The Ghost of IoT Yet to Come: The Internet of (Insecure) Things in 2017


I have endeavored in this ghostly little essay to raise the ghost of an idea which has been haunting me these last few months.

The latest Hype Cycle for Emerging Technologies tells us that IoT is short of the Peak of Inflated Expectations and five to ten years from the Plateau of Productivity. But already it presents some wonderful cautionary tales. They range from funny stories about spending 11 hours trying to boil water for tea to more alarming accounts, such as the record-breaking Distributed Denial of Service (DDoS) attack against reporter Brian Krebs’ website, a subsequent (and also record-breaking) attack on Dyn (a provider of DNS services infrastructure critical for the operation of the Internet) that brought down the Internet on the East Coast, and — still more recently — an attack on home DSL routers that knocked nearly a million German users offline. All of these attacks have something in common: vulnerable, Internet-connected devices that were exploited by the Mirai Botnet or its variants.

If the holiday product ads are any indication, we can assume that many Internet-connected devices will be unwrapped in the coming weeks. We can also safely assume that the software on these new gadgets won’t be any less vulnerable. This is the specter of IoT yet to come. This is what keeps me up at night.

To the cameras vulnerable to SQL injection, DVRs with unchangeable default passwords, hackable home security systems whose firmware cannot be upgraded, and routers whose configurations can be changed without authentication over a clear-text connection, I say: “I fear you more than any other specter.” The question is what is to be done?

With the looming threat of larger and more damaging attacks, we could embrace Neo-Luddism, giving up or actively destroying technology. This would neutralize the threat, but this “solution” is as impractical as the prediction is unrealistic. Alternatively, one could make the equally unrealistic prediction that we’ll suddenly get better at writing code and all these vulnerabilities will magically disappear.

In the spirit of seasonal generosity, I offer “gifts” you can give yourself. Admittedly, they’re more in the vein of sensible shoes than flamboyant gestures like a giant UHD OLED flat screen TV. Some assembly is required, but they are durable and deliver long-lasting benefits.

Are you a product or program manager? Take your cue from Benjamin Franklin: “One line of preventative code is worth 100 lines of remedial code,” a conservative estimate but a good place to start. Security and a security lifecycle must be part of your product design or minimum viable product (MVP). This may sound daunting, but it’s easier (and, better still, cheaper) than it sounds. Skeptical? John Overbaugh has some great recommendations for SDLC on a Shoestring. In terms of cost, keep this in mind: a failed security audit in the verification stage of the product lifecycle that results in late-stage design and engineering changes is less expensive than having to redesign and reengineer a product after it has shipped.

Are you a developer or software engineer? Poorly implemented crypto is just as bad as no crypto. Do the Cryptopals Crypto Challenges. Use these eight exercises to refine your understanding of cryptography in software, including how to identify, exploit, and then avoid cryptographic weaknesses. Take a penetration testing course because it is a certainty that somebody’s Red Team will attack your software, so it might as well be yours. Like the Crypto Challenges, learning the ways that applications are attacked will teach you to avoid the most common mistakes and help you write better code.

Are you a network or security architect, engineer, or operator? It’s high time you started minding your MANRS. Yes, everyone tries to be on their best behavior during the holidays, but the Internet Society’s Mutually Agreed Norms for Routing Security provide a simple framework for keeping the “I” in IoT on its best behavior the whole year round. The MANRS recommendations outline four expected actions for participants, and everyone responsible for a network needs to be doing the second: preventing traffic with spoofed source IP addresses. The DDoS attacks we saw in 2016 could easily have been mitigated if traffic from spoofed addresses had been dropped closer to the Internet edge.
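To make the second MANRS action concrete, here is an added example (not from the essay or the Internet Society) that models source address validation at a network edge: each customer-facing interface is bound to the prefixes that customer may originate, and a packet whose source lies outside them is dropped rather than forwarded. The interface names, prefixes and sample packets are constructed for illustration.

```python
# Added example: a minimal model of edge anti-spoofing (BCP 38 style
# source address validation), the second MANRS action. Interface names,
# prefixes and packets are constructed, not taken from any real network.
import ipaddress
from dataclasses import dataclass

# Constructed assignment: the prefixes each edge interface may source.
ASSIGNED_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],                        # customer A
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:10::/48"],   # customer B
}

@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface the packet arrived on
    src: str     # source address claimed in the header
    dst: str     # destination address

def allowed_sources(iface):
    """Allowed source networks for an interface (empty if the interface is unknown)."""
    return [ipaddress.ip_network(p) for p in ASSIGNED_PREFIXES.get(iface, [])]

def validate_source(pkt):
    """True if the packet's source falls inside a prefix assigned to its ingress port.
    Comparing a v4 address against a v6 network is simply False, so mixed
    assignments are handled without special casing."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed_sources(pkt.iface))

def filter_ingress(packets):
    """Apply the check to a batch; returns (forwarded, dropped) lists in order."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if validate_source(pkt) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic; 192.0.2.53 stands in for a DNS provider's address.
SAMPLE = [
    Packet("ge-0/0/1", "203.0.113.7", "192.0.2.53"),       # legitimate
    Packet("ge-0/0/1", "198.51.100.9", "192.0.2.53"),      # spoofed: B's range on A's port
    Packet("ge-0/0/2", "2001:db8:10::1", "2001:db8::53"),  # legitimate IPv6
    Packet("ge-0/0/2", "192.0.2.200", "192.0.2.53"),       # spoofed: unassigned range
    Packet("ge-0/0/9", "203.0.113.7", "192.0.2.53"),       # unknown interface: drop
]

if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE)
    for p in drop:
        print(f"DROP {p.iface} src={p.src} dst={p.dst} (source not in assigned prefixes)")
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

On real equipment the same policy is expressed as an ingress ACL or strict unicast RPF on the customer-facing port; the point is that the spoofed packets never leave the edge.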

If you’re looking for a bigger undertaking, your New Year’s resolution should be to get serious about network segmentation. Vulnerable IoT devices provide an attack surface and pivot point for attacking other parts of your infrastructure. Network segmentation is not a trivial undertaking, but it’s your best tool for protecting your network from hackable IoT devices.

In the end, there is one prediction to proffer. As Scrooge observes, “Courses will foreshadow certain ends, to which — if persevered in — they must lead.” If we don’t start doing things differently, the IoT will become like the chains binding Marley and the other phantoms: “made link by link, and yard by yard; girded on of our own free will and of our own free will worn.”

Of course, Scrooge continues, “if the courses be departed from, the ends will change,” perhaps allowing the vast means of usefulness and all the good to which IoT is susceptible to become reality.

“Assure me that we yet may change these shadows you have shown me.”

James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot who cribs liberally from the work of Charles Dickens, as well as other authors, and who owns a kettle which is electric but has no Wi-Fi. He’s in the Twittersphere: @MOBLAgentP
