[Update – February 15, 2017]
According to a post today on ZDNet, a team of researchers from Trend Micro revealed at the RSA conference in San Francisco that more than 178 million IoT devices are visible to the Internet in the ten largest U.S. cities. Admittedly, the research measured visibility, not vulnerability, but given what we already know about how many exposed devices are unpatched or still on factory credentials, the attack surface is plainly growing fast.
[End Update – original post from 9-23-2016 follows]
Have you heard about Shodan? It’s the search engine for the “Internet of Things,” and it is simultaneously fascinating and terrifying. It was spotlighted in an article on Ars Technica a few months back which focused specifically on the number of unsecured webcams the search engine has found; the latest count of webcams in the U.S. for which Shodan has captured a screenshot is 101.
But that’s not all. You can search for industrial control systems and drill down within the results to the specific devices speaking a particular manufacturer’s communication protocol (Modbus, Siemens S7, BACnet and so on). You can search for printers, refrigerators, TVs, wind farms, Minecraft servers, and wireless access points. You can search for devices running the VNC remote access protocol with authentication disabled. You can search for Roku video streaming devices that are directly on the Internet (2,113 in the United States at last count, and Roku’s control API has no authentication at all). You can discover that there are currently 8,760 LaserJet printers in the U.S. directly exposed to the Internet, see their IP addresses, and often get a rough idea of where they’re located. In short, Shodan is not a search engine for the contents of Web pages: it scans the public address space, connects to common ports, and indexes the banners the devices send back (the VNC handshake, HTTP headers, a printer’s PJL response), so what you are searching is the devices themselves.
So what’s the big deal? The big deal is that many of these devices either don’t require any authentication, or their default admin credentials have never been changed…and it isn’t difficult to find out what the default admin credentials are: just about every manufacturer publishes them in its online user documentation. Now, having someone remotely reboot your Roku while you’re in the middle of your favorite Netflix series may be annoying, but not particularly damaging. It’s a little scarier to think of someone being able to watch a webcam in your child’s bedroom or an external security camera at your home. But the stakes are even higher for other kinds of devices.
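To make the previous two paragraphs concrete, here is an added example (my own code, not Shodan’s and not part of the original post) that triages a batch of Shodan-style banner records for exactly the exposures discussed above: VNC with authentication disabled, Roku’s unauthenticated control port, printers on the raw JetDirect port, and web admin interfaces that are at least asking for a password. The field names (ip_str, port, transport, product, data) follow the Shodan REST API’s banner objects, but every record below is constructed for illustration, the banner text is simplified, and the severity labels and recommended actions are this example’s own. Nothing here touches the network; you would feed it the “matches” array of a real search result for your own address ranges.

```python
"""Triage Shodan-style banner records for the exposures the post describes.

Added example: not Shodan's code. Field names follow the Shodan REST API's
banner objects; the values are CONSTRUCTED and never leave this file.
"""
import json
import re

# Constructed stand-in for the "matches" array of a Shodan search response.
# Real banners carry many more fields and the 'data' text varies by device
# and firmware; the regexes below are tuned to this sample, not to Shodan.
SAMPLE_RESPONSE = json.dumps({"total": 6, "matches": [
    {"ip_str": "198.51.100.10", "port": 5900, "transport": "tcp",
     "product": "VNC", "data": "RFB 003.008\nSecurity types: None"},
    {"ip_str": "198.51.100.11", "port": 5900, "transport": "tcp",
     "product": "VNC", "data": "RFB 003.008\nSecurity types: VNC Authentication"},
    {"ip_str": "198.51.100.20", "port": 8060, "transport": "tcp",
     "product": "Roku", "data": "HTTP/1.1 200 OK\nServer: Roku/7.2 UPnP/1.0\n"},
    {"ip_str": "198.51.100.30", "port": 9100, "transport": "tcp",
     "product": "HP JetDirect", "data": "@PJL INFO ID\nHP LaserJet 4250\n"},
    {"ip_str": "198.51.100.40", "port": 80, "transport": "tcp",
     "product": "IP camera",
     "data": "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm=\"camera\"\n"},
    {"ip_str": "198.51.100.50", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "data": "SSH-2.0-OpenSSH_7.4\n"},
]})

SEVERITY_ORDER = {"critical": 3, "high": 2, "medium": 1, "info": 0}


def classify(banner):
    """Return (severity, finding, action) for one banner, or None when no
    rule in this example applies. Ports are the protocols' well-known
    defaults (RFB/VNC 5900, Roku ECP 8060, JetDirect raw printing 9100)."""
    port = banner.get("port")
    data = banner.get("data", "")
    product = banner.get("product", "")

    # RFB security type "None" completes the handshake with no password at
    # all; that is what "authentication disabled" means in the post.
    if port == 5900 or data.startswith("RFB "):
        if re.search(r"Security types:.*\bNone\b", data):
            return ("critical", "VNC with authentication disabled",
                    "take the host off the Internet or behind a VPN now")
        return ("high", "VNC reachable from the Internet",
                "restrict to VPN or allow-listed sources; VNC auth alone is weak")

    # Roku's External Control Protocol has no authentication by design, so
    # Internet exposure means anyone can drive the device.
    if port == 8060 and "Roku" in product + data:
        return ("medium", "Roku ECP exposed (no authentication by design)",
                "remove the port forward; the device should never be reachable inbound")

    # Raw printing accepts jobs and PJL commands without any credentials.
    if port == 9100 or "@PJL" in data:
        return ("high", "network printer raw port exposed",
                "allow 9100/515/631 only from internal ranges or VPN")

    # A device that challenges for credentials is only as safe as those
    # credentials, which is where unchanged factory defaults bite.
    if "WWW-Authenticate" in data:
        return ("info", f"{product or 'device'} web admin exposed, credentials required",
                "confirm the default admin password was changed; prefer VPN access")

    return None


def triage(response_text):
    """Parse a Shodan-style search response and return findings, worst
    first. Each finding is a dict: ip, port, severity, finding, action."""
    matches = json.loads(response_text).get("matches", [])
    findings = []
    for banner in matches:
        result = classify(banner)
        if result is None:
            continue
        severity, finding, action = result
        findings.append({"ip": banner["ip_str"], "port": banner["port"],
                         "severity": severity, "finding": finding, "action": action})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]], reverse=True)
    return findings


def summarize(findings):
    """Count findings per severity level (every level present, even if 0)."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['severity']:8} {f['ip']}:{f['port']:<5} {f['finding']} -> {f['action']}")
    print(summarize(results))
```

Run against the constructed sample, the script reports one critical finding (the passwordless VNC server), two high (the password-protected VNC server and the printer), one medium (the Roku) and one informational (the camera that at least demands credentials); the SSH banner produces nothing. The point of the ordering is practical: the VNC host with security type “None” is the one you unplug first, while the camera goes on the list of devices whose factory password needs verifying.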
Universities are notorious for having printers directly exposed to the Internet. Many of them were assigned large, publicly routable address blocks years ago, so printers often sit on public IP addresses and the firewall is opened up so faculty members can send print jobs from home. If the printer itself requires no authentication, so can anyone else. This past March, a white supremacist sent anti-Semitic fliers to networked printers at several universities in California, Illinois, Massachusetts, Maryland, and New Jersey. Princeton was one of the universities affected.
In July of 2015, security researchers Charlie Miller and Chris Valasek demonstrated to Wired Magazine that they could not only remotely mess with the air conditioning, radio, and windshield wipers of a 2014 Jeep Cherokee, they could completely disable it. A year later, they announced they had found ways to disable the steering, or even digitally turn the wheel themselves, though the newer demonstrations required a laptop plugged into the car’s diagnostic port rather than remote access. To its credit, Chrysler has moved to tighten up security and has launched a “bug bounty” program that pays up to $1,500 to hackers who inform the company about vulnerabilities in its vehicles.
We’ll leave it to you to imagine the havoc that could be caused by a breach in a critical industrial control system.
As more and more devices get connected to the Internet of Things – smart TVs, refrigerators, thermostats, lighting systems, home security systems, etc. – the security risks will increase substantially if we’re not very, very careful about how systems are implemented. Some issues rest squarely on the manufacturers themselves: to patch security flaws as they’re discovered, and to ensure that a reasonable level of authentication is required for administrative access. But one of the most important things we can do is also one of the easiest: change the damned default passwords on your Internet-connected devices, and don’t leave their admin interfaces reachable from the Internet in the first place. And then help your family and friends do the same thing.