Imagine reading a headline in tomorrow’s news stating that your neighbor’s identity was stolen and their life savings cleaned out by criminals who entered through their ‘smart’ washing machine.
Ridiculous, you say? Well, have you checked your own home Wi-Fi network lately?
You might have several connected household gadgets and other internet of things (IoT) devices tethered wirelessly through a misconfigured router with no firewall settings. Is the firmware current? Are security patches up to date?
Still not convinced this is a serious problem? Then consider this glaring example of how dangerous an outdated device can be.
In June, Western Digital My Book NAS owners worldwide found out that their devices were mysteriously factory reset and all their files were deleted. My Book Live and My Book Live Duo are personal cloud storage devices.
When the WD product users attempted to log in via the web dashboard, the devices responded that they had an “invalid password.” WD My Book owners could no longer log into the device via a browser or an app.
My Book Live and My Book Live Duo products experienced data loss due to a security incident, according to the Western Digital website. WD informed customers that the company would cover the costs of eligible users with qualifying products to recover their data using the data recovery services (DRS) provided by a Western Digital-selected vendor.
The company promised to cover the costs of shipment of the qualifying product to the DRS vendor and for the data recovery service. Any recovered data would be sent to the customer on a My Passport drive.
Western Digital confirmed that “some My Book Live devices are being compromised by malicious software.” The company also confirmed reports this has led to a factory reset that erased all data on some customer devices.
The My Book Live device received its final firmware update in 2015. The June 2021 statement from Western Digital suggested users disconnect their My Book Live devices from the internet to protect the data on their device.
The My Book Live vulnerability shows there is still a long way to go in IoT security. Much attention has been paid to the fact that such devices are not hardened or built according to best practices, according to John Bambenek, threat intelligence advisor at Netenrich.
“In this case, we see that devices are being built that are meant to outlast their vendor’s support commitments; so not only are they vulnerable, but consumers cannot protect themselves either. Whether it is data loss, ransomware, or DDoS, these issues will keep recurring until vendors commit to protecting their customers,” he told bluehillco.
Flawed Business Model
Original equipment manufacturers (OEMs) take no responsibility for this fiasco, as their aging connected devices are no longer for sale.
However, most customers are not aware that these devices actually have an expiry date, and consumers are not alerted to the dangers of continuing to use unpatched firmware, with countless outdated connected devices waiting to be infiltrated by opportunistic attackers, suggested Asaf Ashkenazi, COO at connected devices security firm Verimatrix.
“OEMs should either transform their business model to sustain a long-lasting software update service or install more sophisticated tech that would make hacking these devices much more difficult,” he told bluehillco.
Ashkenazi is not outright blaming problems like the Western Digital fiasco on the OEM industry. The problem is with the business model. No standards exist to regulate how IoT devices should be maintained and secured.
“Unfortunately, I do not see anything that is addressing the standardizing of security on these IoT devices. Maybe the government or consumer protection, or some companies will decide to build a consortium that will say who is responsible,” he said.
A need definitely exists for more transparency in terms of the level of support for the software on these devices. Nothing can be done to deal with the problem until the industry decides to pick up that challenge, he added.
Education and Consumer Pressure
It will take an educational awareness effort to make consumers mindful of the dangers inherent in buying insecure IoT devices. That can then translate into enabling consumers to consider device security as part of their buying decision, suggested Ashkenazi.
Most consumers today are unaware that devices common in their household can be connected to the internet through their wireless routers. If they have a device that connects to the network, they need to make sure that the device’s software is updated, he added.
“When the software is no longer updated, the device can be dangerous to use,” he warned.
The goal, as Ashkenazi sees it, is to first protect consumers. Then he hopes that consumers will put enough pressure on manufacturers that companies will start to say how long they are going to support the software.
Apple, Google, and some other big companies are saying that for certain devices. But for a lot of the other devices, the companies stop supporting them after six months or so. Consumers continue using these abandoned devices because they otherwise appear to be working fine, he said.
