Vulnerabilities Lurking Far And Wide In IoT Ecosystem

The Internet of Things (IoT) promises to revolutionize the way people live and work. But while the media’s attention is focused on high-profile Internet of Things firms like Nest, the smart-home products vendor that Google acquired for more than $3 billion last month, much of the innovation in IoT – at least in the consumer market – is a bottom-up, grass-roots phenomenon.

Zach Lanier and Mark Stanislav of Duo Security speaking at the B-Sides San Francisco event.

Quietly, the combination of ready-made components, point-and-click development environments and cloud-based back-end management tools has enabled an army of (mostly) novice developers to assemble novel, connected products for a public enraptured with the idea of using their mobile devices to control something – anything.

At the same time, crowd-funding platforms like Kickstarter and Indiegogo have given such products a way to get funded and distributed to hundreds, thousands or even tens of thousands of customers – once a monumental task.

That’s great for the nascent Internet of Things and for the public – until it isn’t. Increasingly, security experts worry that too many connected devices – and the tools to create them – lack even the most basic security features. While they break down barriers between technology consumer and technology producer, these tools and platforms may also be sowing the seeds of chaos, planting powerful, Internet connected sensors in homes and offices that are highly susceptible to attacks and compromise.

Speaking at the B-Sides San Francisco mini conference on Sunday, Mark Stanislav and Zach Lanier, both of Duo Security, said that their research into Internet of Things devices has turned up a wealth of worrying problems with IoT products and the platforms that support them.

The two identified a number of pain points for an Internet of Things marketplace that is still embryonic. Among them:

  • Hardware: The prevalence of common components poses the biggest threat to nascent IoT startups, according to Stanislav and Lanier. Inexpensive mini-computers, microcontrollers and systems on a chip (SoCs) like Raspberry Pi, Wunderbar, Sparquee, BeagleBone and Arduino have made it possible to quickly assemble powerful, portable connected devices for personal use and the mass market. In just one measure of the interest, Thomas Almholt, the hardware application manager for low-power RF products at Texas Instruments, told an audience at IOTFest on the campus of MIT on Saturday that his company has sold 100,000 of its Bluetooth Low Energy (BLE) development kits in recent months. That’s great for experimentation and will fuel a rapid expansion in the population of intelligent ‘things.’ But common platforms running common firmware could easily become fertile ground for vulnerabilities and attacks, the two warned: a single flaw in a widely shared firmware image or SDK is inherited by every product built on it. “You end up with a situation where one bug rules them all,” Lanier said.
  • Platforms: Just as commodity hardware has made it easier for hobbyists and small start-ups to create devices, a variety of development environments and platforms like Relayr provide SDKs (software development kits), APIs (application programming interfaces) and a point-and-click development environment that makes it possible for even novice developers to write applications for novel IoT devices. Unfortunately, such tools often mask the complexity of the underlying code – or hide it from the developers altogether, the two found. Applications created using tools like Relayr often transmitted verbose chunks of JavaScript – all in clear text and readable – with information that identified the device in question and the environment in which it operates, Lanier said.
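The cleartext, device-identifying payloads described under Platforms are the kind of thing a passive sniff of the home network will show. The following is an added example written for this page, not code from the Duo Security talk, Relayr or any vendor: it runs over constructed sample captures (the field names device_id, ssid, mac and firmware are assumed, not a real platform's schema) and flags every exchange that is both unencrypted and carries data identifying the device or its surroundings.

```python
"""Constructed, offline check (added for illustration; not code from the
Duo Security talk, Relayr, or any vendor) that flags unencrypted IoT
exchanges carrying device- or environment-identifying data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Capture:
    """One observed exchange, as a passive sniffer on the LAN would log it."""
    dst_port: int
    tls: bool   # True if the payload was carried inside a TLS record
    body: str   # payload as text; empty/unreadable when tls is True


# Keys that name the device or its surroundings (assumed names, not a real schema).
IDENT_KEY_RE = re.compile(
    r'["\']?\b(device_id|serial|ssid|mac|firmware)\b["\']?\s*[:=]\s*["\']?([^"\'\s,;}&]+)',
    re.IGNORECASE,
)
# A bare MAC address anywhere in the payload identifies the hardware on its own.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def exposed_identifiers(cap: Capture) -> Dict[str, str]:
    """Return {field: value} for identifying data readable on the wire.

    An empty dict means either the exchange was encrypted or the cleartext
    payload carried nothing that identifies the device or its environment.
    """
    if cap.tls:
        return {}
    found: Dict[str, str] = {}
    for key, value in IDENT_KEY_RE.findall(cap.body):
        found.setdefault(key.lower(), value)
    for mac in MAC_RE.findall(cap.body):
        if mac not in found.values():
            found.setdefault("mac", mac)
    return found


def audit(captures: List[Capture]) -> List[Tuple[int, int, Dict[str, str]]]:
    """Index, destination port and exposed fields for every leaking exchange."""
    report = []
    for i, cap in enumerate(captures):
        leaked = exposed_identifiers(cap)
        if leaked:
            report.append((i, cap.dst_port, leaked))
    return report


# Constructed sample traffic (not real captures): a config blob pushed to the
# device's web UI in the clear, the same kind of blob over TLS, a harmless
# telemetry reply, and a form-encoded check-in embedding the radio's MAC.
SAMPLE = [
    Capture(80, False,
            'var cfg = {"device_id": "hub-0042", "ssid": "HomeNet", "firmware": "1.0.3"};'),
    Capture(443, True, ""),   # payload not readable without the session keys
    Capture(80, False, '{"status": "ok", "temp": 21.5}'),
    Capture(8080, False, "id=sensor7&mac=AA:BB:CC:DD:EE:01&rssi=-61"),
]

if __name__ == "__main__":
    for idx, port, leaked in audit(SAMPLE):
        print(f"capture {idx} -> port {port}: cleartext {leaked}")
```

The check only answers the narrow question of what is readable on the wire. Moving the same payload onto TLS silences it, but an SDK that emits the Wi-Fi SSID or firmware build of every device it talks to is still over-sharing with whatever back end receives it, and nothing here says anything about what that back end stores.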

The security of third-party software components is a hot topic among application security experts. On the one hand, consumer-focused products and services like Dropbox are becoming a kind of “shadow” supply chain at many companies – software applications that are exempted from the kind of scrutiny that traditional software suppliers get (at least in theory). IoT is exacerbating this with a deep reliance on reusable, open-source components and other packaged code that can be dropped into an application and used, often with little or no consideration of security.

Builditsecure.ly is a site to help guide smart device developers in secure design principles.

To help educate the nascent IoT development community about the challenges facing IoT applications and products, Lanier and Stanislav launched a new web site, BuildItSecure.ly. Its goals are to make smart device makers ‘security conscious’ during the design and deployment of their devices, and to create an incentive for independent security research and the reporting of flaws in connected devices.