Page 10
www.us-
tech.com
TechWaTch
Potential Security Risks and Dangers of the Internet of Things
By Joseph Zulick, Writer and Manager, MRO Electric and Supply T
he Internet of Things (IoT) is the result of the inevitable rev- olution of networking common-
ly used essential items and appli- ance, such as refrigerators, light switches, cameras, sensors, and oth- er forms of hardware. Even some toothbrushes have network function- ality through Bluetooth. The term IoT device typically
refers to a class of computers known as “embedded devices.” This may in- clude routers or Wi-Fi access points. Embedded devices typically run some form of Linux-based operating system, based on a utility called “Busybox.” This is a multi-call binary that contains all necessary, stan- dardized posix-compliant core utili- ties (Linux “coreutils”). From smartphones to smart
TVs to smart houses, which comprise a variety of networked devices and are typically managed by a single management console, these systems all share one common denominator —
they are connected to the internet to allow the user to remotely control them. The idea is to make our lives easier.
Mission Impossible: Securing Embedded Devices
Imagine running late one morn-
ing, speeding to the airport to catch a flight. Imagine suddenly realizing that the heat is on at home. If the thermostat is networked, then it is possible to shut down the heater us- ing a smartphone. Sounds great, right? What could possibly go wrong? The most common, glaring, and
detrimental issue with IoT devices is that more often than not, manufac- turers attempt to secure their prod- ucts remote management interface by using non-unique, default and of- tentimes well-known credentials. These interfaces are typically ac- cessed over one of three protocols: telnet, secure-shell (SSH) and HTTP (a web panel).
So why are OEMs still using tel-
net? To understand why IoT devices tend to err when it comes to IT secu- rity, it is important to understand the inherent constraints of embedded device software development — of which there are many. Typically speaking, IoT device
operating systems reside on tiny flash storage drives. There is not very much space to work with. Four megabytes is common with routers and security cameras. Compiling the smallest pos- sible size binary is often the pri- mary concern when developing software for these systems. This limits a developer’s
ability to provide security fea- tures, and makes updating the sys- tem very difficult, if not impossible. In contrast to security solutions available for more powerful ma- chines, such as servers and personal computers, there are very few solu- tions available for IoT devices. A few years ago, I began work-
Quality Solutions for Complex EMI/RFI and EMC Filter Requirements
ing with the open source community to help solve this issue, by creating a fork of the aforementioned program “Busybox.” Our fork was deviously named “Busybotnet,” because to this day, embedded systems are constant- ly compromised and repurposed for malicious use as they become part of a “botnet” — a network of compro- mised computers controlled by an at- tacker, commonly used to carry out nefarious attacks over the internet, such as distributed denial of service (DDOS) attacks. In addition to storage con-
straints, IoT/embedded devices often suffer the following vulnerabilities:
l Nonexistent or irregular security
updates. It is typical for an IoT de- vice, such as a wireless access point, to run the same version of the operat- ing system that it shipped with for the duration of its lifecycle.
l IoT devices are often deployed re-
motely. Circumvention of firewalls during deployment commonly leaves these devices exposed to the entire in- ternet, instead of being protected by a proper firewall.
l Longer lifecycles can leave devices
Turn-key and fully integrated approach to design and fabrication of precision electronic components, assemblies and subsystems.
High reliability multi-circuit and discreet feed-through (F/T) input, output, power aerospace applications. WEMS is AS9100D and ISO 9001:2015 registered.
www.wems.com
vulnerable to flaws that have not yet been discovered. It is already chal- lenging to protect these systems against currently known threats.
l Replication — once a particular
model of a device is exploited, there is nothing stopping the attacker from hacking into all other devices of the same variant that are accessible through the internet.
Brute-Force Attack In 2015, someone (who is not me)
ran a brute-force credential harvest- ing attack against a list of random tel-
net devices. They were found on shodan, which is a search engine of sorts. Rather than searching and in- dexing websites for content, search- able through keywords, shodan index- es all of the devices and services that they are running, which are accessible on the public internet. At the time of writing, there are 5,863,528 devices listed on shodan that are running some sort of shodan interface. Also, shodan publishes around two percent of its data. That means
“Telnet is dead. Long live telnet!” — Anonymous
that there are potentially around 250,000,000 devices publicly accessi- ble on the internet. These days, virtu- ally all telnet services are run on em- bedded systems, as telnet as been ob- soleted in favor of the more secure pro- tocal known as secure-shell or SSH. Interestingly, this figure has
not changed over the last few years. In 2015, I ran a port scan of the en- tire internet searching for telnet de- vices. There were approximately 250,000,000 of them. I mention this to help demonstrate that many of the security issues IoT devices suffer to- day have not, and probably will not change in the years to come. So, when someone (who is not
me) was running that brute force at- tack in 2015, they managed to obtain root access to a TP-Link brand wire- less router located in Ukraine. The password was “5up” — just three characters long. The hacker’s first thought was “I wonder how many of these things are out there?” As it turns out, this was the de-
fault root password for every single router of this particular variant. Af- ter extensive scanning, 50,000 more of these devices were discovered. This is before the infamous Mirai botnet, which brought into the spot- light glaring implications of IoT OEMs reusing default passwords. The most pressing issues con-
cerning the Internet of Things are the same issues that have been around for decades. Reuse of default credentials,
failure to provide
firmware updates in a timely or sen- sible manner, and network miscon- figuration will continue to plague the global networking ecosystem. IoT de- vices may be small, but if not proper- ly secured, they can be the single point of failure that takes down an
entire digital empire. Contact: MRO Electric and Sup-
ply Company, Inc., 1652 Old Apex Road, Cary, NC 27513 % 724-504-1339 E-mail:
jzulick@mroelectric.com Web:
www.mroelectric.com r
December, 2019
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68 |
Page 69 |
Page 70 |
Page 71 |
Page 72 |
Page 73 |
Page 74 |
Page 75 |
Page 76 |
Page 77 |
Page 78 |
Page 79 |
Page 80 |
Page 81 |
Page 82 |
Page 83 |
Page 84 |
Page 85 |
Page 86 |
Page 87 |
Page 88 |
Page 89 |
Page 90 |
Page 91 |
Page 92
