Most suppliers notified of security and privacy issues in their smart products are “intransigent” and make no effort at all, according to security researcher Ken Munro, senior partner at Pen Test Partners, which specialises in the security of internet of things (IoT) devices.
“I have spent the past five years fighting manufacturers of smart products and trying to influence behaviour and make products more secure, but, by and large, I have failed, because the security of smart devices is actually getting worse,” he told the EEMA ISSE 2018 cyber security conference in Brussels.
Munro and his colleagues have exposed the security vulnerabilities in a range of IoT devices, including Samsung smart TVs, door locks on Mitsubishi Outlander vehicles, the Cayla interactive doll, the iKettle and the Swann home security camera.
While some of the larger brands, such as Ring, now owned by Amazon, and Sphero, maker of the Disney-licensed BB-8 toy, have been good about responding to security vulnerability reports, Munro said most suppliers are startups or bigger brands buying in third-party products.
“These organisations typically do not have the resources, and it has never been on their radar to do security – that’s why I think we need to have some big sticks to ensure manufacturers put in some very basic security,” he said.
When security vulnerabilities are discovered, Pen Test Partners follows a policy of responsible disclosure to the manufacturers, giving them an opportunity to fix the issues before the findings are made public.
“My experience with almost every single IoT supplier we have ever disclosed to – and we have done two to three disclosures per week for the past four years – is that they simply ignore us, nothing happens and they carry on selling their product, profiting out of making people vulnerable,” said Munro.
IoT widely used in business context
While IoT is generally thought of in terms of consumer products, he pointed out that some IoT systems are widely used in the business context, such as building management systems that control heating, cooling, door locks and fire alarms.
“It is important that businesses think about the IoT devices they have in their environments. The gap between IT and services often creates opportunities for technology to cause problems, and so there are some key questions businesses need to ask suppliers, retailers, hardware manufacturers so you know whether you are buying a good product or one full of security vulnerabilities.”
Munro said he bought a building management system controller online and found vulnerabilities that could be exploited to recover the password of its embedded server, which would enable an attacker to take complete control of the building management system.
“According to Shodan, the search engine for embedded devices on the internet, hundreds of these controllers have been put into organisations by third-party installers and put straight on the internet for remote access and control, which means an attacker could do things like unlock doors and set off fire alarms to force an evacuation of a building,” he said.
Munro even discovered that some of the devices had been infected with crypto-mining malware to generate cryptocurrencies for cyber criminals.
Munro said that in recent days Pen Test Partners has been working on third-party car alarms. “So far, we believe that over five million cars can be located, unlocked and the engine started and driven away, so in general, IoT security is a train wreck,” he said.
Cayla doll ban
Among some of the good things happening, said Munro, is that the Cayla doll has been banned in Germany because the device violates a telecommunications privacy law and has been subject to action by several consumer protection organisations.
“A Norwegian consumer council had the doll banned by several retailers, which shows you can pressure suppliers into behaving by hurting them commercially, and some big reputable retailers in the UK are starting to refuse to stock vulnerable product, while in the US, they are looking at stopping the US government and agencies from buying an insecure product,” he said.
Although this is a good start, Munro said there is still a long way to go and he would like to see some basic regulation.
The UK has so far stopped short of regulation, electing instead to publish a Secure by Design voluntary Code of Practice (CoP) in October 2018 that was developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).
While the final version of the CoP is largely unchanged from the draft version, it has been revised to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act to facilitate regulatory implementation in future.
Initial draft did not address refusal to follow guidelines
Speaking to Computer Weekly, Munro said he was uncomfortable with the initial draft of the CoP because it did not address enforcement if suppliers refused to follow the guidelines.
“However, the final code of practice showed how existing legislation such as the GDPR could be brought to bear against poorly secured smart products.
“The CoP is a great start, but there is still more to be done,” he said. “I would like to see fresh primary legislation in the IoT arena in the UK, but this will take time. It would also be reasonable to let the CoP guidance ‘bed in’ with manufacturers. If they don’t start to change behaviour, that would be the time for regulation.”
Munro believes giving consumers the right to return vulnerable smart products for credit will create financial incentives for manufacturers to improve security, as will retailers committing to not stocking vulnerable smart tech, backed up by trading standards legislation. He would also like to see manufacturers delivering product security updates for the foreseeable life of the product.
“I think demonstrating security in a product will actually drive sales because if someone can buy a smart thermostat and know it is secure, that will increase sales in the market,” Munro told ISSE attendees.
The proposed European Cybersecurity Act, however, covers only corporate and medical devices, including critical national infrastructure, but is currently voluntary for consumer devices, he said.
“That’s a real shame, because consumer devices are as much of a threat, because we have shown how attackers could aggregate smart thermostats and take the electricity grid. I think we have to bring in regulation – we have no choice.”
Munro said the bipartisan bill to mandate baseline cyber security requirements for IoT devices purchased by the federal government currently going through the Senate is a “brilliant guide” that lists seven basic requirements and “even defines firmware”.
“It is simple, and we could learn so much from that,” he said. “It would enable us to say this is what we want, and then we can start to build up the next layer of accreditations and the next layer of regulation – but let’s do the basics first.”