There is something about a closed-door meeting that seems to spark everyone’s curiosity. We cannot help but wonder who might be the subject of conversation or what is so secretive. So, when two heads of state meet privately sans their usual entourage, as the leaders of the United States and Russia did recently in Helsinki, minds everywhere start to race. While many waited for press releases to learn about the conversations that took place, according to a recent article in Defense One, some in China may have tried to become the proverbial ‘fly on the wall’ by hacking their way into local IoT devices in the days before the summit. These attacks say a lot about the vulnerability of IoT devices and how high the stakes are to ensure that those devices are secure. Fortunately, there are measures we can take to ensure that devices are protected against such attacks.
As the authors note, the IoT devices that were attacked use SSH (Secure SHell) as a secure remote management tool. The security of SSH resides on the authentication credentials to allow a remote user to log in to the device using a password. These devices should be secure against the attacks outlined in the article if the owners of these devices implemented strong passwords. Unfortunately, most users never change their IoT device passwords from the default password. This weakness allows hackers to use known default passwords or known patterns of default passwords. According to the article, the China hackers ran programs that threw thousands of passwords at the devices in order to find one that would work. This type of attack is easy to automate; you just write a script, start it running, and then wait until you get a hit.
So, the first and easiest step we can all take to improve IoT security is to ensure that we implement strong passwords on all our connected devices. And while that is a clear solution, unfortunately, there is no way to ensure complete compliance of this procedure by all consumers of IoT devices around the world. Another approach is worth considering but would require the cooperation of manufacturers of IoT devices: SSH can use both password-based authentication AND public-key authentication. Rather than use only password-based authentication with a default password, manufacturers could default to public-key authentication and only enable password-based authentication once the device owner sets a password. With this change, conscientious device owners who set passwords would get the strength and convenience of password-based security, while those who do not set passwords will at least have some security on their devices.
This is not to say that there are any fail-safe approaches. Device security is difficult. Manufacturers need to consider security from the beginning of the design cycle, and consumers need to take responsibility for security of the devices in their possession. Any bolt-on security solution or quick fix is going to have vulnerabilities that smart hackers will seek to exploit. We all have to do our part to implement security because, as seen from recent events, the vulnerability of our devices is real, and the stakes are high.