IoT is full of gaping security holes, says Shodan creator
John Matherly’s Shodan, a search engine that finds Internet-connected devices, can be used for many things: gauging the impact of policies and network security efforts (e.g. patching), finding malware C&C servers, checking how a company we want to do business with is handling security, checking which devices our competitors are deploying (market research), and much more.
For Matherly, Shodan is a means to measure things that couldn’t be measured before. And with the advent of the Internet of Things, the available data set will keep growing day by day.
“The Internet of Things is happening. The world is becoming hyper-connected, whether we want it or not – security be damned!” Matherly pointed out to the audience at Hack In The Box conference in Amsterdam.
An Internet connection is being added to “pretty much everything,” whether it’s a good idea and or not. “Who needs to Tweet from their fridge?” he wondered aloud, but admitted that sometimes an Internet connection for certain devices can be helpful.
Securing the Internet of Things will be an enormous endeavor, but it has to be done. The stakes are much higher – security failures can lead to serious real-world consequences.
Still, making administrators take unsecured IoT devices offline or securing them well is difficult, as Shodan can’t really tell who’s their owner (dynamic IP addresses tell you little).
But, generally, manufacturers are still not that interested in security, he says. Many of the IoT devices they create are accessible over the Internet by default, often so that updates can be easily delivered and problems fixed remotely. Effectively, they open a backdoor to the device, without the users’ knowledge.
Connecting to these devices is also often executed via insecure means. For example, the popularity of telnet for remote logins is still high, even though it provides no traffic encryption, (usually) no authentication option, and has many vulnerabilities.
Most users fail to realize that IoT devices – fridges, TVs, termostats, cameras, billboards, and so on – now come with computers inside them, which means they will have many of the problems “regular” computers have. They see the fact that they are connected to the Internet as a great functionality, and fail to realize the dangers it brings.
They do not think about the huge amount of data these computers collect: usage data, health data, and more. It’s interesting to note that users are usually not comfortable revealing some of this data to a person, but they are somehow comfortable giving it up to a computer.
They also fail to realize that this data is sold and used – anonymized, to be sure, but anonymization is not foolproof, as we’re finding out – and occasionally stored in databases in the cloud without any protection, there for the taking for those who know how to find it.
And even if some users are worried about their privacy, and avoid having these devices in their home or on their person, there is little they can do about IoT devices that are not theirs and surround them when they walk down the street or visit a mall – cameras, trackers, beacons.
As an example of what data can be found laying around, and how easy it is to collect it, Matherly used Shodan to find license plate capture cameras all over the US. And given that many of them store these images insecurely in the cloud, he managed to create a database of over 63,000 license plates in mere 5 days.
He stopped there, and notified the authorities about this problem, but found out that they knew already – they have been told about it by other researchers years ago. And nothing has changed.
“IoT is still full of huge, gaping holes everywhere you look,” he concluded.
Many say that this initial phase will pass, that manufacturers will stop making the most obvious mistakes (whether they do it intentionally or not), that they will begin to consider security a priority from the very beginning of a project, but it’s hard to believe this.
Luckily, we have security advocates – initiatives like BuildItSecure.ly, which tries to push IoT vendors towards security best practices and tries to build partnerships between them and the security community – on our side.