On February 23rd 2000, Vinton Cerf, one of the fathers of the Internet, stated, “Most of the [Internet] vulnerabilities arise from those who…do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.” The Internet was a very different place back in 2000: only 5% of the global population had access to it, and IoT, smart phones and broadband speeds were things of the distant future. But eighteen years later, this quote couldn’t be more urgent and relevant, when over half of the population relies on Internet connectivity and malicious actors do not rest. As new scenarios continue to emerge, it is imperative for all stakeholders to recognize and be prepared to execute their roles and responsibilities, including governments, service providers, device manufacturers and consumers.

Many recent, major breaches could have been reduced if fundamental principles of cyber hygiene had been followed, but human stupidity is always the weakest link, and consumer cyber hygiene remains a much-needed patch. Cyber hygiene practices include, but are not limited to, setting strong passwords, managing the network and performing security and software updates. Unfortunately, these seemingly simple practices are tedious and difficult to maintain for most, and are often overlooked by the latest, greatest security solutions that promise to keep us safe. Consequently, we are living in the era of the Internet of Insecure Things. However, consumer cyber awareness and cyber hygiene can go a long way toward fixing the Internet, even creating the consumer confidence necessary to increase IoT adoption and reach its potential.

The private sector is best suited to the creation and maintenance of lightweight and simple solutions to facilitate cyber hygiene at home, but the government’s convening power to enforce standards is what will incentivize all stakeholders. We are happy to report that there are loud signals that this is already happening. Following an executive order signed in May of 2017 by US President Donald J. Trump to strengthen the cyber security of federal networks and critical infrastructure, a first draft has already been published recommending, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. Also, in November of 2017, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) began to actively seek proposals by technology vendors to provide an example solution to mitigate IoT-based DDoS attacks.

Consequently, service providers, router manufacturers, and technology vendors are now rushing to market with innovative products and solutions aimed at increasing consumer cyber hygiene. In a way, secure devices and services are a marketing opportunity for companies to differentiate themselves and add value in the Smart Home and IoT marketplace, because nobody wants their devices to be easily hacked. The Wi-Fi Alliance is leading this industry trend by announcing that it will be rolling out WPA3 this year to set new security and privacy standards. We believe that cyber hygiene starts at home, but because it is impractical to hold consumers responsible if their devices are used in a botnet or if they’re not secure, we welcome the current industry trend to facilitate consumer cyber hygiene by designing devices with security in mind.

The average number of connected devices at home is increasing exponentially, and the IoT discussion should not be about gloom and doom, but rather about the massive opportunities afforded by this revolution. Yes, there are risks, but they can be significantly mitigated by the application of proper cyber hygiene by each of us. For its part, Netonomy is joining this fight by providing a lightweight agent-based solution that can be deployed over-the-air and at scale to all home routers, including legacy, at a low cost. Our agent boosts the router (the gateway to all your devices) with Artificial Intelligence and Machine Learning to provide network visibility, security and management controls in an easy-to-use and friendly white-label app. Securing the Internet of Insecure Things will be no easy task and we all have a role to play.

 

Tune in every Wednesday for cyber hygiene tips you can implement in your network!

For this week’s podcast we had the honor of interviewing none other than Ted Harrington, executive partner at Independent Security Evaluators (ISE) – security researchers and consultants widely known for being the first company to hack the iPhone. Ted drives thought leadership initiatives at ISE and is one of the organizers of IoT Village, the popular new hacking concept focused on connected devices. He is also an organizer of SOHOpelessly Broken, the first-ever router hacking contest at the esteemed security conference DEF CON.

We recommend you visit their website and check out their amazing “knowledge” center, full of great case studies, papers/publications, presentations and an updated blog. This interview is ~15 minutes; feel free to listen to it below or go ahead and read the edit. Enjoy!

Would you say you live in a connected home, with 9 or more connected devices?
I would say pretty much everybody does, because when you start talking about routers, laptops, smart phones, wearables…things of that nature, it all adds up pretty quickly. So even people that would not consider themselves to be in a smart home, would definitely qualify as living in a connected home.

What percentage of connected devices would you say are vulnerable to hacking, is it all of them?
One should never make generalizations about anything. But what we’ve seen through our security research and assessment practices, as well as the events that we’ve organized, is that security flaws really are systemic across the connected device industry. The data suggests that these security issues aren’t necessarily relegated to a particular device type - it’s not just that light bulbs are a problem, it’s basically all of the devices that we have been looking at through different channels. And we’ve also seen it across pretty much all of the manufacturers that we’ve looked at, from large enterprises to small startups that people haven’t heard of yet.

In brief, it would probably be irresponsible to say that all devices in the connected home are vulnerable. But the research has shown that, in the current market, many connected devices really do have some security challenges to them. The likelihood is high that one or more devices in a given home have some security vulnerabilities.

