Internet of Things Zombies

Forget the IoT. Meet the IoZ: our Internet of Zombie things

The end starts slowly, and then comes all at once in most fictional depictions of the ‘zombie apocalypse’. In HBO’s The Last of Us, based on the post-apocalyptic plot of a classic video game, a mutated strain of the Cordyceps fungus turns its human hosts in to twitchy, cannibalistic zombies. Human civilization is brought to its knees in a matter of days. There’s also a quick collapse in the comic book series The Walking Dead. Then there’s Station 11, another post-apocalyptic story on HBO, adapted by the novel by Emily St. John Mandel, in which a virulent strain of influenza wipes out 99.9% of humans in the space of a couple weeks.

In reality though, disease and illness work their “magic” on human society gradually and over much longer periods of time: new diseases spread, people get sick and die, societies adapt but the disease leaves its mark.

I think that kind of slow rolling crisis that slowly undermines and weakens a system is a good image to keep in mind as we contemplate a less talked-about “zombie apocalypse:” the one that is bubbling up among our connected stuff on the fast-growing Internet of Things.

A growing drumbeat of IoZ incidents

As with other zombie invasions, this one is starting quietly: quirky, isolated incidents are making headlines here and there. They attract some attention, but little awareness of the larger, looming crisis.

The high school that will not sleep

In Massachusetts, for example, the lights at Minnechaug Regional High School have been burning nonstop since August, 2021 after lighting system software failed and the school was unable to contact the vendor, which had since been acquired, according to media reports. The issue has cost the public school in Wilbraham, near Springfield, thousands of dollars a month. Saturday Night Live even included a bit on the incident in its Weekly Update.

SNL poked fun at one recent IoZ sighting: a high school in Massachusetts that has been unable to turn off its lights.

A smart hub die off

There was the smart home hub maker Insteon, which collapsed in April, 2022, leaving thousands of customers cut off from the company’s servers and without access to many of the features of the hub they purchased. After going dark for two months, the hubs blinked online again in June of last year under new ownership, and with a new $40 annual subscription to access features of the device that were previously available at no cost, according to reports. (Though less chaotic, Samsung engineered a similar “slip out the back, jack” plan for its circa 2013 SmartThings Hub and SmartThings Link smart home devices in June, 2021, forcing users to upgrade to newer hardware.)

Pet feeders and NetCams go dark

Then there was the smart pet feeder maker PetNet, which went dark in April, 2020, citing the disruptions caused by the Coronavirus. That left its customers with non-functional devices, though , as news reports noted, the company had been struggling financially and experiencing frequent service outages for its cloud-connected pet food dispensers well before COVID-19 began spreading.

Around the same time that PetNet was nodding off, smart home device maker Belkin shut off its Wemo NetCam products, disabling its iSecurity+ video cloud service and rendering its NetCam home security cameras useless and its customers stranded without a way to access or control remote cameras.

Zombie IoT hacked back to life

More and more, the Internet is littered with abandoned IoT products and infrastructure, with dire security consequences. The security researcher Kevin Chung recently demonstrated this when he wrote about discovering and resurrecting a zombie IoT company: NYCTrainSign, an IoT start-up that sold at-home versions of the signs that hang over platforms on New York City’s subway platforms, but flamed out pre-pandemic.

After buying some zombie NYCTrainSign hardware, Chung was able to reverse engineer the software and even acquire an abandoned domain that the zombie signs communicated with. That allowed him to feed deployed sign a “malicious sign ID,” run arbitrary commands on the hardware and then register the zombie signs to his new control server.

In the case of NYCTrainSign, Chung’s goal was to give owners control of their darkened signs again. However, in the hands of a malicious actor, the situation could have played out differently. In fact, zombie devices already fuel malicious botnets like Mirai or RSOCKS, a now defunct Russian-controlled cybercriminal botnet made up of hacked industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers.

The tip of an enormous iceberg

This growing population of zombie IoT devices poses problems for consumers, as well as our economy at large. That’s because the “Internet of Things” has grown much larger and encompasses much more than just home routers, nanny cams and smart kitchen appliances.

The xIoT, or “extended Internet of Things” is a term that is sometimes used to refer to the broader ecosystem of ‘smart,’ ‘connected’ technologies that includes the Internet of Things (IoT), Industrial Internet of Things (IIoT), Network Devices, and Operational Technology (OT) systems, according to a recent report (PDF) released by the security firm Phosphorus. That ecosystem may already encompass 50 billion devices globally and is projected to grow at 20% annually.

Despite that, many device makers don’t practice secure development, with “expedited development processes (that) don’t always follow a proper software development lifecycle (SDLC) when developing their own code,” Phosphorus noted. “Security testing is often a casualty, and devices commonly ship with vulnerabilities built-in.“

Even worse, Phosphorus found in a survey of xIoT devices that more than a quarter of them – 26% – were designated “end of life” (EOL) by their manufacturer, meaning that the product was not entitled to continued hardware or software support or further updates.

“This is only the tip of the iceberg – an enormous iceberg” wrote Ming Chow, a professor of computer science at Tufts University. “Thanks to the acceptance of putting in a computer into everything, we will be seeing quite a lot more waste in the future –whether wasted energy or electronic waste in landfills, and more devices getting hacked.”

