Sophos advises companies to tread carefully with IoT
By Chong Jinn Xiung August 9, 2017
- Sophos researcher finds that many IoT devices pose security risks
- Lack of regulation and use of outdated operating systems are the root of the problem
THE Internet of Things (IoT) promises to deliver a world that is truly connected, where computing devices are embedded in everyday objects and are connected to the Internet, opening endless possibilities.
Everything from light bulbs and thermostats to fridges and fans would be connected to a network that you can control from your smartphone. That all sounds pretty neat, but the problem is that at present most IoT devices are extremely vulnerable.
When DNA asked security software company Sophos’ principal research scientist Chester Wisniewski what he thought of the Internet of Things (IoT) devices on the market today, he had one response.
“Don’t buy IoT devices,” he strongly advised, “as they end up becoming a big problem as many have serious security flaws.”
He explained that the problem is that there is no real certification for IoT devices, as any device manufacturer can make them.
Often the device needs an operating system, and manufacturers opt to install a free but outdated version of Linux that is completely insecure, then sell the device immediately.
In most cases, IoT devices, be they smart light bulbs, door locks, webcams or even children’s toys, cannot be patched: the device manufacturer may be in another country or may have gone out of business, and nobody knows for sure.
Wisniewski painted a frightening scenario in which a single hacker gains access to popular smart thermostats or air conditioners and turns them all ‘on’ at once. The massive power draw caused by the devices could potentially hit the power grid and knock an entire country off electricity for weeks.
While nothing as major as that has happened yet, the Mirai malware was used to turn webcams and other devices into massive botnets that launched attacks crippling major sites like Twitter, PayPal and Netflix.
Sophos has noted in its 2017 malware forecast report that attackers are expanding their efforts to target IoT devices through vulnerabilities in Linux.
Finding a solution to the problem
Still, it is not all doom and gloom. Wisniewski has some ideas on how companies could potentially solve this problem.
The first is voluntary certification, where device manufacturers volunteer to fix software and provide patch updates over a number of years in order to earn the right to place a security certification label on the package, denoting that they are a trusted vendor.
Hopefully, such a label would help consumers make an informed decision about the IoT device they are purchasing.
The second way would be to reinforce strict product liability, whereby companies can be sued if their products are not up to the mark.
“Nobody in their right mind wants to build an unsafe product, so there needs to be an incentive for companies to ensure a certain level of quality in their products,” he said.
He is of the opinion that device manufacturers should be held to the same standard as industries like the automotive industry. He cited the example of a car manufacturer with faulty airbags, which would be compelled to take the responsible step of immediately recalling affected vehicles.
Wisniewski even suggested providing device manufacturers with a free “safe” alternative version of Linux with fewer vulnerabilities, instead of having them download arbitrary free versions from the Internet. The idea behind this is to make doing the right thing economical and easy for device manufacturers.
“As IoT devices are marketed towards the mass market as consumer products, there is an inherent need to hold manufacturers responsible. With any luck we can make a big improvement to the state of IoT,” he said.