A very dangerous lack of attention to detail seems to be prevalent among Internet of Things (IoT) consumer products. Since their inception, the number of vulnerabilities in these devices has far outweighed the conveniences they provide. Despite this known fact, companies continue to produce devices that use advanced forms of network architecture to circumvent what would otherwise be considered best practices, and in some cases, common sense.
When a company is designing a product, many factors are considered, but the largest is arguably cost over quality. When the bottom line, rather than a quality product, drives the decisions, there is a high likelihood that a cost-related oversight will lead to a software-based vulnerability. It costs money to hire people to test and attempt to break your product, and in some cases the decision is made to overlook the potential for security flaws in it. In the past, product safety was focused on children swallowing small parts or toxic materials being used in manufacturing. In 2017, safety concerns extend into the cybersecurity realm, and many companies find themselves utterly ill-equipped to deal with these obstacles.
Looking at several examples, the question raised in my own mind is, “Who thought this was acceptable or OK?” Consider a toy company selling one of the oldest known toys: Spiral Toys created a cloud-connected stuffed animal line called CloudPets. The toy allowed recorded voice messages to be sent back and forth between the toy owner and, presumably, family members. These messages were stored in unsecured MongoDB databases. In early 2017, exposed MongoDB instances were targeted by ransomware operators, and Spiral Toys was one of the victims, as its database lacked any security at all, not even a basic password or firewall rules. Was this a simple one-time oversight? Unfortunately, no. Spiral Toys was informed four times that customer data was exposed online, and evidence also showed that its data was stolen multiple times. The company has not updated its blog since 2015; customers can check whether they are affected at haveibeenpwned.com/.
It’s easy to write off what happened to Spiral Toys as the result of a lack of resources. But even large companies still deal with major design flaws affecting their customer base. The popular networking equipment manufacturer Cisco found out that the CIA had a zero-day exploit affecting more than 300 switch models after WikiLeaks published the Vault 7 leaks. The zero-day in IOS and IOS XE lies in the Cluster Management Protocol. When exploited, unauthenticated remote attackers can cause a reboot of the affected device, remotely execute malicious code on the device with elevated privileges, and carry out other control-based attacks. For more information on this vulnerability, see CVE-2017-3881.
The only thing worse than having a known product vulnerability within your own organization is having a known vulnerability at an outside or third-party entity. Google has recently decided to distrust SSL certificates issued by Symantec. Symantec, most famous for its Norton antivirus software, was found to have improperly issued over 30,000 extended validation certificates over the past few years. Extended validation certificates are meant to provide the highest level of trust and authentication: before one is issued, the Certificate Authority must verify the requesting entity’s legal existence and identity. To quote the Google Chrome development team:
“On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users. Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them.” (Source)
Internal bureaucracy, financial pressure, carelessness, or a lack of understanding of the product being manufactured and sold are all possible catalysts, but Ockham’s Razor suggests that intentional neglect caused these vulnerabilities. We have best practices to serve as guidelines, but it’s not uncommon for these guidelines to be disregarded by groups within organizations that don’t fully understand why the guidelines exist in the first place. The CloudPets toys lacked the most basic security measures, compromising customer information. With Symantec, it was carelessness in overseeing how certificates were issued.
One last example will deliver a palm to the face of anyone in the software world. Miele Professional manufactures medical-grade washers and disinfection machines for use in hospitals. Hospitals, as you may or may not know, operate under very strict guidelines regarding patient information under HIPAA. In mid-November 2016, security researchers discovered a vulnerability in one of these dishwashers: it runs an embedded web server that is vulnerable to directory traversal, tracked as CVE-2017-7240. When the researchers reported their findings, they received no response from the manufacturer. It is evident that Miele was not staffed or prepared to deal with the complications a web server can cause and the risks associated with it. While there are theoretical advantages one could contemplate, the idea that a washer needs not only internet connectivity but the capability to run a web server is one that really should have had more time spent at the drawing board. At many security conventions, this lack of oversight is the source of many jokes. All joking aside, the slope is slippery and riddled with danger.
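Directory traversal is worth seeing side by side with its fix, because the defect is so simple that it is easy to ship by accident in an embedded web server. The following is an added illustration written for this post, not code from Miele or from the CVE-2017-7240 advisory; the web root and request paths are constructed examples. It contrasts a naive path join with a resolver that decodes the request once, normalizes it, and then confirms the result still lies inside the web root.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example (hypothetical, not from the post).
WEB_ROOT = "/srv/www"


def resolve_vulnerable(web_root: str, requested: str) -> str:
    """Naive resolver: joins the request onto the web root and trusts it.

    Returns the path the OS would actually open. A request containing
    '..' segments walks out of the web root unchecked.
    """
    return posixpath.normpath(posixpath.join(web_root, requested.lstrip("/")))


def resolve_safe(web_root: str, requested: str):
    """Hardened resolver: returns the file path, or None if the request
    would escape the web root.

    Steps: decode percent-encoding once, strip the leading slash so the
    join cannot be overridden by an absolute path, normalize away '.'
    and '..', then check containment with a trailing-slash comparison so
    that '/srv/wwwevil' is not mistaken for a child of '/srv/www'.
    """
    root = posixpath.normpath(web_root)
    decoded = unquote(requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # On a real server, also resolve symlinks (os.path.realpath) before the
    # containment check; pure posixpath is used here so the example runs offline.
    return candidate


if __name__ == "__main__":
    # Constructed request paths, including a percent-encoded variant.
    for req in ["index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req!r:32} naive={resolve_vulnerable(WEB_ROOT, req)!r:24} "
              f"safe={resolve_safe(WEB_ROOT, req)!r}")
```

The containment check, not the normalization, is what closes the hole: normalizing alone still yields a valid path outside the root, and a server that only strips literal `../` strings misses the percent-encoded form. Decoding exactly once, before normalizing, keeps the check aligned with what the filesystem will see.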
As someone who is still green to this industry, it baffles me that these seemingly blatant flaws in handling customer assets, product design, and best practices are as frequent and widespread as they appear to be. I’m left asking several questions: Do companies think consumers just don’t care, or are too uneducated to understand these product issues? Is the bottom dollar worth risking your company’s assets by rushing a product to market that could put your customers’ information at risk, and thus erode confidence in your brand? What can an engineer do when faced with pushback, deadlines, and ultimatums that force severe flaws into their designs? These questions need answers, but each organization is going to answer them differently. If these questions are not being asked, stories like the ones above will continue to steal the headline spotlight.