Bad connections

CERT-LatestNews ThreatsStrategic

Documents released by WikiLeaks in March made the public aware of how their smartphones, computer operating systems, message applications and internet-connected televisions could be hacked by the US Central Intelligence Agency (CIA) and used to record conversations.

Some baby monitors with poor cyber security can be turned into surveillance devices, keeping nervous parents up at night worrying who could be looking at their child. A car that is connected to the internet can also be hacked and unlocked with ease.

These are just some of the nightmares people are facing as an unintended consequence of the rapid rise of the Internet of Things (IoT). Many experts say manufacturers need to do a much better job of ensuring that consumer goods that connect to the internet cannot be easily compromised.

“Industry needs to pay much more attention to the security of their connected devices, which compromise the security of users’ personal information, against criminal hackers,” Europol chief Rob Wainwright said last week.

The technology research group IDC has predicted there will be over 80 billion IoT devices by 2025, compared with 11 billion now.

As demand for IoT devices is expanding rapidly, many manufacturers either fail to understand the threat or simply don’t want to invest in security at the expense of profits, says Nathachai Phokairatana, territory manager for Indochina at Rapid7, a data security specialist.

“All IoT devices are coded with security software but the people who do the coding are not responsible for the testing, where many products have gone through inspection with only minimum protection. This has created a lot of loopholes for hackers to steal the information within the devices,” he told Asia Focus.

Troy Hunt, a security researcher and founder of, also warned that as manufacturers try to cash in on the IoT boom, more easily compromised devices will continue to enter the market. (“Pwned” is gamer-geek slang for “dominated” or “controlled against your will”.)

“There’s so much stuff being rushed to market,” Mr Hunt told last week. “Companies are trying to be first with an IoT thing, and rushing to market to get a competitive edge. The egregiousness of the security flaws is outstandingly bad.”

According to Mr Nathachai, personal information stolen from compromised devices is often sold on the black market. Hackers who used to sell credit card information for US$10 per card are finding it more profitable to sell the code to compromised devices and the information gained from them instead.

The results can be devastating. In October last year an IoT-based botnet known as Mirai crashed the servers of Dyn, a company that controls much of the internet’s domain name system infrastructure. The distributed denial of service (DDoS) attack — overloading a server with traffic until it collapses — created chaos for big names including Twitter and Netflix.

What was unique about the assault on Dyn was that the attackers did not use computers. Mirai was largely propagated via IoT devices such as digital cameras and DVR players.

“These devices that were infected are now tools for hackers to remotely control or can be used to gain information that passes through the back door in the database,” Mr Nathachai said.

Even closed-circuit TV can be turned into a “zombie device” that allows others to see into your home or office. Such information can be sold to thieves.

While the threat to consumer devices is serious, a hack involving critical connected systems in sectors such as energy, utilities, government, healthcare and finance could affect millions of people.

“The concern for a cyberattack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example — cyberattacks could disrupt power supply for communities and potentially have impact on life and safety,” Robert Westervelt, security research manager at IDC, told Tripwire in March.

What can consumers do to prevent their devices from tuning into zombies, and what are device makers and suppliers doing to stop future hacking? A good start, of course, is to never use a default log-in and password on a device. Create a strong personal login and password instead.

This is because botnets such as Mirai are constantly searching for devices they can access through a default log-in, as they do not have the ability to discover personal passwords — yet.

For industries at risk, such as baby-monitor makers, the UK-based semiconductor producer ARM Holdings has proposed a new security framework. If adopted widely, it could help instill consumer confidence and improve device sales, company executives told Bloomberg.

The framework has three components, the first being a common industry agreement about exactly what threats connected devices face. The company’s security analysts plan to work with academics and industry specialists to compile such information. The second component will specify how hardware and software should be designed to mitigate these threats.

The last component involves providing customers with free firmware — software permanently stored on chips — that meets the requirements of the new standard. ARM is also proposing that all devices should be able to receive software updates over-the-air, through WiFi, cellular or alternative low-power networks.

To help companies get started on improving device security, ARM has introduced a “secure enclave”, a dedicated chip that handles cryptographic operations. A second component offers a secure method for finding and fixing bugs in chips and firmware. Many smaller chips do not now have a secure way to perform these tests.

“We’ve talked to a lot of companies and they are excited,” Rob Coombs, security director of the IoT device group at ARM, told Bloomberg. “We believe we have wide industry support.”