Once viewed as science fiction, devices such as smart doorbells not only exist, but are relatively commonplace. Unfortunately, the software and chipsets that make these devices “smart” have also made them a target for cyberattacks and, as you might have seen in the news recently, Ring doorbells and cameras are the latest in a long list of IoT devices compromised by attackers. More than 3,000 Ring accounts have had their credentials compromised, resulting in a number of highly publicized incidents. In one case, a hacker accessed a Ring camera in a young girl’s bedroom and told her to direct racial slurs toward her mother and generally misbehave.
Although terrifying, this is not the only major incident reported. Ring users have reported other incidents, such as hackers taunting them through their cameras, which has led to a class-action lawsuit being filed in California. Ring issued a statement insisting that their systems were not breached, and that the problem was due to outside systems being compromised. The statement indicated that the credentials used to “hack” the devices were in fact duplicate credentials that had been obtained from a separate, non-Ring service and used to access the accounts in question.
What happened and why
Attacks similar to those targeting Ring devices are known as “credential stuffing” attacks. When a user’s account information is compromised in a data breach, those stolen credentials might find their way into the hands of malicious actors who will attempt to “stuff” them into other systems. Due to the frequency with which individuals reuse passwords and other login information, a hacker with a large set of stolen credentials to work with will invariably find a number of accounts that they can breach.
Ring’s advice is sound: frequently changing passwords and using two-factor authentication are smart steps to take. That being said, the statement implies that the hacks are solely the result of user error, which obscures Ring’s own responsibility for device security. Manufacturers such as Ring can and should build additional security into their devices, particularly as this is not the first time the company has popped up in the news for an incident such as this. Ring has made headlines for issues ranging from leaking Wi-Fi credentials to users remaining logged into a device even after the password changed.
This most recent breach also demonstrates a failure to learn from the mistakes that led to the Mirai Botnet, the most famous example of malware that took advantage of weak IoT credentials. The botnet, which used default passwords to access a variety of IoT devices, clearly demonstrated the danger posed by static credentials. The use of static credentials places an undue burden on device users, and such credentials are increasingly inadequate when today’s advanced authentication technologies would inherently prevent such hacks.
Repairing the damage
Ring might be the company in the news right now, but it is hardly alone in its need for stronger security measures. The early days of IoT are over, and the technology is now being adopted en masse. As it becomes increasingly widespread, IoT demands more tailored security solutions. The weak or nonexistent security that accompanied IoT devices in the past is no longer acceptable in the marketplace, and the vulnerabilities that these very public hacks have revealed have damaged consumer confidence. It is incumbent upon the makers of these devices to restore that confidence.
External regulations are beginning to come into play in that regard. The European Union and the state of California have each taken a strong stand on the issue of IoT security, enacting legislation that requires additional protections for connected devices, and other governmental bodies are following in their footsteps. Government bodies such as the FDA have also begun to step in, implementing regulations and guidelines of their own. Security is already a must-have for market acceptance, but it will soon become a necessity for basic compliance across many jurisdictions.
The future of device security
There are a number of steps that manufacturers can take to prevent breaches similar to the one that affected Ring. Requiring multi-factor authentication and using certificate-based authentication for devices are two major steps in the right direction. Simple measures such as these can go a long way toward preventing breaches — even those typically caused by human error — and demonstrate that the manufacturer is taking security seriously.
In addition to protecting the device from attacks, security means protecting the integrity of the device and enabling device identity, so that encrypted communication over the internet can commence safely. There are many ways to accomplish these goals, including:
- Device Identity Certificates: Digital certificates added during the manufacturing process ensure that the devices are authenticated when they are installed on a network before communicating with other devices on that network.
- Secure Boot: Ensures that a device has not been tampered with between the initial “power on” and application execution. Developers can also use it to securely code sign boot loaders, operating systems, application code, microkernels and data.
- Embedded Firewalls: Embedded firewalls prevent communication with unauthorized devices in addition to blocking potentially malicious messages.
- Hardware Roots of Trust: For devices that handle particularly sensitive information, such as medical devices, manufacturers should consider using a trusted platform module or an embedded secure element for secure key storage and to establish a hardware root of trust.
- Secure Remote Updates: Secure remote updates ensure that components are not modified and are authenticated modules from the manufacturer. Validating that device firmware has not been modified before installing it is a critical security element.
Safeguarding devices and data from cyberattacks is an ongoing challenge, and no solution will ever be perfect. It’s a constant tug-of-war between attackers and defenders as they each strive to stay one step ahead of the other. Hackers are always devising new methods of attack, even as cybersecurity teams develop new ways to stop them. Staying abreast of new attack vectors, ensuring compliance with new regulations and accepted best practices, and building security into new devices from the start will provide the strongest possible defense against future cyberattacks.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.