What Mikko Hypponen teaches us about IoT security

Mikko Hypponen

Yes, this is going to be another rant about the state of insecurity in the Internet of Things industry. But a good one.

Every once in awhile, I hear someone explain this most critical issue, which has been at the heart of so many security incidents in the past year, in a new, inspiring way. And I feel compelled to unpack and explain it for those who might have missed the important parts.

I had one of those moments of epiphany in this year’s TNW Conference, when Mikko Hypponen, the acclaimed cybersecurity expert from Finnish vendor F-Secure, delivered a speech titled “The Internet of Insecure Things.”

In the speech, Hypponen brushed upon some very interesting topics, including ransomware and IoT security. But there’s only so much you can pack into a 20-minute speech. Here are the key takeaways about IoT security.

The damage dealt by unpatched vulnerabilities

Hypponen started by making a reference to last month’s WannaCry outbreak, the ransomware virus that spread over hundreds of thousands of computers in the span of a few days. WannaCry exploited a vulnerability in the Windows operating system to spread like wildfire.

The vulnerability in question had already been patched months earlier by Microsoft. However, as the number of targeted computers show, a lot of users hadn’t bothered to update their systems.

How does this relate to IoT security? As Bruce Schneier explained in a congressional hearing last year, “Everything is now a computer.” An increasing number of devices that were previously all wires and mechanics now run rich operating systems like Windows and Linux, and more and more of them are becoming connected to the internet.

If these devices aren’t patched, they’ll just end up providing more targets to malicious hackers.

What makes ransomware a different threat?

“For years and years, criminals online have been making money by stealing information and selling that information to the highest bidder,” Hypponen said in his speech.

But for many types of data, the highest bidder are the owners themselves, Hypponen explained. For instance, who will be more inclined than yourself to win back access to your medical information, or an archive of family photos locked by a ransomware trojan?

So ransomware attackers simply sell the data back to their owners. What’s helping them monetize their attacks? Bitcoin, the cryptocurrency that emerged in 2009, which is orders of magnitude harder to trace than wire transfers. But this doesn’t mean bitcoin is bad, Hypponen reminded. “Bitcoin isn’t bad. Bitcoin is a tool. Just like cash isn’t bad.”

Hypponen also pointed out another difference that ransomware have when compared to other attacks. “WannaCry is really easy to spot,” Hypponen said, “because most malware don’t show themselves.”

He mentioned banking trojans and key loggers as examples, malwares that silently steal information without revealing themselves. Across corporations, the estimated time to discover security breaches is more than six months.

A stark example of silent attack is John Podesta’s email phishing scandal last year. He eventually learned of the hack when his emails started surfacing in Wikileaks, an episode that might have caused his boss Hillary Clinton her chance at becoming the first female president of the United States.

“But when you get hit by a ransom trojan, you get a ransom message,” Hypponen explained. “And we started seeing these ransom messages in different places.”

This is where IoT comes into play. Kiosk displays, fuel pumps, mall displays, ATMs, and a host of other devices were hit by the malware, and not all of them were desktop computers.

Ransomware and IoT

Hypponen then showed a computer in a car manufacturing line being stopped by ransomware. “When computers inside factories are stopped by ransomware trojans, indeed it gets very serious,” Hypponen explained.

Next he showed a train display at a Frankfurt train station hit by ransomware. While a non-functional display wouldn’t be a serious issue, Hypponen explained, “what would be much more serious would be that if the train control centers were hit by ransomware trojans.” Then disaster can strike.

I’ve elaborated on the criticality of IoT ransomware in the past, both here on TechTalks and also in a TechCrunch feature. As IoT moves the internet from information technology to operation technology, we’ll have much more than data and files at stake. You can’t just shrug off the damage when the consequences become lethal. Imagine the functionality of your smart thermostat being taken hostage by ransomware, or your car, or your pacemaker.

The IoT revolution is inevitable

“We’ve all lived through the internet revolution,” Hypponen said, a reference to the fact that (almost) all computers and smartphones (computer in our pockets, per Hypponen) are now connected to the internet. “The next revolution will be when everything else gets connected to the internet.

“And everything else will get connected to the internet,” he stressed. “If it uses power, it will go online.”

Some people don’t like the IoT and the idea of connecting anything and everything to the internet (and with good reason, in many cases). But it’s going to happen whether you like it or not, Hypponen said.

Why? First, the price for existing computing power is plummeting. “This means that eventually, the chip that you can embed into any appliance which turns it into an IoT appliance is going to cost nothing,” Hypponen said. So the benefits don’t have to be too large.

Second, the internet is disappearing. “Very quickly we will have internet everywhere on the planet and any device and any device can go online without the need for accounts or subscription or anything like that,” Hypponen said.

For a lot of our appliances, say like your toaster, internet connectivity would be nonsensical. Why are they going to go online anyway? They will be going online not to benefit you, the customer, the consumer, but the manufacturer, Hypponen explained. “Because the manufacturer wants to collect data. Data is the new oil.” Data gives companies analytics and insights into how their products are being used, where they are, how often they’re used, how often they fail.

“That’s valuable information,” Hypponen says. “Not very valuable, but more valuable than the price of the chip that they have to put in to turn it into a smart device.”

What’s the risk?

There are plenty of risks. “We are turning all our devices to computers, and computers have vulnerabilities,” Hypponen said, an echo of Schneier’s earlier thoughts.

First, programmers, the people who write the software that goes into those devices, are humans, and humans make mistakes. A vulnerability in the server software that runs on your dishwashing machine can become the beachhead for an attack against your network.

Second, the users are human too, with limited skills, memory and patience. “When users take IoT devices into use, they typically misconfigure them or don’t configure them at all, exposing admin interfaces on the public internet with default passwords,” Hypponen said.

For instance, the huge IoT botnet malware that made last year’s massive Dyn DDoS attack compromised devices were left in their factory default settings. As the results showed, there were tens of thousands of them available.

Most IoT devices are headless, which means they don’t have displays or graphical user interfaces, and they run autonomously without much interaction with the user. Users tend to install and forget them and don’t check on them often (when is the last time you checked the network log of your connected fridge?).

According to Hypponen, you can’t expect users to read the manual, change the passwords, segment their networks to avoid IoT device vulnerabilities spill into other devices in the domain, and do other things that only an IT security guy would do. Most users will prefer convenience over security.

Also, Hypponen points out, patches and updates are an issue with IoT devices. Appliances like fridges and washing machines have a long-life expectancy, ten to twenty years, much more than a computer. “But how long will it be getting patches?” Hypponen asked. “And how long will the cloud end be there and work?”

“If something is smart, it’s vulnerable,” Hypponen concluded. Smart phone, watch, car, city, they’re all vulnerable.

How do you protect your IoT devices

“While we have a billion new devices getting online, we can’t rely on the manufacturers alone, because most of the manufacturers aren’t doing [secure coding],” Hypponen said.

And we can’t defend IoT devices the same way we defend our computers, which is to install endpoint security solutions. “I work for an antivirus company. We will never be making an antivirus for toasters,” Hypponen quipped.

The only solution would be to secure your IoT devices from the network. There are now several smart firewall solutions available which use a number of techniques including signature- and behavior-based network analysis to find and block attacks against the devices in your network. F-Secure’s solution is called SENSE. It creates a secure WiFi network, a separate network for your IoT devices.

“We have plenty of problems ahead of us, and we need plenty of solutions,” Hypponen reminds the crowd at the TNW Conference.

Watch Hypponen’s full speech here:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.