For the first time, one of the largest cyber security conferences in the ASEAN region, the Singapore Internet CyberSecurity Week (SICW), had a track devoted just to the Internet of Things. One highlighted session at the track was an invitation-only panel of IoT security specialists. There was so much interest, the session lasted for hours, and everyone left exhausted.
Groups of city planners for the Smart Nation initiatives in Asia attended my own talk, the presentation version of this blog series on Threat Modeling the Internet of Things. Recall that the three steps of threat modeling are laid out in episodes 1, 2 and 3:
1. Catalog your assets at play
2. Identify threats to those assets
3. Score the threats
The common denominator, and the most urgent high-priority threat for nearly all consumer-level IoT devices, is the same: weak authentication.
A researcher friend of mine, who would like to remain nameless, says, “the Internet of Things is an infrastructure built of piles upon piles of weak auth.” He’s been monitoring thousands of IoT devices for over a year and during that time, the percentage that use default passwords has remained unchanged at over 60%. That’s crazy! Other estimates range from 15% to 50%.
The United States Senate is trying to address the situation with the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. Many security professionals (myself included) consider it a surprisingly good bill, which may become the template for similar legislation around the world. One of three key requirements of the bill prevents the federal government from spending any of its $85 billion IT budget on IoT devices that use default passwords.
Manufacturers are currently experimenting with several possible methods to avoid default passwords, some of which have been tried in the home router market, which experienced the same security problems in the 2000s. Let’s look at three of the common methods.
MAC Address as Password
Some manufacturers set the default password to the MAC address of the device’s interface. Security researchers have decried this method because, obviously, the MAC address is visible to anyone on the local network, and therefore can’t really be considered secure. However, the vast majority of thingbots out there are built from scanners halfway around the world and they can’t see the MAC address. This method is at least better than default passwords.
Forced Password Change
Another way of avoiding default passwords is to force the device owner to change the password when they configure the device. Again, this is better than default passwords, but consumers are terrible at picking passwords. The list of top chosen passwords is barely larger than the IoT default password list.
The strongest method has the manufacturer create individual (and unique) passwords for each device. It is the most secure method, but also the costliest to the manufacturer. And yet, this method also suffers from the same problem as the first two: scale.
Thousands of IoT devices are deployed at scale for large projects. Think of Fortune 500 headquarters or a subcontractor deploying them to a new shopping mall. The Changi airport in Singapore has over 10,000 IoT video cameras. Imagine managing the 10,000 unique passwords associated with each device. Some solutions to the problem of password management exist (Privileged Account Management, for example), but not all devices can be managed like that yet. Granted, if you’ve generated unique passwords for each device and you’re struggling to manage them, good for you, at least you’re trying.
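For a fleet of that size, the three methods above can be checked mechanically. The following is an added example, not part of the original post: a Python audit that classifies each device's configured password as a default, a MAC-derived value, a common user choice, or a password shared across devices. The inventory format, the word lists and the sample devices are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lists, for illustration only; substitute your own
# vendor-default and common-password lists in practice.
DEFAULTS = {"admin", "password", "12345", "root"}
COMMON_CHOICES = {"123456", "qwerty", "letmein", "iloveyou"}

def mac_variants(mac):
    """Common renderings of a MAC: bare hex, colon- and dash-separated, both cases."""
    hexs = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    pairs = [hexs[i:i + 2] for i in range(0, 12, 2)]
    forms = {hexs, ":".join(pairs), "-".join(pairs)}
    return forms | {f.upper() for f in forms}

def audit(inventory):
    """Map device id -> list of findings for (id, mac, password) records."""
    reuse = Counter(pw for _, _, pw in inventory)
    report = {}
    for dev, mac, pw in inventory:
        findings = []
        if pw.lower() in DEFAULTS:
            findings.append("default")
        if pw in mac_variants(mac):
            findings.append("mac-as-password")
        if pw.lower() in COMMON_CHOICES:
            findings.append("common-user-choice")
        if reuse[pw] > 1:
            findings.append("shared-across-devices")
        report[dev] = findings
    return report

# Constructed inventory: (device id, MAC, configured password).
# The MACs use the locally administered range, not a real vendor prefix.
SAMPLE = [
    ("cam-001", "02:00:00:AA:BB:01", "admin"),
    ("cam-002", "02:00:00:AA:BB:02", "020000aabb02"),
    ("cam-003", "02:00:00:AA:BB:03", "qwerty"),
    ("cam-004", "02:00:00:AA:BB:04", "admin"),
    ("cam-005", "02:00:00:AA:BB:05", "T7#kf9Lq2vXw"),
]

if __name__ == "__main__":
    for dev, findings in audit(SAMPLE).items():
        print(dev, ", ".join(findings) or "ok")
```

The audit assumes the credentials are already available to the operator, for example from a password-management export, and it should run where that export is protected.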
IoT Thinking Outside the Box
One possible outside-the-box solution was mentioned at the SICW conference: the embryonic Named Data Networking (NDN) project. NDN is designed for networks like the Internet of Things; it makes allowances for low-power (mobile), low-bandwidth (cheap), and low-compute (stupid) devices. It binds the security of the network to a cryptographic naming scheme that functions as a management plane and access control at the same time. And doesn’t require passwords.
NDN is so different from the standard Internet Protocol, it’s hard to predict if it’s really going to be workable in the Internet of Things we have today. If we’re looking at over 50 billion IoT devices by 2025, then maybe it’s not a bad idea to give all these devices their own security substructure that is different from the one that manages the people (or, at least, our laptops and mobiles).
But getting back to threat modeling the Internet of Things. Your IoT project, should you have one, must consider the default password problem to be among the highest priority. The mitigations for default passwords are easy to manage on an individual basis but become difficult at scale. Take scalability into consideration, too.