Consumers must be just as meticulous as enterprise businesses when it comes to cybersecurity. Enterprise security teams understand that vulnerabilities come in all shapes and sizes, observed Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a SaaS provider of enterprise cyber-risk remediation.
“In the case of the Western Digital My Book Live devices, threat actors took advantage of a daisy-chained set of circumstances to wipe the data from exposed hard drives. Consumers should have known to keep the drive firmware patched, and to only connect the drives to the internet when needed. However, where does the responsibility fall? On the consumer or on Western Digital? There is not a clear-cut answer,” he told bluehillco.
One of the main problems with IoT security at present is that the rush to market often deprioritizes security measures that need to be built into our devices. This issue has made many IoT devices low-hanging fruit for criminals interested in stealing sensitive data and accessing exposed networks, noted Stefano De Blasi, threat researcher at Digital Shadows.
“Additionally, criminals can exploit vulnerable products by leveraging their computing power and orchestrate massive IoT botnet campaigns to disrupt traffic on targeted services and to spread malware,” he told bluehillco.
Cybersecurity Blind Spots
IoT security, or the lack of it, suffers from industry shortcomings. The primary issue is that traditional vulnerability management tools do not scan past the operating system. Thus, they do not detect any security issues or vulnerabilities in the firmware layer, according to Baksheesh Singh Ghuman, global senior director of product marketing and strategy at connected devices security firm Finite State.
“The secondary issue involves device manufacturers, who are often in charge of performing device security despite commonly lacking the appropriate security controls to scan for firmware layer vulnerabilities,” he told bluehillco.
It’s important for manufacturers to conduct a thorough analysis for vulnerabilities of any kind, and if they discover any, inform potential users about available firmware upgrades and patches, he recommended.
“It is a very reactionary process, unlike the automated proactive process found in enterprise vulnerability management practices. As a result of these factors, firmware vulnerabilities are often ignored and become cybersecurity blind spots which draw the attention of threat actors,” said Ghuman.
IoT Security Complicated
Depending on the industry and application, a patch is not always available. In the case of consumers, patching is a twofold process, according to Ghuman.
First, the device manufacturer needs a standard upgrade process in place to push upgrades/patches to their devices. The second step requires the spread of consumer awareness about the need to upgrade and patch vulnerabilities.
“This is quite challenging because it requires constant reminders and education regarding cybersecurity hygiene,” said Ghuman.
Device manufacturers can take a few steps to prevent more episodes like the Western Digital dilemma, he suggested. Those include:
- Making sure there is a product security group present within their organization;
- Incorporating firmware layer vulnerability management as part of their overall product development and product security programs, so that they can detect firmware layer vulnerabilities before they are distributed;
- Proactively scanning for exploitable vulnerabilities in their firmware and, if any are discovered, quickly developing patches; and
- Having a standard and secure firmware upgrade process in place which pushes patches as they become available.
The consumer move to a preference for digital-first interactions will grow the potential threat landscape that can be targeted by attackers, observed Tyler Shields, CMO at JupiterOne. More apps, more data in the cloud, more digital experiences, mean more targets of both opportunity and chance.
“There will be a continued increase in data compromise as we move more and more of our daily life into the cloud. We have really only just begun to see the expansion of digital experiences and the attacks that will grow alongside them,” he told bluehillco.
Security has always been offset by ease-of-use. The cybersecurity vendor community must drive toward creating easy-to-use cybersecurity experiences that deliver an acceptable level of security to the technologies that the consumers demand, according to Shields.
A good example of this is the move to single sign-on and password-less authentication. Users have failed to maintain proper passwords for decades, and that situation will never change. Therefore, innovation must build an easy-to-use alternative that provides appropriate security with a much better user experience.
“Enterprises have to find the right balance of technology innovation alongside security for traditional models,” he said.