Securing IoT Devices
The Irma of the Internet?
In the past few months hurricanes have taken an enormous toll on our Gulf States, with Harvey and Irma hammering Houston and parts of Florida.
What I found fascinating about the hurricanes was the wall-to-wall news coverage showing the possible tracks of the storms, their wind velocities, etc. As is now common in our “news is entertainment” world, the reporters breathlessly stated that this is the “biggest hurricane ever,” and “authorities are recommending that everyone evacuate.” So Mother Nature once again demonstrates that she’s in control and we’d better be prepared.
I see the equivalent of Hurricane Irma coming to our industry with the massive installation of Internet of Things (IoT) devices. Already massive hacks have occurred, with more than one million IP cameras from the same manufacturer used to perform a 1-terabyte-per-second distributed denial of service (DDoS) attack on an Internet backbone DNS server system.
I equate the coming storm of IoT device hacks and attacks with a hurricane because everyone in the technology/IP industry knows that they are coming, just as Irma was tracked on CNN. A recent pull-out section in the Sept. 18 Wall Street Journal had many articles detailing the potential problems of hacked IoT devices. For example, one article speculates on the probability that some hacker will be able to take control of entire fleets of “smart” (Internet-connected) vehicles. So, suddenly every Hyundai or Chevy stops in the middle of the road, or they all take an immediate left turn — imagine the chaos.
The hacking of IoT devices is being accelerated by three factors, in my opinion: First, the prolific installation of DIY cameras/thermostats, etc. by people who aren’t thinking security and leave the device open to attack by not changing the default passwords. The second is the continuing drop in price for IP cameras and other IoT devices. Do you think that the software designers of a $50 camera spent a lot of time and effort “hardening” the devices against hackers?
The third factor is that for the past few years those in our industry have been installing IP devices and requiring the opening of software ports in the end users’ firewalls and the programming of port forwarding in their routers to allow access to the connected devices over the Internet. Open ports in firewalls and routers provide easy access for hackers to reach IoT devices and potentially take them over.
We need a better way to do things, and we need to think carefully about the products we are selling. In a perfect world we would not have to open firewall ports or do port forwarding, so we don’t have to touch our clients’ network hardware to connect devices.
Well, the perfect world is here, at least for IP video cameras and encoders. Axis Communications has implemented its “Axis Video Hosted Service” (AVHS), which eliminates the need to perform port forwarding or firewall openings for specific Axis IP cameras and encoders. The IP cameras and encoders usually have SD or microSD card recording, so the clients’ video can be redundantly recorded.
One of the key features of the AVHS system is that the hosting service has the opportunity to “push” any needed software updates to connected devices without requiring a service call or depending on the end user to perform the updates. Any time a camera connects to the service, it will also automatically change the root password for increased security.
“IoT, cloud and cyber are general megatrends, which are also impacting the physical security market,” said Fredrik Nilsson, vice president of Americas for Axis Communications. “Implemented incorrectly, IoT devices connected to the cloud might increase cyber vulnerability for organizations.”
This is where our industry needs to go, and quickly. Manufacturers need to develop methods to push software updates to their devices without local human intervention. Axis is leading the way. Will other vendors follow?
You can see that the IoT hurricanes are coming. Are you installing products that will make them worse? As an industry we need to be the leaders in security, both physical and IP networking.