The Internet of Things

Cody Shultz
May 21, 2021

By Cody Shultz and Alec Harris

When the internet was first conceived, devices were identified for routing traffic by what are known as internet protocol (IP) addresses. At its inception in the late 1970s, IPv4 addressing offered the astounding capacity of 2^32 (4.3 billion) unique addresses. After twenty years the internet was already running out of addresses, and the explosion of connectivity and the ubiquity of network-connected devices, the “Internet of Things” (“IoT”), spelled trouble. Enter IPv6, with its ability to support 2^128 unique addresses. In terrestrial terms, that’s enough for each atom on Earth to have its own IP address and still have enough IP addresses for each atom on another 100 Earths.[1]

With the expansion of capacity comes an unchecked rush to put every object online. As my colleague Alec Harris notes, “there used to be an actual separation between cyberspace and ‘meat space’; not so much anymore. If the Pet Rock came out today, it would be IoT enabled.”

IoT is hard to escape. When you close your laptop at night dozens of “convenient and benign” devices still run in the background…unmonitored. Every connected device is a potential attack vector. In the modern smart home, you might have internet-connected cameras, home alarms, light switches, speakers, appliances, and children’s toys.

Wi-Fi enabled light switches may seem like the most innocuous IoT devices, but consider the implications. The average American consumer has a single home network, so these light switches sit on the same subnet as the rest of your devices (e.g., your laptop or cell phone). They can talk to each other and, thus, to the internet.

Do you think the manufacturer of your $7.00 device spent significant resources or time developing secure firmware, encryption, or device security updates? Unlikely. If the device was created as malware, or as the less offensive-sounding but just as dangerous AdTech, then you not only voluntarily placed that device on your home network, you paid for the privilege.

Security researchers from ESET IoT Research found, for example, that some smart home hubs[2] allowed “an attacker to perform unauthenticated remote code execution as root user.”[3] This vulnerability lets adversaries take control of the compromised device and, from there, access other connected devices on the same network.

Yet not all security risks with the IoT are due to sinister design or flawed software code; some have simply evolved into significant risks. As Lauren Bridges wrote in her article for The Guardian, “Ring video doorbells…pose a serious threat to a free and democratic society…What’s more, once Ring users agree to release video content to law enforcement, there is no way to revoke access and few limitations on how that content can be used, stored, and with whom it can be shared. Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen.”[4]

It may seem unlikely that your specific device would be targeted, but consider Shodan.io, the website that says it allows users “to discover which of your devices are connected to the internet, where they are located, and who is using them.”[5] It’s easy to see the utility for some ill-intentioned third party to locate that one unprotected “smart” device on your network that grants them access.

There are mitigation strategies, though. Keep these tips in mind as you start plugging more devices into your electrical outlets and your home network.

· Your coffee maker has no need to talk to the internet, and you don’t need Twitter on your fridge. Buy a different model.

· Set up your home network with at least two separate local area networks (“LANs”). The more segmentation the better, but at least have one LAN for IoT and another for devices that need connections (e.g., phones, laptops, tablets).

· Aggressively configure your home firewall. Disallow all inbound connection requests, excluding return traffic for connections that originate from an internal source, such as when your laptop talks out to a website.

· Tag everything on your home network. If you know what everything is, it’s significantly easier to identify a rogue device.

· Downsize. Fewer devices equal fewer attack vectors.

· Keep your devices updated with the latest firmware and security patches.

· Create all IoT device accounts anonymously with throwaway credentials. In the event of a device compromise, you don’t want to have to deal with identity theft on top of it.
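
The segmentation and tagging tips above can be checked together. This added example (not from the original article) compares a gateway's neighbor table against a tagged inventory and reports untagged devices and tagged devices that show up on the wrong LAN. The MAC addresses, tags, subnets, interface names and the `ip neigh show` sample are all constructed assumptions.

```python
import ipaddress
import re

# Constructed inventory: MAC -> (tag, LAN it belongs on). All values are made up.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("work-laptop", "trusted"),
    "aa:bb:cc:00:10:01": ("hallway-light-switch", "iot"),
    "aa:bb:cc:00:10:02": ("doorbell-camera", "iot"),
}
# Assumed addressing plan for the two LANs.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.10.21 dev br-lan lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.20.31 dev br-iot lladdr aa:bb:cc:00:10:01 REACHABLE
192.168.10.40 dev br-lan lladdr aa:bb:cc:00:10:02 REACHABLE
192.168.20.77 dev br-iot lladdr de:ad:be:ef:00:99 STALE
192.168.20.80 dev br-iot  FAILED
"""
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\b")


def segment_of(ip):
    """Return the name of the LAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def audit(neigh_text, inventory=INVENTORY):
    """List untagged devices and tagged devices seen on the wrong LAN."""
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries have no MAC to match
        ip, mac = m.group(1), m.group(2).lower()
        seen_on = segment_of(ip)
        if mac not in inventory:
            findings.append(("UNTAGGED", mac, ip, seen_on))
        elif inventory[mac][1] != seen_on:
            findings.append(("WRONG_SEGMENT", inventory[mac][0], ip, seen_on))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH):
        print(finding)
```

On the sample data, the doorbell camera is reported because it appears on the trusted LAN instead of the IoT LAN, and the one MAC with no tag is reported as a possible rogue device.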

[1] Mark Goodman, Future Crimes, p. 287

[2] Hardware devices that allow multiple smart home devices from different manufacturers to communicate with each other.

[3] https://www.welivesecurity.com/2020/04/22/serious-flaws-smart-home-hubs-is-your-device-among-them/

[4] https://amp-theguardian-com.cdn.ampproject.org/c/s/amp.theguardian.com/commentisfree/2021/may/18/amazon-ring-largest-civilian-surveillance-network-us

[5] https://www.shodan.io/


Cody Shultz

I am a former CIA officer who specializes in reputation and identity management for ultra-high net worth individuals and family offices.