One of the ‘subplots’ of the Internet of Things revolution concerns embedded devices. Specifically: the tendency of embedded devices to be either loosely managed or – in some cases – unmanageable.
The future holds the promise of more, not fewer, of these. That’s the gist of a piece I wrote for InfoWorld, and that you can read here.
In short: we’re already seeing the beginning of a shift in the threat landscape. While attacks against traditional endpoints (like Windows desktops, laptops and servers) are still the norm, there are more stories each day about cyber criminal groups and malicious actors who are compromising non-standard endpoints like home Wi-Fi routers. In March, for example, the security consultancy Team Cymru identified a botnet consisting of some 300,000 compromised home routers and other in-home devices. The virus called “TheMoon” was also identified spreading between vulnerable home routers and other embedded devices.
The truth is most of these devices have been getting by on ‘security through obscurity.’ With a wealth of vulnerable Windows systems, in other words, what self-respecting cyber criminal would waste his or her time trying to crack some arcane embedded OS or hardened Linux distribution?
But these days, Windows is harder to hack, while attackers have gotten hip to the fact that embedded devices often don’t need to be hacked at all; many come with hard-coded administrative accounts and little in the way of built-in security features or logging that will allow administrators to recognize when something’s gone amiss.
Individually, these don’t amount to much. But, writing in April, the firm IOActive warned that millions of vulnerable broadband routers deployed in homes and small businesses could add up to a big problem for the Internet Service Providers to which they’re connected and, by extension, to society at large.
Writing on the IOActive blog, researchers Ehab Hussein and Sofiane Talmat say that millions of home routers and gateways are vulnerable to trivial attacks. Those devices could be harnessed by cyber criminal groups, state-backed actors or hacktivists for malware distribution, spam or crippling denial of service attacks on the ISPs that manage the devices.
And, speaking at our recent Security of Things Forum, In-Q-Tel CSO Dan Geer warned that the proliferation of smart, embedded devices that are both long-lived and unmanageable creates the conditions for massive disruption. That disruption would come if flaws and other exploitable vulnerabilities in common components used across commercial environments and critical infrastructure lead to what he terms “common mode” failures and crippling cyber attacks.
Such systems — smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — may be of negligible importance individually, but already pose a serious threat “at scale,” Geer warned.
“That combination — long-lived and not reachable — is the trend that must be dealt with, possibly even reversed,” Geer said.