Written by: Guest | Best Company Editorial Team
Last Updated: July 8th, 2020
Guest Post by D. Greg Scott
This is Part 1 of a two-part series. Read Part 2 here.
A few years ago, a sales rep approached my wife and me at Sam’s Club with a pitch about door locks we could control from anywhere. I could install an app on my cell phone and use it to lock or unlock the doors. No more worrying about house keys.
This could be useful if, say, I’m shopping at my neighborhood Sam’s Club and a family member needs to unlock the door. I could do it from down the street or halfway around the planet by tapping on my cell phone screen.
As a cybersecurity professional, I was intrigued. How did these door locks know it was me, and not somebody pretending to be me, manipulating them? I expected an answer about a password, or a login, or some means to prove I’m me. It would have been fun picking it apart. Instead, he made my jaw drop:
“It runs on the Ma Bell Internet network, and everyone knows that’s secure, right?”
Except for the name of the internet service provider, that really is what he said. I still chuckle when I think about it. I hope the door lock company either took that poor product off the market, or retrained the sales rep who represented it poorly.
Anyone who buys a thermostat, door lock, baby monitor, kitchen appliance, or other smart home device connected to the internet needs a few consumer tips about these new IoT (Internet of Things) devices.
Prove You’re You
First, make sure your device has a well-thought-out method to make you prove you’re you before it lets you access it. Watching your baby sleep from your cell phone at work is reassuring. A stranger watching your baby sleep from a van across the street is gut-wrenching.
Anything exposed to the internet should use two factor authentication these days. The idea is to provide both something you know and something you have to prove you’re you. Most implementations use username/password credentials – something you know – and then the contents of a text message to your cell phone – something you have. Granted, this is a hassle. But if you made a neighbor mad a few months ago and they impersonate you and turn your thermostat down to zero, and your pipes freeze in the middle of a Minnesota winter while you’re on vacation, it’s an even worse hassle.
Another thing to look for is a credible update strategy. Consumers need to realize, there’s no such thing as bug-free software. And that means IoT device manufacturers need to provide a long-term support strategy with an easy way to deliver updates.
Implementation details are crucial. Some manufacturers use an undocumented set of credentials to automatically push out updates. “Secret” backdoors like this are a security minefield, because secret backdoors don’t stay secret for long. We call this security by obscurity in the industry, and it’s a well-known path to disaster. Never buy an IoT device that depends on a secret only known to the factory for updates.
When devices “phone home” for updates, they typically check with a manufacturer website, hopefully using the latest encryption standards. Manufacturers might advertise they use encryption, but this is only the tip of the security iceberg.
How does your device “know” the manufacturer website really is the manufacturer website and not an imposter? If I’m an attacker, and I know Acme Refrigerator Company has a million customers, I might pour energy into, say, a DNS poisoning attack to redirect all those software updates to my evil website. DNS poisoning attacks are difficult to pull off at scale, but if successful, I’ll convince a million refrigerators to download my compromised software update, and then I’ll own a million refrigerators.
This is a big deal, not because I can spoil food in a million households, but because I now control a million internet-connected devices inside a million homes. It doesn’t matter if they’re refrigerators, thermostats, security cameras, or Wi-Fi hair brushes. I’m inside a million homes and can look for anything of interest on your computers, cell phones, or other devices. With a sample size of one million, I’ll find a few useful nuggets.
Or, with a million internet-connected devices under my command, maybe I’ll use those to launch a DDOS (Distributed Denial of Service) attack against somebody I don’t like. Something like this actually happened in 2016, after security blogger, Brian Krebs made a few internet crooks mad. Attackers didn’t even have to compromise a software update – they exploited a bug with thousands of internet-connected security cameras and launched the largest DDOS attack in history to that time. They temporarily knocked Krebs and several others off the internet for days.
Manufacturers use the same PKI (public key infrastructure) technology to defend against impersonation attacks as online retailers.
But then, why bother to poison where you go for updates? Why not break into the software update site and poison the update itself? The Russians did this to a popular Ukrainian accounting program in 2017 and nearly shut down the whole world. Somebody could do the same thing to a poor quality device manufacturer.
Questions that need answers
Ask these questions while shopping. Demand satisfactory answers, or take your business elsewhere.
- When I’m controlling this thing from the other side of the internet, how does it know I’m me?
- How do updates work? When did this product first become available?
- When it its end of life date? How often and how long will updates be available?
- I want to control updates and I want an easy way to do it. How does this device “know” it’s interacting with the real update site?
- Do some internet searches. What do other people say about this device? Do the one and two star reviews have any common trends? Does anyone from the manufacturer respond?
Find a device you like, bring it home, and then the fun begins. These devices don’t deploy themselves and you want a buffer between your new smart home and the public internet.
D. Greg Scott is an author and cybersecurity professional. Check out Greg’s novels on his website.