The parlous state of IoT device security was put in the spotlight this week in separate communications from security technology companies Kaspersky and Symantec, with Kaspersky’s general manager of ANZ, Anastasia Para Rae, saying Australia is “not ready for the internet of things.”
Kaspersky published a report on insights gleaned from a global network of honeypots designed to emulate IoT devices. It said that attacks started arriving within seconds and “over a 24-hour period there were tens of thousands of attempted connections from unique IP addresses.”
Kaspersky said it had seen a huge increase in the amount of malware targeting IoT devices. “According to Gartner, there are currently over six billion IoT devices on the planet. Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals. As of May 2017, Kaspersky Lab’s collections included several thousand different malware samples for IoT devices, about half of which were detected in 2017.”
Meanwhile, at a Symantec briefing in Sydney, Samir Kapuria, senior vice president and general manager of cyber security services with Symantec, said unprotected IoT devices were, on average, attacked and owned within two minutes of coming online.
The most common use of a compromised home IoT device is to co-opt it into a botnet, but Kaspersky warned there could be much more serious consequences. “A cybercriminal who has gained access to an IoT device could spy on and later blackmail its owner – we have already heard of such things happening.”
Para Rae said: “We have a long way to go to understand the minds of cybercriminals and what it takes for them to harm us. In order to be prepared now and in the future, it really lies in the simple daily habits of changing your passwords, keeping your mind alert at all times to the dangers online.”
However, this is not an option in many cases: some devices have no security whatsoever. Nick Savvides, who is responsible for Symantec's cyber security strategy across Asia Pacific and Japan, related his own experiences with home IoT devices, uncovering flaws of which most consumers would be blissfully unaware.
“My wife bought a stuffed toy that lets my son record a message, which it sends to my phone. I can reply and it will play him my reply,” Savvides said.
“I played with it and watched the traffic. It has no authentication, no security at all. I said ‘We can't use this’. So now it sits in his room as a $150 stuffed toy.”
Savvides also bought a Wi-Fi connected brewing machine and a Wi-Fi connected barbeque, in both of which he found security flaws that he reported to the manufacturers. The barbeque maker was quick to issue a firmware update. “But to run the firmware update was a horrendous process,” he said. “Most users will never do them.”
Savvides expects a flood of such devices to hit the market. “IoT is the new frontier and Australians love shiny gadgets,” he said. “I went to the CES Consumer Show in Las Vegas. The catalogue had 117 pages of exhibitors. Every one of those is making a connected toy or a connected device. They are all going to wash up on our shores and most of them are running some pretty crap operating system.”
Kapuria suggested IoT devices should carry warnings. “Back in the day TVs came with warnings on the back because people were scared of getting electrocuted [old TVs required up to 20kV to drive the cathode ray tube] or scared of radiation. We don’t have something commensurate to that for IoT.”
However, a TV was a potential threat only to its owner. Compromised IoT devices are a threat to the world.