Why do you think this is the current situation?
I believe it’s primarily due to market forces. When you think about the evolution of any technology that is transformative, you see a similar trend.

In the first stage, someone innovates – the idea of making traditionally analogue devices to communicate, and spawns a movement. That creates the second stage, where there’s a rush to the market, and companies provide solutions because the marketplace is thirsty for the solution. So it’s truly driven by economic factors, because people want to buy these things, and companies will supply these things. That rush is so powerful right now that it is really omitting security in many cases as part of it. That’s not to say it’s true in all cases, and I do want to make that point really clear, there definitely are connected device companies taking security very seriously, doing a great job at it. But in the aggregate, most are really rushing to market without adequate security to supply solutions to satiate demand.

Do you expect this trend to continue?
I think it will get worse before it gets better. Eventually I think things will get better because of this progression that I was describing before, when transformative technologies are introduced. And there’s a third stage. The first stage is the innovation that creates an explosion that creates a marketplace, the second stage is the rush into the market where solutions are introduced and security is not a development priority, and the third stage (which is a very long stage) is where security experts eventually get their message hammered into the operating principles of the companies in these marketplaces, and they start to implement security. Over time the marketplace overall gets to a place where it has a much better security posture.

However, that takes a really long time to happen. We are in a rocket ship of adaption right now, more and more companies and people are going to buy more and more connected devices, more and more different types of things are going to start having connectivity to them where they might previously not have had, and that’s going to lead to a very expanded attack surface. Meaning, there are just going to be more and more ways for attackers to attack whatever it is that they are trying to go after. And we’re going to have to go through that, unfortunately, before the marketplace really starts to shift. So it will get better, I hope, but it’s going to get worse before it gets better.

A great initiative by Independent Security Evaluators (ISE) to increase cyber awareness is the IoT Village event, could you tell us a bit about that?
Security research conferences have what’s known as a village concept, which basically focuses on different topics to get security researchers focused on an issue. We’ve been working with DEFCON for a few years now to organize the IoT Village, and we take it beyond DEFCON to a number of conferences throughout the US, and are in discussions right now to bring it to a few places around the world (Tel-Aviv coming soon). What we do at IoT Village is to try and get together a number of security researchers and manufacturers and really collaborate on these security issues that we are seeing. We have security researchers come and present research that they are publishing, have contests where we buy a bunch of devices and we say: ok everyone, let’s hack away at these and let’s find some vulnerabilities, and we’ll do contests of a more traditional Capture-the-Flag style. Basically what we are really doing is shining a spotlight on cybersecurity as an important topic in this tech domain, which is IoT. And then, of course, we work with our friends in the press and media to publish it so that we can hopefully be that catalyst for change to shorten the lifecycle from where we are today, to that future [3rd] stage where hopefully we’ll be in a more secure and resilient posture.

You also organize SOHOpelessly broken, where the focus is router security
Yes, SOHOpelessly broken was the first router hacking contest ever at DEFCON, and it actually spawned out of some router hacking research that we had done immediately prior to that. SOHOpelessly broken has grown in its scope to cover other connected devices, but its root is around router hacking. We have a paper that we published that’s available as a free download from our website and it analyzes the research that we did that was the impetus for SOHOpelessly broken. Basically, we looked at all of the major popular SOHO routers and tried to see whether they were vulnerable to remote and/or local attack, and we found that every single router that we looked at was vulnerable to at least one of the two. It was about 56 different security vulnerabilities across thirteen different router models. So SOHOpelessly broken is now getting a community of people to poke at routers and other devices, and it usually runs right alongside the IoT village.

What are some heuristics you would give to the average consumer when it comes to network security?

First and foremost: Change the default passwords.
When you get a router, either from your ISP or your own, it’s going to come with default credentials which are usually pretty basic – and even if they look complex, you want to change those passwords, because those default credentials are basically publicly available information. All someone has to do is a quick Google search and they can know based on a given model what the default credentials are. There’s a tool known as SHODAN, which is a search engine for connected devices, so an attacker can just research and find these devices online, and by knowing the default credentials, can start attempting to use those and in a huge percentage of cases they’ll be successful because people don’t change the default passwords.

That’s actually how the Mirai botnet was successful last fall, by exploiting the fact that people don’t really change default passwords. So first and foremost: change the default credentials, because it’s basically like not having a password if you don’t.

Next would be really thinking about the need for certain elements of connectivity. I do not mean to say that someone should not adapt these emerging solutions. I’m a huge advocate of where IoT is going, I want to have connectivity in all kinds of things. But when you are buying a device, it’s important to think if you are buying it for the purposes of its connectivity, because otherwise…that would be a case where you might want to think: do you need the connected version of this?

If you are not actually going to benefit from the connectivity, all that you are doing is introducing new ways to be attacked, without capturing any of the benefit.