnet is dead. Long live telnet!” – Anonymous
I spent the better part of 2015-17 researching security vulnerabilities and developing exploits for embedded devices. The most common, glaring, and detrimental issue with IoT devices that I encountered is that, more often than not, manufacturers (also known as OEMs) attempt to secure their products remote management interface by using non-unique, default, and often well-known credentials.
These interfaces are typically accessed over one of three protocols: telnet, secure-shell (ssh), and HTTP (a web panel).
If you have any experience with IT security, you’re probably wondering why OEMs are still using telnet. This is a good question indeed.
To understand why IoT devices tend to err when it comes to IT security, one must understand the inherent constraints of embedded device software development — of which there are many. Typically speaking, IoT devices’ operating systems reside on tiny flash storage drives.
Thus, there is not very much storage space to work with — 4 megabytes is common with routers and security cameras.
Alas, compiling the smallest possible size binary is often the primary concern when developing software for these systems. This limits a developer’s ability to provide security features and makes updating the system very difficult, if not impossible.
In contrast to security solutions available for more powerful machines such as servers and personal computers, there are very few solutions available for IoT devices. This was the case when I first began developing malware for routers in 2014, and this is still the case today. Frankly, I do not believe that this situation will change any time soon.
A couple of years ago, I began working with the open-source community to help solve this issue by creating a fork of the aforementioned program Busybox.
Our fork was deviously named “Busybotnet” because to this very day, embedded systems are constantly compromised and repurposed for malicious use as they become part of a “Botnet” — a network of compromised computers controlled by an attacker, commonly used to carry out nefarious attacks over the internet, such as distributed denial of service (DDOS) attacks.
In addition to storage constraints; IoT/embedded devices often suffer the following vulnerabilities:
Nonexistent or irregular security updates. It is typical for an IoT device; let’s say a wireless access point, to run the same version of the operating system that it shipped out with for the duration of its life cycle.
Even smartphones notoriously suffer from this problem (Certain OEMs like Google and Oneplus are better at issuing updates to handsets than others, such as Samsung and LTE).
IoT devices are often deployed remotely. Circumvention of firewalls during deployment commonly leaves these devices exposed to the entire internet instead of being protected by a proper firewall or even NAT.
Longer life cycles potentially (or rather, usually) leave devices vulnerable to flaws that have not yet been discovered. It is already challenging enough to protect these systems against currently known threats.
Replication: Once a particular model of a device is exploited, there’s nothing stopping the attacker from hacking into all of the other devices of the same variant that are accessible on the Internet.
Examples From Personal Experience
To better illustrate the security issues that IoT devices have and continue to suffer, l will share some of my personal experiences with IoT operational security.
In 2015, someone who is not me ran a brute-force credential harvesting attack against a list of random telnet devices.
They were found on Shodan, which is a search engine of sorts — rather than searching and indexing websites for content, searchable via keywords, Shodan indexes all of the devices and the services that they are running which are accessible on the public internet. As of this moment, there are 5,863,528 devices listed on Shodan that are running some sort of telnet interface.
Did I mention that Shodan publishes about 2% of its data? That means that are potentially around 250,000,000 devices publicly accessible on the internet at this very moment, and these days, virtually all telnet services are ran on embedded systems, as telnet has been obsoleted in favor of the more secure protocol known as SSH.
Interestingly, this figure has not changed over the last few years. In 2015, I ran a port scan of the entire internet searching for telnet devices, and if I recall correctly, there were approximately 250 million of them.
I mention this to help demonstrate that many of the security issues IoT devices suffer today have not, and probably will not change in the years to come.
Anyway, when someone who isn’t me was running that brute-force attack back in 2015, they managed to obtain root access to a TP-Link brand wireless router located in the Ukraine. The password was “5up” — just three characters long. Their first thought was, “I wonder how many of these things are out there...?”
As it turns out, this was (and continues to be in certain cases) the default root password for every single router of this particular variant. After extensive scanning, 50,000 more of these devices were discovered! This is before the infamous “Mirai” botnet, which brought the glaring implications of IoT OEMs’ practice of reusing default passwords into the spotlight.
After much blood, sweat, and tears, the character of this story managed to create a botnet of his own using these 50,000 routers.
All of this was possible because the manufacturer was too lazy to set individual, unique passwords on its devices. He maintained this botnet for a couple of years until finally the ISP that owned the routers upgraded its infrastructure and took these devices down.
Conclusion
There are far too many issues concerning IoT devices to detail them all here. However, the most pressing issues concerning the Internet of Things are the same issues that embedded devices have suffered for decades: Reuse of default credentials; failure to provide firmware updates in a timely or sensible manner; and network misconfiguration. They will continue to plague the global networking ecosystem for years to come.
When IoT devices are compromised, they often are used as pivoting points, or proxies to access all the other devices which may exist on a residential or commercial LAN (local area network).
This is one of many reasons not to neglect the security of your “smaller” devices. If someone breaks into your printer, their next likely target will be your personal computer or mobile device.
To better understand the implications of bad IoT security, read about the Mirai botnet, which caused upwards of hundreds of millions of dollars in damages to IT companies.
IoT devices may be small, and we often don’t think about them when considering the security of our networks. But if not properly secured, they can be the single point of failure which eventually takes down your entire digital framework.