Non-Secure, Backdoored IoT Devices Could Become Powerful Weapons For Rival Nations

The Institute for Critical Infrastructure Technology (ICIT), a cybersecurity think tank, published a new paper in which it argued that future IoT devices need to be secure-by-design and that there should be some regulation setting minimum security standards, too. Failing that, the group warned that non-secure IoT devices or devices that have backdoors could be transformed into powerful weapons that rival nations could wield against each other.

Mirai, The Beginning Of Massive DDoS Attacks

Since the open source Mirai botnet software was published on the internet, we’ve started to see some powerful distributed denial of service (DDoS) attacks that can take down major websites or at least cause severe disruption to their service.

The attacks were mainly enabled by non-secure Internet of Things (IoT) devices, which are often not designed with security in mind and even come with backdoors or hardcoded credentials. This gives attackers easy entry into millions of devices, which they can then take over.

However, despite all of this, many experts seem to agree that Mirai is only the beginning. As billions of IoT devices are predicted to come online over the next decade, we could see attacks that are orders of magnitude more powerful. At that point, the non-secure or backdoored IoT devices are not just a threat to a handful of large companies or organizations, but to entire nation states. Massive DDoS attacks could be used to shut down critical infrastructure and cause chaos.

In the report called “Rise of the Machines: The Dyn Attack Was Just a Practice Run” (pdf), which was written by James Scott and Drew Spaniel, both of whom are members of ICIT, the authors warned that in the future it’s possible that China or other states could weaponize non-secure or backdoored IoT devices and then use them against rivals.

If that’s the case, and it at least looks like we’re heading in that direction, then the governments of all countries need to realize that non-secure IoT devices, or devices that ship pre-backdoored and can later be exploited by anyone, represent a serious national security risk.

Making IoT Devices "Secure-By-Design"

Throughout most of the paper, the authors argued for IoT devices that employ “security-by-design.” What that means is that manufacturers will have to ensure that their IoT devices are developed with security-first thinking. All code will need to be written in a way that won’t cause too many security vulnerabilities later on, and multiple anti-exploit protections will have to be deployed. Both measures should end up saving the manufacturers some money on patching the systems, or even on recalls or lawsuits.

The ICIT authors said that right now, neither the buyers nor the sellers of IoT devices feel any responsibility for the damage their devices cause when they are taken over by botnets due to poor security. The buyers don’t care because DDoS attacks don’t impact their devices in a major way, and the sellers have simply moved on to selling a new version of their product, instead of investing in patching the older one.

Bruce Schneier, a well-known security expert, has recently argued that the non-security of IoT devices should be seen as invisible pollution that affects everyone. Therefore, just like with pollution, the only solution is some kind of government regulation on companies polluting the environment.

The ICIT authors also share Schneier’s view that governments should impose some minimum security standards on IoT manufacturers, along with liabilities in case something goes wrong. Companies affected by DDoS attacks from non-secure IoT devices should also be able to sue the makers of those devices.

The authors also said that regulation should be done responsibly so as not to hinder innovation too much. They suggested following security standards similar to those in other industries, such as the healthcare industry, as well as following security best practices such as the ones promoted by NIST or other relevant agencies.

Backdoors should also be avoided at all costs. The authors said that whatever good may be achieved through them is outweighed by orders of magnitude by the potential of a nation state one day being able to use those same backdoors to attack and cripple national infrastructure of various critical services. In the meantime, backdoors will also be discovered and used by many other “bad guys” for their own malicious purposes.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • vijer
    Ha Ha, I can't get my laptop to consistently connect to various WiFi networks because of different standards, yet hackers can get my camera to attack with ease.
  • tmtisfree
    When I see 'regulation' and 'security' in the same sentence, a 'You fool!' association pops in mind...
  • COLGeek
    Beware the smart toaster!

    Really though, why folks need some of this IoT stuff is beyond me. Just how smart do we need dumb devices to be?

    Many who complain about privacy and security are the very consumers who buy into this tech (while every waking breath they take is spewed across social media).

    Makes zero sense to me.
  • firefoxx04
    I suppose it is too much to ask for the average person to put all their smart devices on a dedicated vlan with heavily restricted internet access.
  • blazorthon
    If I want a smart toaster, smart oven, smart anything else, I still don't see a good reason for these devices to have unrestricted internet access. Most of their functionality is mostly useful on a local network basis, not over the internet. Even then, they don't need to be able to access any websites, just a control device like my cell phone if I want to say turn on a coffee pot on my way home for company.

    While that might not call for extreme encryption or anything like that, simply not letting the devices be capable of accessing anything else over the internet would solve most problems. Also, they can't DoS if they're forced to only be able to send/receive a limited number of packets per second, like, say, one? A coffee pot doesn't need a lot of internet bandwidth nor low latency to be turned off and on remotely.

    That's what gets me about these IoT security problems. They're so incredibly simple to solve. Limit their capability in hardware/hardcoding to only be able to do what they need to be able to do and even if someone gets control of them, their malicious capabilities are diminished by many orders of magnitude. Make them only capable of connecting to the remote control device (cell phone) and they can't even be used to attack corporate or government interests, assuming corporate/government employees use separate work and personal phones like they're often supposed to. You generally can't exploit your way around a hardware limitation.
  • virtualban
    Software based planned obsolescence.
  • epdm2be
    Who invents those titles? And wth are you guys trying to accomplish? Mass-hysteria? Aren't you guys exaggerating this IoT-doomsay scenario a bit?

    This site is still called Tom's HARDWARE, isn't it? Don't you have some proper hardware reviews to do instead of participating in this kind of intimidating dribble?
    I expect this bs on The Register or Slashdot but not here! :(

    Perhaps some of the commenters can point me to a site with more interesting tech-reviews than Tom's.

    Perhaps you ought to fix your login page instead of this. Because I can't login with firefox (error 403) while it works fine with Iron (Chromium) :-(
  • blazorthon
    Considering the start of IoT attacks hammered a huge portion of the internet's major sites, I'd say no, it isn't being blown out of proportion if IoT devices are going to greatly increase in number. If banks start getting hit regularly or anything like that, then some very serious problems will happen. How blown out of proportion is the majority of a population not being able to get their money for food or paying bills?
  • Nakal
    FIREFOXX04 - You are assuming people know what a VLAN is...
  • problematiq
    18993815 said:
    Who invents those titles? And wth are you guys trying to accomplish? Mass-hysteria? Aren't you guys exaggerating this IoT-doomsay scenario a bit?

    This site is still called Tom's HARDWARE, isn't it? Don't you have some proper hardware reviews to do instead of participating in this kind of intimidating dribble?
    I expect this bs on The Register or Slashdot but not here! :(

    Perhaps some of the commenters can point me to a site with more interesting tech-reviews than Tom's.

    Perhaps you ought to fix your login page instead of this. Because I can't login with firefox (error 403) while it works fine with Iron (Chromium) :-(

    Working in information security, I worry more about the IoS/IoT (Internet of #$%^) than I do about credit card fraud.