Information Assurance has its pillars based in the 3 main tenants of C.I.A – Confidentiality, Integrity and Accessible. Information is power in todays modern world, and in order for it to maintain potency its confidentiality to only those with proper authorization, its integrity when transmitted and utilized must be maintained, and it must be accessible for use. There is a balance between these three areas that must be maintained by the owners of data and the security professionals that they pay to protect this data. In recent years however, much more personal data has been kept by individuals without the resources of larger companies in electronic format. This information is stored on personal computers in the home, more often than not connected to personal network that is connected to the internet thereby putting individual information at risk. More often than not individual home networks are often set up with a weak password or no password at all due to the lack of knowledge of the individual on not only the threats they face, but the available technologies and how to properly set them up. More experienced users secure via encryption, firewalls and a preselected password when the individual router is set up, often with host based anti-malware, anti-virus, firewalls and even IDS software. Even with all this protection, more recent technologies have added non-traditional devices to the modern home network in an attempt to create Smart Homes, which have introduced a suite of new vulnerabilities to home networks that many users and companies need to consider and take steps to mitigate the vulnerabilities.
Smart homes take advantage of multiple radio signals (z-wave, blue tooth, Wi-Fi), connect multiple devices to the home network, either directly or through the use of a proprietary hub, and often support multiple third party add on hardware to the connection. Devices being utilized currently range from unobtrusive objects such as doorbells and light switches to security systems (cameras, panels, physical locks, shades) and even major appliances including refrigerators and ovens. As this is a market in its infancy and it is highly competitive, several companies have rushed their products to market. For many of these products they offer easy convenient set up in addition to their functionality, and the fact that many of these devices are connected to secure networks was over looked by both the companies in question and the consumers making the purchases. This opens up new connections to the hosting network that are not always secured because they are actively behind the firewall but utilize a second radio signal as they are connected to the network via Wi-Fi, but are also broadcasting a secondary signal such as Bluetooth and Z-wave and are often located physically outside of the home. The applications that connect to these smart devices for set up and remote control also create new vulnerabilities. Several examples over the past year have lead to potential or actual invasions of privacy of the individual consumer.
One example of devices that are not normally thought of as potential liabilities to the security of a network are iKettles- kettles that pre-boil water and than tweet to their owners that the water is ready. Recently Pen Test Partners showed that an iKettle is capable of delivering a network password in plain text to an attacker through the use of a directional antennae and two simple commands. In addition to that, the android and iOS apps that are utilized for set up store this password, but the passwords to access the persons accounts on the apps which store network SSID as well as passwords, are also vulnerable due to the app containing poor security functions as well- the android app only utilizes default passwords, and the iOS app sets six digit codes that take little time to crack utilizing todays readily available computing power. This is an excellent example of poor secure software development practices leading to new vulnerabilities for a network.
Another problem recently arose with a popular IoT device called Ring- a Wi-Fi connected device that allows for video and two-way communication to whoever is standing at your door. Once again Pen Test Partners discovered a vulnerability that allows a malicious attacker to readily receive a plain text version of the connected password- simply detach the doorbell from the outside of a home, turn the unit to access point and utilize a mobile device to access the URL that stores the module’s configuration file including SSID and password, allowing for direct network access at a later date with little evidence of the breach. Both of these examples show that companies, in their rush to get their products to market, have ignored Secure Software Development Life Cycle (SSDLC) procedures or utilized inadequate ones allowing for vulnerabilities to be put in the market place. In the case of Ring, both the hardware and software configurations exhibited little thought to secure development to a device whose main selling point is connection to a private network. However even with SSDLC procedures in place, the producers of these technologies must add in mandatory security procedures in order to help protect consumers that lack the education into proper security procedures.
Other threats from IoT devices come from lack of user education or knowledge of proper security procedures. These include things as simple as changing the factory password or even setting up a password. The result of the use stock passwords supplied by factory means that anyone that owns or has gotten their hands on the instructions will have access to a connected section of an otherwise protected network. An excellent example of this is a Russian streaming website which, at last count, utilized unsecure streams of private internet connected security camera’s and baby monitors of 73,000 individuals and companies. The website claims that this is to show the importance of properly securing IoT devices. Motivations aside, it does provide the need for companies to put some mandatory functions into the software of their connected devices for the safety of their consumers. This may include mandatory password changes, lengths, and complexity, as well as secure, encrypted storage of this input data at the most basic level. Basic things such as a brief introduction to the consumer on the importance of password safety when starting the software would help as well. However, this once again points the the C.I.A that affects the usefulness of all data.
Companies must find the balance between maintaining the confidentiality and integrity of their customer’s personnel network security with making their devices as available as possible to their customers, both current and potential, in order to make the connections they supply useful and worthwhile. Security of these devices can not be ignored- although they may store no personal data, they are often connected to the same network that has devices that store the data or may stream audio or video to invade privacy. This is a huge liability to the companies, and could result in a huge loss of consumer trust when breaches occur whether there is a legal liability or not. Another problem is the lack of sustainability – although security is increasing in these devices, often times many companies are not updating their code and pushing it to purchased devices, decreasing their reliability and security. Companies producing any device that connects to the internet either through a direct connection or connection to a private network, must consider not only SSDLC when creating software components, but also their making sure that their customers are either educated in creating a secure environment or forced through mandatory password changes upon set up with minimum qualifications and regular background updates to component software to keep device security updated against new and rising threats and keep their customers networks safe.