The Internet of Things is exactly as bad a security nightmare as pessimists think it is, according to Bitdefender's Bogdan Botezatu.
The senior threat analyst at the Romanian security software company called by to chat to Vulture South while in Australia (we were, I suspect, meant to discuss the company's 2017 launches, but conversation digressed from the start, and there's plenty of time between now and the end of the year).
Experts have long been following the persistent awfulness of “SOHOpeless” broadband routers, but Botezatu says they've already been overtaken by the awfulness of other things. “We get a lot of telemetry in our vulnerability assessment labs,” he said. “The router is no longer the worst device on the Internet. It's now the printer.”
That's a pretty big claim to make, given that in in less than a month, we've discussed the no-we-won't-fix-it Inteno router from Sweden and the record-setting Chinese surveillance router.
Botezatu himself has been horrified by routers acting as “smart home gateways”: for example last year, he tested one such device, and was pleased at its default security posture, but there was one problem.
“It allowed unauthenticated downgrades to the firmware,” he said. “So it doesn't matter that it looks secure.” But the printers still win out: many, he said (without identifying the guilty party), offer public shares that are visible to the Internet (because lots of home users also leave their routers too close to default configuration).
Creating a power point that's “smart” and exposed to the Internet – like this one – is just stupid, because there'll never be sufficient security that someone's home ventilation machine can't be switched off by an attacker, Botezatu told Vulture South; a coffee-pot is an invitation to disaster, and “a smart electric oven should be just illegal”, he said.
There's a huge expectation gap between how ordinary people think of their whitegoods, and what happens when the Internet of Things invades them. “We expect appliances to have a long lifetime, but vendors won't support them with updates forever,” he said. Once the world gets to the point where there's no “dumb” option for a refrigerator or washing machine, consumers will be in a squeeze.
Either they'll be force-marched into buying a new refrigerator/washer/dryer/microwave because the software is end-of-life; or they'll be stuck with a product that's vulnerable to attackers. “There's always an attack surface”, he said. “The Internet of Things overcomplicates things massively.
“How do you patch things that have no user interface?”
Certainly not by any kind of vendor push-process – because that means vendors will hold credentials of some kind, and we know that golden keys inevitably leak somehow. There's a (euphemistic) shedload of IoT vulnerabilities already, Botezatu said: “It's scary, it's complicated, and it's potentially lethal.”
In a world where very simple social engineering spam still works to drop ransomware, he said, layering of security is still the best defence – signature detection, followed by heuristics, followed by behavioural analysis. But the last layer, Botezatu fears, always seems to be “luck”: and in a world where a vulnerability could be a vector to burning down a house, that's just not good enough.
110 Reykjavik, Iceland