We've had nothing but bad news regarding IoT cybersecurity these days. Mirai's been putting together unprecedented denial-of-service attacks which seem like they're doing nothing if not getting bigger. You have folks like cybersecurity demi-god Bruce Schneier proposing widespread government regulation as the only solution to the problem, too. Things don't look good, and they don't look like they're getting better any time soon.
So why did things get this bad?
Let's be honest. The central problem is that these devices have been poorly designed. I mean, we know how to harden Linux systems. We've been doing it for years. And we know that bugs exist in old kernels, too. But many of these devices have known services running on known ports with known exploitable flaws. Mirai took advantage of this, using known services (e.g. telnet) with known credentials, and just logged into remote, Internet-connected IoT devices.
Really, it's just ridiculous. You don't design systems like this. You remove all the stuff you're not using, you turn off services like telnet, and if you need to keep an SSH port open, you use strong credentials. Yes, these devices are manufactured at scale, so everything needs to be automated, but we do this with consumer-grade routers, switches, and wireless access points today. In fact, many of the companies who are creating IoT devices do this today with this kind of networking equipment, so we know they know how to do it. So why didn't they?
I think there are a couple of reasons. First, the cost of IoT devices, and associated profit margins, are really small. You make money in IoT at scale. Second, initial IoT deployments were small scale, with a very small group of engineers involved with the device operating system design. And these lead to the real problem — insufficiently hardened embedded Linux images running on these small, low-profile devices.
IoT devices are cheap. I mean an order of magnitude cheaper than consumer networking equipment. What does a typical wireless access point cost today? About $150? $200? A TP-Link smart plug runs about $25. It runs a Linux kernel with a full operating system and filesystem, too. The profit margin on a smart plug is correspondingly smaller as well, leading to large up-front development expenses carrying lots of risk. This leads to pressure to keep costs as low as possible, which, in turn, contributes to the second problem, small engineering teams.
In small teams (or teams that consist of a single engineer), it's really easy to cut corners. To meet arbitrary deadlines. To get out early on Friday. Because something isn't working quite right, and you can't figure out why. There are tons of reasons, but the end result is things aren't done correctly.
Just like lots of IoT software that's out there today.
So what are the solutions? Well, to start with, this is a perfect place for open source contributions. Companies in IoT are selling devices, not software. The software is really ancillary, though necessary. I mean, nobody cares what the firmware for their remote internet camera is based on, right? If companies come together and standardize on common approaches and share development via strategic open source licensing, everybody would benefit. Things like Buildroot are a great start for this. Engineers need to assume responsibility for the security of their devices too. I know, everybody is focused on functionality, that's what people buy after all, but releasing insecure software is negligent engineering. Finally, some kind of certification standard wouldn't hurt either. If manufacturers submitted their devices to some kind of independent third party for validation and verification, everybody, including the manufacturers, would benefit.
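The hardening steps named earlier (telnet off, no known credentials, a locked-down SSH port) can be checked automatically against the unpacked root filesystem before an image ships. The script below is an added example, not code from any vendor or project mentioned here; the function names, finding labels and the sample filesystem are constructed for illustration.

```shell
#!/bin/sh
# Audit an unpacked embedded-Linux root filesystem before the image ships.
# Prints one finding per line; prints nothing when every check passes.
audit_rootfs() {
    root=$1
    # 1. Telnet enabled at boot: a non-comment line that mentions telnetd.
    for f in "$root/etc/inittab" "$root/etc/inetd.conf" "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'telnetd'; then
            echo "TELNET ${f#"$root"}: starts telnetd"
        fi
    done
    # 2. Credentials in /etc/shadow. A hash baked into the image is the same
    #    on every unit sold, so it is a known credential once one is cracked.
    if [ -f "$root/etc/shadow" ]; then
        awk -F: '
            NF < 2        { next }
            $2 == ""      { print "CRED " $1 ": empty password"; next }
            $2 !~ /^[!*]/ { print "CRED " $1 ": password hash baked into image" }
        ' "$root/etc/shadow"
    fi
    # 3. OpenSSH: root login allowed, or password logins not switched off.
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg"; then
            echo "SSH PermitRootLogin yes"
        fi
        if ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$cfg"; then
            echo "SSH password logins not disabled"
        fi
    fi
}

# Constructed sample tree (not taken from a real device) with each weakness.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/init.d" "$d/etc/ssh"
    printf '%s\n' '#!/bin/sh' '/usr/sbin/telnetd' > "$d/etc/init.d/S50telnet"
    printf '%s\n' 'root:$1$CONSTRUCTED$notarealhash:0:0:99999:7:::' \
        'daemon:*:0:0:99999:7:::' 'admin::0:0:99999:7:::' > "$d/etc/shadow"
    printf '%s\n' 'PermitRootLogin yes' > "$d/etc/ssh/sshd_config"
    echo "$d"
}

demo=$(make_sample_rootfs)
audit_rootfs "$demo"
rm -rf "$demo"
```

A build could call `audit_rootfs` on its staged target directory and fail when the output is non-empty, which makes the check part of the automation rather than something a single engineer has to remember.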
Nobody wants governments to be forced to regulate IoT. Not governments, not industry. But unless we get our act together, that's where we're headed.