4SICS: Shodan founder says IoT here to stay despite security holes

News by Roi Perez

According to John Matherly - internet cartographer, security gadfly and founder of IoT-search engine Shodan - the internet of connected things is very much here to stay.

Referencing the recent misuse of thousands of webcams, harnessed into the Mirai botnet, Matherly asked: “How did we get to this situation?”

Matherly also pointed to the rise in NTP reflection attacks in 2013, another form of DDoS attack and arguably the successor to DNS-based reflection attacks, and suggested that the growth in the number of IoT devices and the growth in DDoS attacks may well be correlated.

He went on to talk about IPv6 port distribution and the parts of the internet that still need patching against well-known vulnerabilities, such as servers that still accept SSL v2 and those still exposed to the Heartbleed bug.

Matherly asked, “So what can we do to help mitigate these issues?” One of his biggest gripes is the proliferation of programming languages, which means that a great deal is expected of the talent doing the programming: the developers.

“And while we're on the topic of developers,” he said, “there has been an explosion in the rise of DevOps which has meant that any developer can be pushing code they have written into production. The culture of checking for bugs and security vulnerabilities has been diminished and it needs to be brought back.”

Likewise, the other problem with relying on talent was highlighted by the trouble node.js ran into when one of the developers working on the open source server-side JavaScript ecosystem left the project and pulled his code from the repository. Suddenly node.js ground to a halt, as his code was a critical part of the product.

Matherly said, “Obviously, this should not have happened.”

Matherly went on to speak about the rise in the use of the cloud, and developers not “developing their own images” when deploying software to cloud services like Amazon Web Services.

Highlighting the issue, Matherly did some scanning and found that Western Digital has the highest number of ports open in the cloud, including ones for Telnet and VNC. This means that its attack surface suddenly becomes “massive”.

And it appears that the era of ‘security by obscurity’ is still alive and well, Matherly says. To avoid people scanning for known ports on their devices, admins are simply moving services from their default ports to “very very obvious ones”.
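The reason moving a service off its default port buys so little is that scanners such as Shodan index what a service says when you connect to it, not which port it was found on. The short Python script below is an added illustration of that point; it is not from the article, from Matherly's talk or from Shodan's own code. It matches the opening bytes a server sends (the VNC “RFB” greeting, Telnet IAC option negotiation, the SSH version string, an HTTP status line, an FTP 220 reply) and so identifies Telnet and VNC on any port. The hosts, ports and banners in the sample scan are constructed for the example; the live `grab_banner` helper is included so the same classifier can be pointed at a real host you are authorised to test.

```python
"""Banner-based service fingerprinting that ignores the port number.

Added example, not code from the article or from Shodan. It shows why
relocating Telnet or VNC to a "very very obvious" non-default port does
not hide it: the protocol greeting is the same on every port.
"""
import re
import socket

# Signatures for the first bytes a server sends (or replies with) on connect.
# These are the protocols' real on-the-wire greetings; ports play no part.
SIGNATURES = [
    # RFB (VNC) servers open with a ProtocolVersion message, e.g. "RFB 003.008\n".
    ("vnc",    re.compile(rb"^RFB \d{3}\.\d{3}\n")),
    # SSH servers open with an identification string "SSH-2.0-<software>".
    ("ssh",    re.compile(rb"^SSH-\d\.\d-")),
    # Telnet servers open with IAC (0xff) followed by WILL/WONT/DO/DONT (0xfb-0xfe) and an option byte.
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe].")),
    # HTTP servers answer a request with a status line such as "HTTP/1.1 200 OK".
    ("http",   re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    # FTP servers greet with a 220 reply.
    ("ftp",    re.compile(rb"^220[ -]")),
]


def fingerprint(banner: bytes) -> str:
    """Return the protocol name for a server banner, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"


# Constructed scan results (host, port, banner). The ports are deliberately
# non-standard, as with the admins Matherly described; the banners are what
# the real protocols emit and are what a scanner actually keys on.
CONSTRUCTED_SCAN = [
    ("192.0.2.10", 5901,  b"RFB 003.008\n"),
    ("192.0.2.10", 59000, b"RFB 003.003\n"),                 # VNC "hidden" on a high port
    ("192.0.2.11", 2323,  b"\xff\xfd\x18\xff\xfd\x20"),      # Telnet: DO TERMINAL-TYPE, DO TSPEED
    ("192.0.2.12", 2222,  b"SSH-2.0-dropbear_2019.78\r\n"),
    ("192.0.2.13", 8080,  b"HTTP/1.1 200 OK\r\nServer: lighttpd\r\n"),
    ("192.0.2.14", 4444,  b"\x00\x01\x02hello"),              # something unrecognised
]


def classify_scan(results):
    """Map each (host, port, banner) to (host, port, protocol)."""
    return [(host, port, fingerprint(banner)) for host, port, banner in results]


def exposed_admin_services(results):
    """Return the remote-administration services (VNC, Telnet) found, whatever port they use."""
    flagged = {"vnc", "telnet"}
    return [entry for entry in classify_scan(results) if entry[2] in flagged]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Live probe: connect and return the first bytes the server sends.

    Services that stay silent until spoken to (HTTP) get a minimal request.
    Only use against hosts you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
        return data


if __name__ == "__main__":
    for host, port, proto in classify_scan(CONSTRUCTED_SCAN):
        print(f"{host}:{port:<6} {proto}")
    print("remote-admin exposure:", exposed_admin_services(CONSTRUCTED_SCAN))
```

Running it lists VNC on 5901 and 59000 and Telnet on 2323 as exposed, even though none of them sits on its default port. The same logic, applied by a scanner to the whole IPv4 space, is how an obscured port ends up listed on Shodan anyway.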

And these problems don't go away quickly. Matherly said that a particular device he has been researching gives up its admin password when it is simply sent a packet of data; it literally responds with the admin password. This is a well known vulnerability, thousands of devices in the wild are affected and, even worse, it has been around for ages.

It is because of these issues that Matherly said, “There is obviously more education to do… There are some vendors who are right now claiming to be impenetrable, which is plain wrong.”

He added, “Some even get angry when they are found out and listed on Shodan and even email me to complain.”

“Security by obscurity doesn't work!” he said.

Drawing some laughter from the crowd, Matherly then spoke of different applications of the IoT, particularly the egg minder, which can tell you how many eggs you have at home in case you are “really craving an omelette”. The device sits in the fridge, and many egg minders malfunctioned because of the lower operating temperature there.

Obviously, this all seems very over the top, but there's a larger point here to be made, where Matherly argues that the IoT is here to stay due to its enticing nature.

Matherly said that the “sexiness” of certain devices is always going to trump the security of those devices because people are attracted to a shiny gadget, rather than something which is secure by nature.

Although Matherly said “the IoT is on the rise, but the world is not ending yet”, he also said that we will soon have no choice about using IoT devices, giving the example of Samsung, which announced that all its future TVs will be ‘smart’ ones.

And it's for this reason Matherly questions whether or not we have done a good job of communicating to the public about the issues at hand, and he questioned whether the public were aware of the security risks posed by insecure IoT devices.

Matherly said, “We need to break down tech language, learn to communicate the issues properly and get better at spreading the message, both to product vendors and consumers.”
