A lot of stats and figures point towards a future in which we will have somewhere between 30 billion and 50 billion internet-connected ‘devices’ in a few decades. A lot of these connections come from everyday objects that are slowly becoming mini-computers. Everything from your coffee maker to your garage door will go online. This generates a huge potential for coming up with new models, services, and ways for us to interact with these objects. However, it also poses a problem: increased vulnerability through an internet of unmaintained things.
And it’s already happening today. Security firm Proofpoint found that more than 100,000 smart devices–including a connected refrigerator–were used to send out more than 750,000 malicious emails between Dec. 23, 2013 and Jan. 6, 2014. Other embedded systems that got hacked included gadgets, routers, media servers and televisions. Of course we humans are part of the problem. Hackers were able to access most of the gadgets because default passwords left the electronic devices exposed on public networks. This is something you can find out for yourself by playing around with Shodan, for instance. Shodan is like a Google for objects that are connected to the web. It may not come as a surprise to you, but a search on “default password” delivers some interesting results. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them — including some of the most popular and common brands.
This stuff is becoming more relevant every day, with every new connection to the web and every piece of computing that gets embedded into hardware.
Wildly Insecure — And Often Unpatchable
In an article for Wired, Bruce Schneier, the Chief Technology Officer of Co3 Systems and security expert, rings the alarm bell, saying we’re at a crisis point now with regard to the security of embedded systems, because they are riddled with vulnerabilities, and there’s no good way to patch them: “These systems are powered by specialized computer chips. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary. The system manufacturers — usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product — choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.”
His argument is that there is not enough incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority. And this leaves users with a lot of insecure and connected pieces of hardware, making us increasingly vulnerable to hackers and other “bad guys”.
Should we program devices with a self-destruct button?
And while companies might know how to deal with security, the internet of things is also about regular consumers. The personal internet of things is about wearable computing, smart homes, connected cars and maybe even about computing ending up in your body for medical reasons. We could program embedded devices to automatically update or to at least demand a firmware upgrade every few years. Of course, this too becomes a problem if the company that made these devices no longer wants to patch them, as Schneier points out.
Another way to approach this problem is proposed by Dan Geer, a well-respected security researcher who also serves as chief security officer at the Central Intelligence Agency’s venture firm In-Q-Tel. One way to reduce the danger, Geer says, is to build devices that will eventually die. As things like thermostats and lightbulbs and smart trashcans come online and are expected to last much longer than a PC or a phone, maybe we need to design them to sign off at the point where they’re no longer supported with software patches. Geer also argues that open source could be a solution: “When a product hits its end-of-life, the company that made it should release it as open-source software, so that there’s at least a chance that it can be patched and updated.”
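To make the last two ideas concrete, here is a sketch of a firmware lifecycle check that demands an upgrade after a while and signs the device off the network once support ends. It is an added example, not code from Schneier, Geer or any vendor; the struct, function names, two-year threshold and dates are all assumptions, and signature verification of the firmware manifest is assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>

#define YEAR (365ULL * 24 * 60 * 60)

/* Hypothetical policy states and fields; none of these names come from a real SDK. */
enum net_state { NET_NORMAL, NET_UPGRADE_REQUIRED, NET_SIGNED_OFF };

struct lifecycle {
    uint64_t support_end;     /* epoch s, from the vendor-signed firmware manifest */
    uint64_t last_upgrade;    /* epoch s of the last verified firmware upgrade */
    uint64_t max_upgrade_age; /* demand an upgrade after this many seconds */
    uint64_t latest_seen;     /* highest time ever observed, kept in flash */
};

/* Time only moves forward: a reset or wound-back clock (dead RTC battery,
 * spoofed time) must not revive a device that has passed end of support. */
static uint64_t trusted_now(struct lifecycle *lc, uint64_t clock_now)
{
    if (lc->latest_seen < lc->last_upgrade) lc->latest_seen = lc->last_upgrade;
    if (lc->latest_seen < clock_now) lc->latest_seen = clock_now;
    return lc->latest_seen;
}

/* Decide at boot (and periodically) whether network services may run. */
enum net_state lifecycle_check(struct lifecycle *lc, uint64_t clock_now)
{
    uint64_t now = trusted_now(lc, clock_now);
    if (now >= lc->support_end) return NET_SIGNED_OFF;
    if (now - lc->last_upgrade > lc->max_upgrade_age) return NET_UPGRADE_REQUIRED;
    return NET_NORMAL;
}

/* Called after an upgrade's signature has been verified (not shown here). */
void lifecycle_upgraded(struct lifecycle *lc, uint64_t clock_now, uint64_t new_support_end)
{
    lc->last_upgrade = trusted_now(lc, clock_now);
    lc->support_end = new_support_end;
}

int main(void)
{
    /* Constructed sample: built 2014-01-01, supported until 2019-01-01. */
    struct lifecycle lc = { 1546300800ULL, 1388534400ULL, 2 * YEAR, 0 };
    printf("%d\n", lifecycle_check(&lc, 1420070400ULL)); /* 2015-01-01 */
    printf("%d\n", lifecycle_check(&lc, 1483228800ULL)); /* 2017-01-01 */
    printf("%d\n", lifecycle_check(&lc, 1577836800ULL)); /* 2020-01-01 */
    printf("%d\n", lifecycle_check(&lc, 0));             /* clock reset */
    return 0;
}
```

The persisted `latest_seen` value is what keeps the sign-off meaningful on cheap hardware without a reliable clock: once the device has seen a date past its support window, rebooting it with the clock at zero does not bring its network services back.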
We do not want to build an internet of insecure things. Since we have such a large High-Tech and Security community here at Sogeti, I wonder what their point of view on this is. Please share any thoughts in the comments.