This week's news that over two million IoT devices are vulnerable to attack gets to the heart of the problem with IoT: a polluted and unaccountable supply chain.
The devices are vulnerable thanks to a significant bug in software that they share, warned cybersecurity researcher Paul Marrapese. He detailed the flaw on a dedicated site after getting no response from the vendors responsible.
One promise of IoT devices is that you can connect to them from wherever you are. You might want to check on a home security camera while on holiday, for example. With traditional network home devices, you have to use something like port forwarding on your home router to reach them.
Instead, peer-to-peer (P2P) technology lets you connect to them using a unique serial number. P2P is a technology feature in many connected devices that lets you find and connect to them online without any extra configuration.
The problem lies in an insecure version of P2P software called iLnkP2P, explained Marrapese. Hundreds of different IoT vendors use this software, made by Shenzhen Yunni Technology Company, Inc.
The software contains two vulnerabilities. The first lets an attacker quickly guess the serial numbers for many other connected devices due to a predictability flaw. Because P2P lets people connect directly with devices if they have the unique ID, attackers could use this flaw to query these devices at scale.
The second bug lets attackers intercept connections to a device, sniffing any data that a person exchanges with it. This includes not just video streams but also login credentials, which would give them full access to that device.
That's an interesting bug, because it would work around one of the provisions in California's SB-327 IoT security bill. The legislation, which comes into force next year, compels companies selling IoT devices in the State to ensure that each one has a unique password, or to force users to create one when they turn it on for the first time. However, the bug reported this week would enable attackers to steal even unique passwords, amplifying suggestions that the legislation was too weak.
What's depressing is the sheer lack of interest from the companies responsible for developing this software and using it in their products. In his disclosure timeline, Marrapese showed how he initially disclosed the information to device vendors in mid-January, chasing them twice.
After receiving no response, he found the developer of the software in early February and tried that company instead. After contacting it twice with no response, he was forced to report the vulnerabilities to the CERT Coordination Center, which related them to its Chinese counterpart. Only after all that did he finally go public in late April.
The digital supply chain feeding the growing IoT industry is one of its biggest liabilities. Hundreds of vendors use the same software and firmware for their products, meaning that unchecked security bugs make their way into many different devices. Unfortunately, most of these vendors are overseas, which puts them out of direct regulatory reach.
The immediate answer, other than manually blocking P2P? Buy a device from a reliable vendor, warned Marrapese. “Research suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk,” he said.
The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
