Research: Internet of Things Security Is Vulnerable and Needs to Be Fixed
Shodan is the world's first search engine for the Internet of Things (IoT), that is, for internet-connected devices. It continuously scans the public internet, records the services each address exposes (open ports, service banners and, increasingly, screenshots), and lets anyone search those records, which makes it easy to find out which of your own devices are reachable from the internet. Recently it launched a new section through which you can browse vulnerable webcams.
Dan Tentler, a security researcher who has spent several years investigating webcam security, described what the feed contains:
"The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores," he told Ars Technica UK. "It's all over the place. Practically everything you can think of."
Ars Technica then ran a quick search of its own and found similarly alarming results.
Image source: Ars Technica
These cameras are exposed because they stream video over the Real Time Streaming Protocol (RTSP, TCP port 554) without requiring a password. RTSP itself supports HTTP-style Basic and Digest authentication; the problem is that these devices ship with it switched off, so anyone who can reach port 554 can pull the stream. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can find the same cameras with the search filter port:554 has_screenshot:true.
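A practitioner who wants to check a camera of their own for the condition described above can send the first request an RTSP player sends, DESCRIBE, and look at the status code: a camera that enforces credentials answers 401 with a WWW-Authenticate challenge, while an open one answers 200 and hands over the SDP. The Python below is an added example, not code from the article or from Shodan. The two responses it parses are constructed samples, not captures from any real camera, and the address 192.0.2.10 in the usage line is a documentation address, not a real host.

```python
import socket
import sys

# Constructed sample responses (not captured from any real device):
# the two answers a DESCRIBE probe normally distinguishes.
OPEN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
PROTECTED_RESPONSE = (
    b"RTSP/1.0 401 Unauthorized\r\n"
    b"CSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="abc123"\r\n'
    b"\r\n"
)


def build_describe(url, cseq=1):
    """DESCRIBE is the first request a player sends; a camera that
    requires credentials must challenge it with 401 (RFC 2326)."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        f"Accept: application/sdp\r\n\r\n"
    ).encode()


def parse_status(response):
    """Return (status_code, headers) from a raw RTSP response.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def classify(response):
    """Label a DESCRIBE response: open stream, auth challenge, or other."""
    code, headers = parse_status(response)
    if code == 200:
        return "unauthenticated"
    if code == 401 and "www-authenticate" in headers:
        scheme = headers["www-authenticate"].split(" ", 1)[0]
        return "auth-required (%s)" % scheme
    return "other (%d)" % code


def probe(host, port=554, path="/", timeout=3.0):
    """Live probe of one endpoint (makes a network connection; only
    run it against devices you are authorised to test)."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(url))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then an
    # optional live probe of a host given on the command line.
    print("sample open camera:     ", classify(OPEN_RESPONSE))
    print("sample protected camera:", classify(PROTECTED_RESPONSE))
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. 192.0.2.10
    if target:
        print(target, "->", probe(target))
```

Two caveats when reading the result. Some cameras answer DESCRIBE with 200 and only challenge at SETUP or PLAY, so a 200 here is a strong signal rather than proof that the stream is open; and a 401 only shows that authentication is enabled, not that the credentials are anything better than the vendor default, which is the second half of the problem this article describes.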
Shodan's new crawler script takes a snapshot whenever it finds an IP address with an open RTSP port that serves a video feed without authentication. While the privacy implications here are obvious, Shodan's new image feed also highlights the poor state of IoT security, and raises the question of what we are going to do to fix the problem. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing "the private lives of hundreds of consumers to public viewing on the Internet." Tentler told Ars he estimates there are now millions of such insecure webcams connected and easily discoverable with Shodan.
That number will only continue to grow.
Tentler told Ars:
"Webcam manufacturers are in a race to the bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20."
"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity],'" he said. "The vendors don't want to lift a finger to help users because it costs them money."
If consumers were making an informed decision, and that decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions is true. Most consumers fail to appreciate the consequences of purchasing vulnerable IoT devices. Worse, such a large number of vulnerable devices makes the Internet less secure for everyone.
"The bigger picture here is not just personal privacy, but the security of IoT devices," security researcher Scott Erven told Ars Technica UK. "As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby's crib."
Security researcher Brian Knopf is leading I Am The Cavalry’s charge for a basic security and privacy rating system for IoT devices, which he hopes to release early in 2016. He shared with Ars some of the preliminary criteria that IATC will use to judge devices:
1. Secure by Default
- No default passwords shared between devices, or weak out of the box passwords.
- All passwords should be randomly created using high quality random number generators.
- Advanced features utilized by a small percentage of users should be turned off (VPN, Remote Administration, etc.).
2. Secure by Design
- Firmware should be locked down, so serial access is not available.
- Secure Element (SE) or Trusted Protection Modules (TPM) devices should be used to protect access to the firmware and hardware.
- All GPIO, UART, and JTAG interfaces on the hardware should be disabled for production versions.
- NAND or other memory/storage mediums should be protected with epoxy, ball sockets (so the memory cannot be removed and dumped), or other methods to prevent physical attacks.
3. Self-contained security
- The devices should not rely on the network to provide security. Rather, the device's security model should assume the network is compromised and still maintain protection methods. This can be done with prompts to the users to accept handshakes between devices trying to access other devices on their networks. Communication between devices should be encrypted to prevent MitM attacks and sniffing/snooping.
- Consumer PII is not shared with manufacturers or partners.
- Usage data on an individual user is never shared with partners or advertisers.
- Anonymous data for buckets of users on usage patterns is acceptable as long as it's proven not to be traceable back to the individual consumers.
- Data collection policy, type of data collected and usage of data is clearly documented on the site.
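Criterion 1 turns on how the out-of-box password is produced. A common way to get it wrong is to derive a "random" password from the serial number or MAC address with a seeded PRNG, which makes it reproducible by anyone who reads the label or enumerates serials; the right way is to draw it from a cryptographic RNG at provisioning and store only a salted hash on the device. The Python below is an added example written for this page, not part of I Am The Cavalry's criteria or any vendor's firmware. The serial numbers, the default-password blocklist, the 16-character length and the PBKDF2 parameters are illustrative assumptions.

```python
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
LENGTH = 16                                       # ~95 bits from the CSPRNG

# Illustrative list of shared vendor defaults (assumed, not from any audit).
KNOWN_DEFAULTS = frozenset({"admin", "1234", "12345", "123456", "password"})


def weak_default_password(serial):
    """What NOT to do: a 'random' password whose only entropy is the
    printed serial. Seeding a PRNG from the serial makes the output a
    pure function of the label; anyone holding the serial recomputes it."""
    rng = random.Random(serial)          # deterministic for a given serial
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_unique_password(length=LENGTH):
    """Per-device secret from the OS CSPRNG (secrets module); nothing the
    attacker can learn about the device predicts it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_shared_or_weak(password):
    """Out-of-box check: reject known shared defaults and short values."""
    return password.lower() in KNOWN_DEFAULTS or len(password) < 12


def store_credential(password):
    """Keep only a salted PBKDF2 hash on the device, never the password,
    so dumping flash does not directly yield the credential."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_credential(password, salt, digest):
    """Constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    # An attacker who knows the serial recomputes the 'random' default.
    serial = "SN-0001"                                  # constructed serial
    on_device = weak_default_password(serial)
    recovered = weak_default_password(serial)           # attacker's copy
    print("serial-derived password reproducible:", on_device == recovered)

    # Two devices provisioned the right way get unrelated secrets.
    p1, p2 = strong_unique_password(), strong_unique_password()
    print("CSPRNG passwords differ:", p1 != p2, "weak?", is_shared_or_weak(p1))

    salt, digest = store_credential(p1)
    print("verify right/wrong:", verify_credential(p1, salt, digest),
          verify_credential(p2, salt, digest))
```

The seeded-PRNG path is deterministic by design (Python's random.Random hashes a string seed to a fixed state), which is exactly why it appears in real firmware: it lets a factory print a "unique" password on the label without storing anything. The cost is that the password is a function of public information. secrets.choice draws from the operating system's CSPRNG instead, so the password must be generated and stored (hashed) at provisioning time, or at first boot on a device with a hardware RNG.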
Vendors will be invited to submit their pre-production devices for testing, Knopf said, along with the star rating they are applying for. Researchers will then test the devices to ensure they meet the manufacturer’s claims.
“The vendor would then receive a preliminary test report that they could respond to, either to fix items before production or accept the rating,” he explained. “The final report would then be posted online for any consumer to review, or security tester to validate.”