Why security in the Internet of Things is suffering from rather basic device misconfiguration

This is the 1st blog post of a series following up the next weeks, to discuss the main pain points in Internet of Things Security and what we can do to sove them.

2016 the Mirai Botnet was shacking the global security industries. It was an awake, that some kiddies could create one of the most powerful botnet in history, by only checking 61 passwords on a port scan of popular Internet of Things devices as IP cameras. With a couple of days Mira took control over 500.000 devices and connected them to a massive DDoS as a service Zombie army.

The rest is history.

But what is still remarkable: the main vulnerabilities of Mirai success still exist. Shodan’s statistics shows that too many IoT devices are operated with open ports: ready to be scanned and pen tested by automated botnet crawlers. It will be an easy step to cure the IoT from vulnerabilities by closing unneeded ports and changing passwords from default factory setting to unique.

But why this is not happening? There are two issues: convenience and knowledge. Many users are used to “plug and play”, which leads into connected devices operated in standard manufacturing settings. Furthermore, there is less knowledge on the potential threads – and less knowledge on how to change devices to a unique and safe configuration. This is leading into a continuous stream of unsecured IoT devices, ready to serve as Zombies for Botnet armies.

The source of the cure is quite simple: changing device settings to safe operations. But executing this is not easy. Of course, we need to train and educate people towards IT security. Not to make everyone to a security expert, but to raise awareness. This is a long-term goal, which needed to be implement into the blueprint of future connected society. But what can we achieve on short term and mid-term? First, we need to implement responsibility and liability into Internet of Things industries. Products needed to be created by principles of security and privacy by design. For plug and play products this means, that they are forcing costumers on secure configuration on their initial setup process. It also means that these products are designed to receive continuous updated to keep them stable and safe during lifetime – that’s the mission we work on asvin.io.