
Last week, Juniper Research predicted a twofold increase in the number of such devices by 2022 (news) in a study of the Internet of Things. If analysts now estimate the number of active IoT devices at 21 billion, then in four years their number will exceed 50 billion.
The same report notes that we have not yet reached truly widespread adoption of IoT (in industry and business): for now, priority goes to simpler traditional solutions. The emergence of really large IoT infrastructures (a hundred thousand devices or more) will have to wait, though not for long. The report does not focus on security, but there is plenty of relevant news on that front, for the second week in a row.
On June 22 the well-known cryptographer Bruce Schneier spoke about the fact that there will be a great many IoT devices and that they will be insecure. In his opinion, we are about to move from attacks on personal data (your information gets stolen, held hostage or wiped out entirely) to attacks on the integrity or operation of infrastructure made up of miniature devices. In short, a hacked car slamming on your brakes against your will.
The Juniper report introduces the interesting term edge computing: computation performed wherever the action is, rather than somewhere in the vendor's data center. The sheer volume of computation and data will make centralized processing harder. Combine Juniper's optimism with Schneier's skepticism and the picture is not very cheerful: there will be more IoT devices, they will be used in more critical areas (industry, cars, medicine), and yet nobody seems about to protect them more effectively. Modern consumer IoT does poorly at this, and industrial IoT is no better.

Let's see what exactly was bad last week. Foscam, a well-known manufacturer of IP cameras, is urging owners of its devices to update the firmware urgently (news). Interestingly, the company's statement does not include, as is usually the case, a list of affected models: either all devices turned out to be vulnerable, or the vendor is deliberately withholding details. The Vdoo researchers who discovered the vulnerability have a lot more detail.
In fact, three vulnerabilities were found, and to compromise the device they must be exploited in sequence. All that is required is the device's IP address. Such devices are not always reachable directly from the Internet, but as a rule they can be configured that way, and quite often that is the default configuration.
The attack first exploits a buffer overflow that crashes the process responsible for the web interface. After the crash the process restarts automatically, and during startup it becomes possible to delete an arbitrary file; that is vulnerability number two. Deleting the right files in the right places allows the authorization system to be bypassed, and this third vulnerability gives complete control over the device. Not the most trivial attack, and the researchers say plainly that they have not yet seen anyone using it. And since hardly anyone responds to calls to update firmware, none of the three vulnerabilities is described in detail.
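As an added illustration of the bug class behind that third step (hypothetical code written for this digest, not Foscam's or Vdoo's), here is an authorization check that reads its user list from a file: the first variant fails open when the file is missing, so deleting the file bypasses it, while the hardened variant treats a missing file as a denial. The file path and user list are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 128

/* Hypothetical user lookup (not Foscam's code): returns 1 if `user` is listed
 * in the credentials file, 0 if not, and -1 if the file cannot be read. */
static int lookup_user(const char *cred_path, const char *user)
{
    FILE *f = fopen(cred_path, "r");
    if (f == NULL) return -1;
    char line[MAX_LINE];
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';   /* strip line ending */
        if (strcmp(line, user) == 0) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* Vulnerable variant: an unreadable credentials file is treated as
 * "no restrictions configured", so the check fails open. */
int is_authorized_fail_open(const char *cred_path, const char *user)
{
    return lookup_user(cred_path, user) != 0;   /* -1 (missing) counts as allowed */
}

/* Hardened variant: only a positive match authorizes; a missing file denies. */
int is_authorized_fail_closed(const char *cred_path, const char *user)
{
    return lookup_user(cred_path, user) == 1;
}

/* Demo: write a constructed user list, delete it (the "arbitrary file deletion"
 * step from the text) and compare the two checks. Returns 1 if they behave as described. */
int demo(void)
{
    const char *path = "/tmp/ipcam_demo_users.txt";   /* constructed sample path */
    FILE *f = fopen(path, "w");
    if (f == NULL) return 0;
    fputs("admin\noperator\n", f);
    fclose(f);
    /* with the file present both checks agree: listed user passes, guest does not */
    int before = is_authorized_fail_open(path, "guest") == 0 &&
                 is_authorized_fail_closed(path, "admin") == 1;
    remove(path);
    int after_open = is_authorized_fail_open(path, "guest");     /* 1: bypassed */
    int after_closed = is_authorized_fail_closed(path, "guest"); /* 0: denied */
    return before && after_open == 1 && after_closed == 0;
}
```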
So let's all get together now and update some home IoT. Shall we? No, really! The same Vdoo researchers found vulnerabilities in devices from another manufacturer, Axis (news). This mass discovery of holes in IoT devices is the result of a kind of internal clean-up effort to find them. The result here is the same: seven vulnerabilities were found in total, three of which are needed for a successful attack.

Finding complex (relatively speaking, but still) attacks is honorable work, but the problem right now seems to be that there are botnets of thousands of routers, cameras and other things with far more trivial problems: default passwords, a clumsy web interface and a complete absence of any protection. If Juniper Research is right and in five years most industrial IoT devices will be far more autonomous, will keeping them updated become even worse than it is now?
I would like to assume that in industrial IoT everything will be different, although in fact it will not. I will assume that the only difference with industrial network devices is that they have a maintenance schedule, service procedures and people responsible for them. The spread of IoT is progress, and a good thing. Business and society will benefit from it sooner the cheaper it is, and that includes the cost of securing such devices. Discovering serious problems, including ones that cannot be fixed by software at all, after devices have already been deployed at scale will always be expensive.
Off topic. A reminder for fans of screencasting on the Internet: turn off notifications before broadcasting.