Any product has a limited lifespan, determined by its purpose, its parts or its manufacturer. In the past, a product might have been repaired or replaced in the event of a fault but was otherwise unsupported once sold. With the Internet of Things (IoT) the role of the manufacturer is changing.
By Ken Munro, Partner, Pen Test Partners
Vendors are now seen as responsible for servicing and updating the product over time, incurring more costs. Meanwhile, IoT users are becoming ever more reliant upon smart devices to monitor and manage the home or business.
So what happens when an IoT product reaches end of life or the manufacturer chooses to withdraw support?
Inevitably there comes a point at which the manufacturer will pull the plug. Not all products are equipped to support OTA (Over the Air) updates, for instance, so when a major security vulnerability is found there may be little alternative but to discontinue the line and move on to version 2.0. We have already seen this approach used in the consumer market, where IoT devices are notoriously insecure.
A classic example is the case of TP-LINK's TL-SC3230 IP Surveillance Camera kit. We reported a Cross-Site Request Forgery (CSRF) vulnerability to the manufacturer that allowed the video stream to be compromised remotely, i.e. without the attacker needing to be anywhere near the camera. The manufacturer's response was that the device was no longer supported, so they would not be fixing it.
In such instances the repercussions are few; users are used to lines being discontinued in favour of next generation appliances. But what happens when it comes to more expensive or long term appliances? The price point of products such as white goods might include sufficient wiggle room for the manufacturer to provide a recall. But there are some devices we are simply too dependent upon, making both the discontinuation and recall methods irresponsible and impractical.
Smart thermostats and smart lighting systems are prime examples. These are ‘fit and forget’ items that we do not expect to have to replace frequently. We’re unlikely to manage these proactively, allowing updates to lapse if these aren’t installed automatically, and may not even realise when support is withdrawn.
Over time, the sheer scale of deployed IoT will result in a bank of exposed devices in millions of homes and businesses. It will be an attacker's playground, allowing devices to be hijacked and used to feed botnets dwarfing the one built by the Mirai malware. We can also expect other attacks such as malware and ransomware, with the user blackmailed into paying to regain control of their heating or lighting systems.
At that point, whether vendors consider themselves to blame or not, we could see substantial lawsuits as users seek compensation for loss of service. A civil case arguing that the user was deprived of heat or water, regarded as a basic human right, would be difficult to defend against.
So what should IoT manufacturers be doing to guard against this? One radical solution is to fit devices with a kill switch, so that an army of vulnerable devices can be disabled remotely rather than left exposed.
Mobile device manufacturers build in kill switches as a matter of course, and in December 2016 Samsung took the unusual step of forcing an update to the Galaxy Note 7 that stopped the remaining handsets from charging. They had already issued a product recall but decided to activate the switch to eliminate those that had not been returned. Granted, this was done in the interests of customer safety rather than to protect the brand; without such a clear justification the approach could backfire, making it a last resort.
Another solution is to monetise support itself, with users paying a subscription to ensure their product is serviced. This makes it financially viable for the vendor to continue to bankroll security updates and, even where the update has to be installed by the user, they can demonstrate that they exercised a duty of care and fulfilled their obligations.
Alternatively, vendors may seek to shift more of the liability on to the user: advising on recommended installation and configuration could help cover them in the event of a compromise. But vendors will find it difficult to revise their terms and conditions in this way without alienating users, and the standards now being introduced to regulate the IoT sector will further tighten their obligations.
Users can of course take steps themselves. Segregation, whereby IoT devices are placed on their own network with no route to the Internet (true air-gapping would mean no network connection at all, which defeats the purpose of a smart device), ensures that devices which are no longer supported cannot be reached by attackers, and cannot reach the rest of the network if they are compromised. In the home environment this requires setting up a secondary LAN or VLAN purely for IoT devices, with firewall rules between it and everything else, which could be beyond the capabilities of many users.
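What that secondary network looks like in practice, as an added example that is not part of the original article: an nftables ruleset for a Linux home router with a WAN port, a trusted LAN and a separate IoT network. The interface names (eth0, lan0, iot0), the vendor address and the assumption that the router itself serves DHCP, DNS and NTP are all assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the article). Assumed interfaces:
#   eth0 = WAN (Internet), lan0 = trusted LAN, iot0 = IoT-only LAN/VLAN.
# The router is assumed to serve DHCP, DNS and NTP to the IoT network itself,
# so unsupported devices never need a route to the Internet.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # IoT devices may talk to the router only for DHCP, DNS and NTP
        iifname "iot0" udp dport { 67, 53, 123 } accept
        iifname "iot0" tcp dport 53 accept
        # The trusted LAN may manage the router
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the trusted LAN opened (phone -> thermostat)
        ct state established,related accept
        # Trusted LAN -> Internet
        iifname "lan0" oifname "eth0" accept
        # Trusted LAN -> IoT, so a phone on the LAN can still control devices
        iifname "lan0" oifname "iot0" accept
        # If a still-supported device genuinely needs its vendor cloud, allow
        # only that destination and port (address is a placeholder assumption):
        # iifname "iot0" oifname "eth0" ip daddr 203.0.113.10 tcp dport 443 accept
        # Everything else from the IoT network (to the Internet or to the
        # trusted LAN) is logged and dropped, so a hijacked device shows up
        iifname "iot0" log prefix "iot-blocked: " counter drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NAT only for traffic that was allowed out by the forward chain
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and put the IoT devices on their own SSID or VLAN so that the Layer 2 separation matches the rules above; the `iot-blocked:` log lines then tell you which devices are trying to phone home, which is also a quick way to discover which ones depend on a vendor cloud that may one day be switched off.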
For now, manufacturers and users alike seem to be sleepwalking into a future heedless of how support will be sustained. The recent Secure by Design Code of Practice issued by the UK Government suggests manufacturers could include information 'stating the product's minimum support period', but will users appreciate that this means their device becomes vulnerable to attack after that time? The IoT presents us with a very different challenge, requiring a different solution, to the throwaway culture that preceded it.