Bearing the blame: who’s responsible when IoT gets hacked?

An invasion of privacy, an insecure channel for exploiting the individual, an unnecessary form of automation, a super gateway for powering botnets; all of these accusations have been levelled at the Internet of Things (IoT), and with some justification, argues Ken Munro, Partner, Pen Test Partners

An invasion of privacy, an insecure channel for exploiting the individual, an unnecessary form of automation, a super gateway for powering botnets… All of these accusations have been levelled at the Internet of Things (IoT) and with some justification. The ludicrously poor security of these devices has laid them wide open to attack.

We have seen data sent in the clear, rather than via SSL, allowing an attacker to intercept communications sent from the device to the cloud-based service. We’ve seen easily hackable online user accounts, allowing the attacker to enumerate passwords using the forgotten password feature.

We’ve even seen websites that allow user account deletion without the need for authentication. Yet adoption continues apace and no one, it seems, has stopped to think who is ultimately responsible in the event of an attack orchestrated over the IoT.

DDoS attacks

The massive Distributed Denial of Service (DDoS) attacks carried out against Brian Krebs, OVH and Dyn last autumn served as a wake-up call to an industry that continues to ignore warnings. Security researchers had long been predicting the potential for the computing resource of the IoT to be hijacked and used for harm.

In the case of the DDoS attacks, Mirai malware (originally developed to attack DVR devices) was used to enslave other devices via the dated and seldom used Telnet protocol. This resulted in a botnet battery capable of launching attacks that peaked at over 1Tbps.

The publication of the Mirai code has now reduced the threat of attacks using this vector (the proliferation of botnets that are now all seeking to use a finite resource has a self-limiting effect) but the incident has served to illuminate the difficulty of attribution and retribution.

Sloppy security

While Mirai and the attackers behind it (who, interestingly, seem to have been DDoS mitigation service providers) were clearly to blame, the security mechanisms used by these devices also drew criticism. In fact, if you look at Mirai itself, it carried out perfectly legitimate actions to access the device. It was the use of the redundant Telnet protocol and of default passwords that was seen as sloppy security practice.

Even in those cases where device passwords are routinely changed, it’s often possible to find these online. For instance, CCTV log-in credentials are often shared by installers, and the long supply chains associated with the IoT are in themselves a weak spot enabling data leakage or device tampering.

So should manufacturers be held to account? IoT devices differ from their dumb counterparts in that they can be updated with Over-The-Air (OTA) updates from the manufacturer.

This can effectively extend the lifespan of the product, but it also means that the manufacturer’s responsibility for the product no longer extends simply to a twelve-month warranty period. Instead, they’re facing a responsibility for securing each device for years, or at least until they decide to no longer support the device and declare its end-of-life.

The landscape changes. New vulnerabilities are exposed in protocols, frameworks and hardware all the time, so the manufacturer will have to patch the device itself by issuing an OTA update or, if the integrity of the device itself is in danger, a product recall may be in order. That’s a costly undertaking, but a product recall also has other implications. By announcing a recall, the manufacturer could be said to have legally accepted that their devices are part of the problem, and this could see them open to litigation.

Angry mob

The potential for a manufacturer to be sued is increasingly likely, due not least to consumer angst. Avoidance tactics such as those used by VTech, which altered its terms and conditions to try to avoid being held to account after a data breach a couple of years back, have seen consumers begin to question the trust they place in manufacturers.

In the EU and in the US, consumer lobbyists are now taking on the toy industry, filing complaints with the relevant national authorities over what appear to be obvious breaches of several consumer laws, including an abuse of privacy. Vivid Imaginations Toy Group’s My Friend Cayla interactive doll has a litany of issues, including the ability for an attacker to easily intercept and join in communications between a child and the toy. That means any random stranger within Bluetooth range of a child playing with their toy can interact with the child.

If such actions are successful they could well pave the way for lawsuits, and this, in turn, will see manufacturers seeking recompense from their partners, such as software providers. If the developer has failed to observe tried and tested security best practice, there’s little doubt they too will be held to account.

But what about the communications layer? Could even network carriers be implicated? In the case of the Mirai attacks, is the manufacturer to blame for the malware taking out some Domain Name Servers? What if such a botnet were to take out major social networks? Where does the device end and the network begin, particularly if the issue is with the protocol and not the IoT device as such?

Uncharted waters

Legally, we’re in uncharted waters and the authorities can’t draft legislation fast enough. In the UK, we’ve seen the Investigatory Powers Bill and the Digital Economy Bill. The former will compel all ISPs to keep a record of online activities and which services devices connect to, while the latter is paving the way for web blocking.

In addition, the General Data Protection Regulation, due to be adopted in May 2018, will increase the powers of the individual to access data and file complaints. Across the pond, amendments to Rule 41, a statute that regulates search and seizure for the US Department of Justice, grant the authorities the power to seize computing equipment and user data. This is expected to see a clampdown on the use of anonymising software and will also empower the authorities to seize IoT equipment.

In light of these events, manufacturers may want to take another look at their cyber liability insurance policies. Do these cover an IoT compromise? How far does the policy extend? For now, I suspect claims relating to IoT and DDoS will be far beyond the capacity of today’s insurance markets, and that leaves manufacturers facing a stark choice: address security issues now or be prepared for some potentially ruinous lawsuits further down the line.

The pressure from consumers and the authorities alike means that time is running out for IoT vendors. For too long there’s been a tendency to grab market share at any cost, but there’s now a real impetus for the industry to self-regulate. Unless manufacturers step up and embrace standardisation, we will see more of the types of attack launched back in September. Except that next time they might not harness IoT resource to attack a web provider; they might take down critical national infrastructure or even wipe out the Internet of an entire country.

Written by Ken Munro, Partner, Pen Test Partners