History repeating: How the IoT is failing to learn the security lessons of the past

The massive cyberattacks which took down some of the most popular websites on the internet show that device manufacturers are not learning from the mistakes of the past.
Written by Danny Palmer, Senior Writer

A report examining the potential cybersecurity holes within an emerging connected technology notes that it's "slowly becoming more popular but the security built into the specification is a cause for concern".

Furthermore, the document details how the technology contains security risks including "loss of confidentiality", which can stem from, among other things, "default configuration" and "person-in-the-middle" and "DoS [Denial of Service] attacks".

It might sound like the recent warnings about the cybersecurity concerns facing the Internet of Things, but the text is in fact from a paper entitled 'Bluetooth and Its Inherent Security Issues', which was published 14 years ago.

As Bluetooth developed, so its security improved -- but the recent security problems with Internet of Things suggests that the same issues have to be dealt with all over again. When it comes to tech security, we seem doomed to witness history repeating itself -- over and over again.

"It's almost like we've learned nothing from Bluetooth" says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

Unfortunately, this pattern has transferred to Internet of Things devices. While the product builders might have a cavalier attitude towards ensuring their shiny new devices are protected from hacking and cyberattacks, cybersecurity professionals are looking on in disbelief.

"Seeing what these IoT vendors are doing, it just blows me away because they haven't learned from history," says Steve Manzuik, director of security research at Duo Security's Duo Labs. "They've completely ignored everything that's ever had bad vulnerabilities".

Just look towards the massive cyberattack attack again against Dyn, the domain name system provider for hundreds of major websites, whick left many unable to access services including Twitter, Reddit, Spotify, and the PlayStation Network last week. The large scale DDoS attack was designed to overload systems and prevent people accessing their chosen services -- and it's thought that the Mirai Internet of Things botnet was behind the whole thing.

Internet of Things devices such as web servers, routers, modems, network attached storage (NAS) devices, CCTV systems, and industrial control systems can all be recruited into botnets for the purpose of carrying out DDoS attacks.

Add to that services like Shodan, which allow anyone to search for IoT devices around the world. Many of those devices will still be using default login credentials -- if they have passwords in the first place. Taking all these factors together, it's obvious there's a massive problem with malicious actors being able to easily recruit large swathes of devices into botnets, which they can turn against the targets of their choice.

But security doesn't even seem to be a consideration for many connected device manufacturers, to such an extent that old vulnerabilities are reappearing. "We're in the realm of the security issues we were dealing with for Windows 98 and Windows XP, like plain text credentials," says James Lyne, global head of security research at Sophos.

Because security is so poor in IoT devices, finding vulnerabilities is like "shooting fish in a barrel", says Duo Security's Manzuik. "They're easy to find and they're easy to exploit. It's like we're just repeating the late '90s and early '00s all over again with those devices."

It's not that those building devices are just poorly implementing security, they're just not even considering it as part of the design of whatever IoT products they're building. "Most of these companies aren't trying. It's not that we're talking about high-end exploits that are a by-product of writing code. It's that they aren't building security any way into that process," says Sophos's Lyne.

Why are lessons from the past being ignored? It's simple. Companies just want to get their devices out to the public as quickly as possible, and at the cheapest cost to manufacture. Building in security takes time, effort, and -- perhaps most importantly for some -- money, so security is ignored in order to get a product out to market for a low price and before the market gets saturated with similar products.

"IoT products will have vulnerabilities because vendors want to get these devices out the door and for people to use them, and sometimes it flies in the face of security," says Malwarebytes's Dolly.

The second problem is that Internet of Things devices represent a relatively new space. It's only gone mainstream in the last two years or so, and thus the sector is filling up with organisations producing anything from connected kitchen appliances to interactive pet feeders to home assistants. In the rush to do so, carelessness, inexperience, or negligence can mean these young companies neglect security.

"A lot of these IoT companies are startups, so I don't think they even realise until it's too late, when they get the security report from the researcher or someone posting about their vulnerabilities on Twitter, that it's something they need to do," says Manzuik.

It would only take a little bit of effort to boost the inherent cybersecurity of IoT devices.

"It doesn't take a lot of work to prevent command injection attacks. It doesn't take a lot of work to encrypt your secrets, and there are very standardized libraries that let you do that well," says Lyne, who laments how he'd love to be in the position of dealing with "fascinating high-end zero-day exploits" but is instead "dealing with the password being 'admin'".

If stringent security regulations were applied to all Internet of Things devices, companies producing them would likely be quick to alter how they build their products.

"We're going to get many more examples of vendors being held up as negligent because so many security flaws are in the camp of 'didn't even try', not 'high-end interesting bug'", says Lyne.

"Something bad is going to happen and that's going to make government step in with regulations," says Manzuik.

Read more on cybersecurity and the Internet of Things

Editorial standards