
A Brief Survey of the Vulnerabilities of “Internet of Things” Devices

This report was originally completed in December 2016 and has been adapted here as an article.

Our project is the culmination of research done on unsecured “smart” devices (e.g. web cameras, printers, security systems) connected to the Internet. It contains an experimental dataset of said devices, which serves as the backbone for our analysis of existing trends across manufacturers of network-connected devices. We also produced several visualizations of our data, including a custom Google Map and graphs that show the percentage of unsecured devices by manufacturer. Finally, we produced a policy proposal for how to better secure IoT devices and protect larger companies, which takes the form of several recommendations and standards that companies and individuals should adopt to secure their infrastructure.

We hope to show that despite the insufficient security that default passwords provide, a significant number of users still do not change the default passwords on their IoT devices, which makes these devices vulnerable to otherwise preventable attacks and allows for the aggregation of personally identifiable information. This should be alarming, given the growing ubiquity of interconnected devices and their usage, and substantive action at the individual and policy level should be taken to address this new risk.

We first modeled different threats against the security of IoT devices in order to characterize their most obvious vulnerabilities.

Figure 1. IoT Devices are Most Vulnerable to Brute-Force Guessing Login Credentials. Attack tree against a vulnerable IoT device with the goal of gaining administrator privileges. Values I (improbable) and P (probable) assigned to various nodes indicate the feasibility of a given attack.

The results we received in response to these queries were not limited to a single geographic region or type of device; rather, we were provided a range of global devices and systems including cameras, printers, routers, and security systems. From these hosts, we identified and tested a sample of 201 IoT devices located within the United States which were either unsecured (no credentials required), secured by default credentials, or secured by custom credentials.

We subsequently compiled a dataset containing the following information regarding each device:

For those devices which listed their locations by default as the approximate geographic center of the United States (38, -97), we queried Shodan using the IP address in order to cross-reference the correct latitude and longitude. In the cases where the locations listed by Censys and by Shodan were different from each other, we used the location listed by Shodan.

Figure 2. Private and Public Devices are Defined by Context and Intent. a, Unsecured feed of the camera named arts-newsouthcam-1 overlooking the Arts and Transit construction project at Princeton University. b, Feed of a camera overlooking a receptionist desk with the overlay text “I SEE YOU” in upper left corner. c, Basic Image Settings box with the edited overlay text box “I like black dicks in my ass.”

For the purposes of the above database, we defined private and public devices as follows:

Public cameras are generally those for which owners are aware of their activities being watched or their feeds being accessed, or those with non-human subjects. These cameras will often …

Private cameras are generally those for which owners are unaware of their activities being watched or their feeds being accessed. These cameras will often …

From the database we created above, we generated a custom Google Map (available upon request) plotting the 201 devices according to the locations listed in Censys and Shodan. Our confidence in our dataset was validated by the observation that the density of our sampled IoT devices corresponds well with the population density across the United States, as shown in Figures 3a and 3b.

Figure 3. Distribution of IoT Devices Corresponds to Population Density Across the United States. a, Map of the 201 devices we sampled, colored by manufacturer and plotted using the locations listed in Censys and Shodan. b, Map of the 2009 population density in the United States[24]. c, Auto-generated device description that appears when node is clicked.

For convenience’s sake, clicking on any plotted device elicits an auto-generated pop-up window with corresponding device details found in the database (Figure 3c). The map also allows us to easily toggle between different types of categorization schemes, including coloring by manufacturer and model, level of security and level of access, type of device, public/private, and installation context. Trends within each of these categorization schemes will be described below.

Of the 201 devices we sampled, 46 were TRENDnet devices; 48 were IQinVision devices; 97 were Geovision devices; and 10 were Brickcom devices.

Figure 4. Levels of security vary widely between manufacturers. a-d, Pie graphs representing the percentage of sampled devices for each manufacturer which were identified as unsecured (no credentials required), secured by default credentials, and secured by custom credentials.
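As an added illustration (not code from the original report), the two data-handling steps described above, reconciling Censys and Shodan locations against the (38, -97) placeholder and computing the per-manufacturer security breakdown of Figure 4, written in Python over a constructed sample of records. The device records, their coordinates and the 192.0.2.0/24 documentation addresses are assumptions, not hosts from the study.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Censys reports an unresolved US location as the country's geographic center.
US_DEFAULT_CENTER = (38.0, -97.0)

@dataclass
class Device:
    ip: str                        # constructed sample value (RFC 5737 range)
    manufacturer: str
    security: str                  # "unsecured", "default" or "custom"
    censys_loc: Optional[Tuple[float, float]]
    shodan_loc: Optional[Tuple[float, float]]

def resolve_location(censys_loc, shodan_loc):
    """Apply the report's rule: when Censys returns the (38, -97) placeholder,
    or Censys and Shodan disagree, prefer Shodan; otherwise keep Censys."""
    if shodan_loc is None:
        return censys_loc           # nothing to cross-reference against
    if censys_loc == US_DEFAULT_CENTER or censys_loc != shodan_loc:
        return shodan_loc
    return censys_loc

def resolved_locations(devices):
    """Map each IP to the location the rule above selects for plotting."""
    return {d.ip: resolve_location(d.censys_loc, d.shodan_loc) for d in devices}

def security_breakdown(devices):
    """Percentage of devices at each security level, per manufacturer (Figure 4)."""
    counts = defaultdict(Counter)
    for d in devices:
        counts[d.manufacturer][d.security] += 1
    return {m: {level: round(100 * n / sum(c.values()), 1) for level, n in c.items()}
            for m, c in counts.items()}

# Constructed sample records; they are not devices from the study.
SAMPLE_DEVICES = [
    Device("192.0.2.10", "TRENDnet", "unsecured", US_DEFAULT_CENTER, (40.71, -74.01)),
    Device("192.0.2.11", "TRENDnet", "default", (42.36, -71.06), (42.36, -71.06)),
    Device("192.0.2.12", "Geovision", "custom", (34.05, -118.24), (34.06, -118.25)),
    Device("192.0.2.13", "Geovision", "unsecured", (41.88, -87.63), None),
]

if __name__ == "__main__":
    print(resolved_locations(SAMPLE_DEVICES))
    print(security_breakdown(SAMPLE_DEVICES))
```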

These are some of the policy recommendations that we formed, based on the results we encountered. They are by no means meant to be comprehensive, but simply a sampling of the sorts of thinking that would reinforce the general security of IoT devices:

Consumers:

Developers:

Developers should generally focus on using secure development methods, secure operating systems and software, and bolstering hardware security. They can do this through the following measures:

1. Encrypting the transmission and storage of credentials and video feed.

2. Improving usability by updating the interface, increasing user interaction with said interface, and making security options more readable is one fundamental way to improve basic security. This can be accomplished by moving away from using outdated or discontinued software for IoT devices, given that deploying such software on other devices (e.g. mobile devices or computers) would immediately trigger red flags for developers.

a. For example, the security level requirement for applications not on the Exception Site list for Java is normally high or very high — requiring a certificate from a trusted authority. During the course of our research, however, connections to some devices routinely required their addition to this exception site list through the Java Console. This then enabled an unsigned connection directly to their IP addresses — which highlights the weak encryption requirements for many IoT devices.

3. Rolling back devices that are discontinued and that operate on such outdated software would thus also be a wise move for developers.

Securers:

Industry-Wide / Government Regulation:

In addition to broadly adopting the recommendations that consumers, developers, and securers can individually adopt, we believe that the following recommendations would be useful if implemented at the industry and government level:

Brickcom, for example, states the following as the principles it’s dedicated to:

As we’ve noted before, Brickcom states that it also:

Geovision states this about their “industry-leading” product line:

IQinvision states the following as guarantees about their IQeye camera (a product that we encountered multiple times in our research):

TRENDnet’s mission statement is as follows:

While we have currently completed a dataset of representative IoT devices from 4 manufacturers, we hope to expand the scope of our analysis moving forward. To this end, we will identify more IoT devices by downloading an SFTP client to access devices that require an FTP connection; generating and testing additional search strings on Google as well as on Censys; and visiting forums such as 4chan and SomethingAwful to explore known vulnerable devices. In order to further characterize the distinction between levels of access (unsecured feed only vs. admin privileges) and installation contexts for unsecured devices, we will utilize Insecam, a website which displays an aggregate of unsecured IoT devices. Once we have identified these additional devices, we will further test pairs of default credentials found in the Mirai botnet source code.

Finally, in order to better characterize manufacturers of network-connected devices and strengthen our policy recommendations and standards for companies and individuals, we will create additional interactive visualizations that will allow readers to explore the trends they are interested in. These visualizations will include a history of flaws and improvements in IoT security; graphical displays of the relationships between manufacturer and model, level of security, type of device, and installation context; and an interactive map that will plot IoT devices according to any chosen category as well as represent whether these devices are online at a given time of day.

We thank Professor Jim Waldo for his guidance and oversight during the course of this project, and Molly Cinnamon and Katherine Loboda for providing advice during the semester and initial planning process.