“It’s definitely a problem,” said Joe Grand (@joegrand), a legendary hardware hacker and the founder of Grand Idea Studio. “From a user perspective, the proper ‘fix’ is to not give your money to IoT vendors that require network access or reliance on their backend in order to function,” he said.

Lots of IoZ proposals, little action

The problem of abandoned software and software-powered artifacts isn’t new. Almost 10 years ago, In-Q-Tel CISO Dan Geer foresaw the IoZ problem and proposed that abandoned code bases be turned over to the open source community to maintain in perpetuity. Absent that, Geer has proposed a programmable “kill switch” with which abandoned but Internet connected devices can be taken offline, reducing the population of vulnerable devices subject to exploitation.

In the intervening years, however, there has been little movement at the state- or federal level to mandate such changes in the smart device ecosystem. The consequence: device makers of all shapes and sizes continue to roll out vulnerable software and connect devices to porous ecosystems ripe for abuse.

The recent revelations by the researcher Sam Curry (@samwcyo) about rampant flaws in the security of automobile telematics software are just one example of that. As we wrote about: Curry and a team of researchers discovered numerous, trivial flaws in telematics systems used by 16 separate car makers and powering millions of vehicles.

Curry’s work came more than seven years after Charlie Miller and Chris Valasek’s demonstration of a remote, wireless software-based attack in 2015 that saw a Jeep Wrangler controlled by a remote attacker and driven off a U.S. highway. And yet, there is still no federal cybersecurity standard for automobiles that automakers must adhere to.

Outside of the automotive industry, there is even more ample evidence of woeful security. Phosphorus’ research found that 68% of xIoT devices are operating with high-risk or critical vulnerabilities (those with CVSS scores of 8-10).

That foundational lack of security affects both IT and physical infrastructure. In June, 2022, for example, the security firm Trellix unveiled the discovery of four zero-day vulnerabilities and four previously patched (but never disclosed) vulnerabilities in HID Mercury access panels, a widely used building access system. If used, the vulnerabilities would give a remote attacker full system control over the door access system, including the ability for an attacker to remotely manipulate door locks.

Uncle Sam (kind of) focusing on cyber safety

There has been some response from the federal government. A law signed in late 2020 set security rules for device makers who sell directly to the federal government. Outside of the federal marketplace, however, the approach is still to lean on “market-based approaches” and voluntary compliance with cybersecurity “guidance” for makers of smart, connected stuff.

That may be changing. In addition to the passage of The Internet of Things Cybersecurity Improvement Act of 2020, the Biden Administration is in the process of assembling an Energy Star-like rating system for Internet of Things device cybersecurity. While these will be voluntary and won’t compel device makers to follow best practices in designing or deploying devices, they may empower consumers to make smarter buying choices and reward companies that make their devices more secure and secure-able.

Cybersecurity and Infrastructure Security Agency (CISA) head Jen Easterly (@cisajen) has likewise called for industry to improve the cybersecurity and safety of the products it produces, citing the automobile industry as an example of an established industry that embraced a culture of safety.

“The readily apparent safety issues with cars also led to a simple solution: government action to compel adoption of specific security measures with proven better outcomes. Whether automobiles or other sectors such as aviation or medical devices, it took crisis to force people to focus on the need for additional safety measures,” Easterly and Eric Goldstein wrote in Foreign Affairs. “A safety crisis is already here in the cyber-realm, and now is the time to address it.”

Historically, however, seat belt availability in cars was a direct result of a 1968 federal law that mandated seatbelts in new vehicles. Furthermore, use of seatbelts by drivers increased from less than 15% in the late 1970s to more than 90% of drivers in 2020 because of the introduction of state-level seatbelt use laws in the mid 1980s and 1990s. Such laws now cover most US drivers.

Needless to say, no equivalent laws exist governing safety features for IoT devices.

What’s needed is for manufacturers to take more responsibility for the products they release to the public. Grand notes that he helped to design an early IoT product, the Chumby- a kind of smart clock-radio, in the early 2000s. Though the company that marketed and sold the device ceased operating in 2012, the servers that keep Chumby devices working are still online, more than a decade later, while the Chumby hardware designs have been turned into open source, Grand said.

To mandate such behavior, legal experts have proposed that existing product liability laws may be brought to bear: forcing device makers and their partners (suppliers, telecommunications companies) to take responsibility for damages caused by faulty or vulnerable products.

IoZ preppers?

Many security experts – and even consumers – are skeptical of connected device features. According to recent reports, half of consumers refuse to connect smart appliances to their home networks – either for lack of knowledge or desire, or because of concerns about security and privacy.

In the meantime, cybersecurity experts increasingly voice a kind of “prepper” approach to IoT security: steering clear of Internet connected products if possible in favor of “dumber” alternatives that are more reliable and maintainable.

“I am now part of the ’buy-it-for-life’ following –durable, quality, and practical goods,” wrote Chow of Tufts, referring to the subreddit of the same name. “A few months ago, I bought a new washer and dryer set.  Many washers and dryers are now IoT devices.  I purchased a brand new set that is completely analog with knobs and an agitator in the washer.”

However, Chow acknowledges that the more durable, analog appliances – which dispense with the data harvesting and ‘you are the product’ business model will be more expensive for consumers that wish to adopt that approach.

Grand agrees. “an even easier solution is just don’t use IoT at all, though that’s probably not practical for most people,” he wrote.