NEW YORK — Smart-home devices and other "Internet of Things" gadgets need to be secured now, lest there be more attacks like the one that knocked out large parts of the internet this past Friday (Oct. 21). That was the consensus reached by a panel of security experts who spoke here today (Oct. 24) at a conference organized by the National Cyber Security Alliance.
"Prior to today, IoT security might have been debatable," said Neil Daswani, chief information security officer of the identity-protection firm LifeLock. "But now, that's no longer the case."
Yet while the experts agreed on the end goal, they couldn't agree on how to get there. Some advocate government regulation to mandate smart-home security, while others argue that the free market would force IoT vendors to build in security as consumers rejected insecure devices.
"We can't make the same mistake we made with the internet, where security was an afterthought," said Sami Nassar, vice president of cyber security solutions at Dutch chipmaker NXP Semiconductors. "We should think of security by design, from the get-go."
All five panelists agreed that that was a worthwhile goal, but while Daswani said he hoped industry self-regulation would lead IoT manufacturers to incorporate better security, another speaker countered that only government intervention could solve the issue.
"Banks eventually got to the point where they realized that the number of trusted devices is zero. You have to assume that the network is compromised," said Matthew Cook of Panopticon Laboratories in Columbus, Ohio.
"I haven't seen any evidence that even when the users are very, very motivated, it's easy to get manufacturers to change practices," Cook added. "I spent seven years trying to get banks to self-regulate, but they didn't until regulation was imposed."
Battling the Mirai Botnet
The network outages in North America this past Friday were caused, at least in part, by distributed denial-of-service (DDoS) attacks launched by the Mirai botnet. That's a collection of thousands of DVRs and networked cameras — infected and controlled by persons unknown — that was directed to bombard Domain Name System (DNS) servers with floods of useless requests, overwhelming the servers on Friday and leaving users unable to resolve the names of major websites.
In September, the Mirai botnet was responsible for one of the largest DDoS attacks ever recorded. Since then, the Mirai source code has been posted publicly, with the result that any half-skilled online miscreant can use it to infect even more IoT devices and create more botnets.
Mirai works because many IoT devices ship with the same factory-default administrative usernames and passwords, reachable over Telnet. Consumers rarely change those credentials; in many cases, the consumer isn't even told they exist or can be changed. Mirai scans the internet for devices with an open Telnet port, tries a short list of known default credentials on each one it finds, and loads its bot code onto any device that accepts them, adding that device to the botnet.
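The scanning behavior just described is also what gives an infected device away from inside the home network: a single DVR or camera starts opening Telnet connections to many unrelated addresses in quick succession. The following is an added example, not code from the original article or from any of the panelists' companies, showing how a router's outbound firewall log could be screened for that pattern. It assumes netfilter-style log lines with a `FW-OUT` prefix, the field names (`SRC=`, `DST=`, `PROTO=`, `DPT=`), the window and threshold values, and the sample log lines themselves are all constructed for this example.

```python
"""Flag LAN hosts that behave like Mirai-infected bots: a burst of outbound
TCP connection attempts to Telnet (tcp/23 or tcp/2323) on many distinct
addresses within a short time window.

Added example; log format, thresholds and sample data are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

TELNET_PORTS = {23, 2323}

# Netfilter-style LOG line: "<syslog ts> <host> kernel: FW-OUT ... SRC= DST= PROTO= SPT= DPT="
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: FW-OUT .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2016):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_telnet_scanners(lines, window_s=60, min_targets=10):
    """Map each source IP that contacted >= min_targets distinct Telnet
    destinations within any window_s-second window to the peak count seen.
    A sliding window over the time-sorted events keeps this linear per host."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "TCP" and dport in TELNET_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window relative to the newest one.
            while (ts - evs[left][0]).total_seconds() > window_s:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def build_sample_log():
    """Constructed log: a laptop doing HTTPS plus one legitimate Telnet login to
    the router, and a camera (192.168.1.50) sweeping 12 public addresses on
    Telnet ports within five seconds. Addresses are documentation ranges."""
    lines = [
        "Oct 21 11:40:01 router kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 "
        "DST=93.184.216.34 PROTO=TCP SPT=51000 DPT=443 SYN",
        "Oct 21 11:40:03 router kernel: FW-OUT IN=br0 OUT=br0 SRC=192.168.1.20 "
        "DST=192.168.1.1 PROTO=TCP SPT=51001 DPT=23 SYN",
        "Oct 21 11:40:04 router kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 "
        "DST=93.184.216.34 PROTO=UDP SPT=51002 DPT=53",
    ]
    for i in range(1, 13):
        lines.append(
            f"Oct 21 11:40:{10 + i // 3:02d} router kernel: FW-OUT IN=br0 OUT=eth0 "
            f"SRC=192.168.1.50 DST=203.0.113.{i} PROTO=TCP SPT={40000 + i} "
            f"DPT={23 if i % 2 else 2323} SYN"
        )
    return lines


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct Telnet targets in one window")
```

The single Telnet connection from the laptop to the router's own address is not flagged, because the detector keys on the number of distinct destinations rather than on Telnet use as such; a threshold of ten in a minute is far above what an administrator would produce by hand but well below the rate a Mirai-style scanner sustains. On a real router the same logic would run over the output of an iptables `LOG` rule on the forward chain, and a hit is a strong signal that the device at that address should be taken off the network and its credentials changed.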
How to Secure Devices
The problem of default credentials is hardly limited to DVRs and cameras. Millions of home Wi-Fi routers — the literal gateway to the internet for most home users — still use default credentials, exposing their users to attack. Millions of smart locks, fitness bands, smart refrigerators and other devices have the same problem, and some of them even transmit their Wi-Fi passwords over the air in the clear for anyone nearby to intercept.
"If your webcam can be taken over to attack a nation, how about when that same technique can be used to spy on your children?" asked Andrew Lee, CEO of the North American division of the Slovak antivirus maker ESET. "What if your Wi-Fi password is leaked by your doorbell? The volume of data that these things are sharing and collecting without any human interference can create a large attack surface."
"I call it the Internet of Me," said Michael Kaiser, executive director of the National Cyber Security Alliance. "For these devices to actually function, they need to know a lot about you. For your smart thermostat to function, it needs to know when you come home."
But even then, the experts failed to agree on how to secure the devices. Lee argued that consumers needed to be educated to change administrative credentials as soon as each smart-home device comes out of the box.
"We need to start locking down these devices by changing default passwords," Lee said. "How do we teach people we need to change passwords on these devices as soon as you turn them on?"
Nassar implied that manufacturers should bear the burden.
"With brand comes responsibility," he said. "There is a liability issue. You need to have minimum rules and a minimum level of security. ... if you build it from the get-go with security in mind, security becomes a driver of business."
Daswani argued for the establishment of third-party organizations, similar to Underwriters Laboratories, that would certify Internet of Things devices as safe to use. (Famed hacker Peiter "Mudge" Zatko and his wife Sarah Zatko have created such an organization.)
"Putting badges on things can help with communications for consumers," Daswani said.
In response, an audience member asked, "How many people are checking for that UL seal at the bottom of the device?"
"Not many," Kaiser replied.
"This won't be finished tomorrow, and won't be finished next year," Cook said, adding in an understatement, "IoT has some very specific challenges."