The BIG READ. Mozilla has published the full version of its long-awaited Internet Health Report 2018. Chris Middleton looks at what it has to say about the Internet of Things, and finds that unsecured devices are an unnecessarily big problem. But what can we do about it?
Somewhere in Vietnam, a man is searching for a shoe box in a storage room; a woman is slicing bread in Argentina; a student browses in a New York book shop, and a child sits restlessly on his mother’s lap in a pharmacy in France. Meanwhile, a woman puts documents on a photocopier in South Korea, a man dives into a swimming pool in the Czech Republic, and a woman sits with her children in a Spanish cafe.
What do all of these people have in common? They’re all unknowingly being live-streamed on the internet by online security cameras that have no passwords assigned. These people don’t know they are being watched by anyone who looks for insecure cameras on the internet, says open source internet organisation, Mozilla.
Here’s looking at you…
Inevitably, online platforms exist to help people surf unsecured cameras, by linking to tens of thousands of unprotected devices worldwide and streaming their feeds live online. Some sites are committed to removing private or “unethical” devices from their filtered lists, which are sourced from unprotected cameras in hundreds of towns and cities throughout the world – many in shops, offices, gyms, and other public spaces. Others presumably don’t share these scruples.
Some sites even allow visitors to browse by camera manufacturer, including most of the popular electronics brands – a roll call of shame when it comes to IoT security.
Whoever set up each camera could choose to restrict access with a password. Without that protection, these people are broadcasting to the entire world via the internet – no matter what they happen to be doing. They don’t have to be hacked, and among their numbers may be people in their own living rooms or bedrooms, schoolchildren in classrooms, or business people engaged in private meetings.
Increasingly, remote viewers of unsecured cams might be able to find out who people are, via image searches, social platforms, and facial recognition algorithms. Monitor the same cam over time, and it could be possible to piece together a detailed picture of someone’s life. In China, authorities plan to do exactly this with a compulsory social monitoring scheme involving the country’s entire population.
“We are beginning to see the health of the internet as not just a technical issue, but a human one,” says Mozilla of the growing problem. “Cybersecurity is often portrayed as a ‘hacker’ problem, but it’s also deeply intertwined with the health of the internet ecosystem as a whole.”
So is the internet healthy?
To help answer this question, Mozilla – which campaigns to keep the internet as an open, public resource and develops products such as the Firefox browser – has just released its Internet Health Report 2018. The document explores every aspect of internet usage today, from browsers, search, and the distorting influence of online advertising, to fake news, social engineering, and security.
The report finds that while some aspects of the internet are improving, including access, affordability, and encryption, others are getting significantly worse, including censorship, online harassment, and energy use.
One of the key areas that Mozilla identifies as a growing problem is the booming Internet of Things. “Up to 30 billion devices will come online by 2020, including insecure webcams, baby monitors, and other devices that can be enslaved and collectively wielded as a weapon,” says the report.
“Securing the Internet of Things will be a challenge of correcting poor software, hardware, and governance practices that make the internet fragile. Who do we hold accountable? And how do we find meaningful ways to keep things healthy and safe? There will need to be more than one answer,” it says.
Do not pass go
Mozilla says that for every device that either lacks a password, or uses a default or guessable one, the internet becomes increasingly fragile and dangerous. Despite this, rising numbers of people buy connected devices without thinking about securing them – as long as they work.
Anyone who doubts the need to secure their devices should search for “unsecured cameras live” and witness the extent of the problem for themselves.
“Fitness trackers, kitchen appliances, light bulbs… This year, we will be listened to, watched, recognised, and recorded by phones, digital assistants and cameras like never before,” says Mozilla. “Data will be collected that is vulnerable to hacks and breaches.
“Do cars share our driving habits with insurance companies? Do vacuum cleaners trade in information about the layout of our homes? To most people, these are hypothetical risks, outweighed by the enjoyment of the Internet of Things. But the reality is that the ‘attack surface’ of the Internet is growing and we have already had a taste of the nasty consequences.”
So what are those consequences?
The report shares one of the most high-profile examples. In December 2017, three young men pleaded guilty in a US federal court to creating a strain of malware called Mirai in 2016. The global impact of their work was extraordinary: the malware enslaved untold thousands of webcams, baby monitors, and other devices that retained factory-default usernames and passwords. Having marshalled these global computing resources, the malware performed targeted DDoS attacks to bring down websites and networks worldwide, says Mozilla.
“When the authors publicly shared the code to obscure their own identity, Mirai botnets multiplied, and began competing against each other (and still do) for control over devices around the world,” continues the report, “eventually succeeding in temporarily shutting down parts of the internet in the US and Europe, through a large-scale attack on the internet performance management company, Dyn. In Europe, banks and internet service providers were extorted. In New Jersey, a university was.
“Offering ‘security services’ (veiled extortion) was part of the devious original plan of Mirai’s authors, as was racking up dollars by creating fake botnet traffic on online ads. At the time, some security experts suspected government actors like China or Russia must be testing the resilience of the internet. The actual villains were less ominous, but the risk of all these insecure ‘things’ still exists and the scale grows bigger with every new connected device.”
Industrial and public impacts
Despite the hype around gadgets and home appliances, among the industries that will be most impacted by the IoT will be healthcare, transportation, energy, and utilities, warns Mozilla – sectors that all perform critical functions within human society.
The recent Verizon report on data breaches confirms these findings: 24 percent of all attacks last year were levelled at healthcare organisations, for example, with private data and medical records being among the biggest targets.
For these organisations, the IoT offers unprecedented opportunities for improving the efficiency and quality of public services, health, and infrastructure with data, analytics, and smart services. However, today’s “throwaway culture” means that internet devices are rarely designed to stay safe and secure over time, warns Mozilla.
So who do we hold accountable when the path from manufacturer to consumer is so opaque? asks Mozilla. The organisation suggests a range of possible solutions. These include:
• Regulations and industry codes of conduct to ensure the use of strong, random, and unique passwords on connected devices.
• Technical security devices that form a shield around a person’s personal IoT network.
• Dependable trustmarks for IoT – like the labels on organic food or energy efficient appliances.
Trustmarks are an interesting solution to the unsecured device problem – and in the UK, the government has introduced plans to label connected devices with a ‘traffic light’ scheme to reassure buyers about levels of security.
To explore this option further, Mozilla engaged Thingscon – a global community of IoT practitioners – to produce a dedicated report on the topic.
The Thingscon report says, “All the marks of a healthy internet also need apply to the Internet of Things: Openness, inclusion, decentralisation, privacy and safety, as well as literacy. However, in the world of IoT, some of these aspects are in ever stronger danger than in the rest of the internet. And here, users are even less equipped to make smart, healthy and sustainable choices.”
Thingscon agrees that a trustmark for IoT devices and services would be a workable – if partial – solution to IoT security, at least at the device end.
According to the organisation, it would “empower consumers to make informed decisions on how to vote with their money, and force producers of IoT products to show their commitment to good practices and IoT health.”
“The IoT faces a number of specific challenges and risks that go beyond other digital services, including surveillance, risk to physical safety, and that a remote software update can change devices in unexpected ways,” continues Thingscon. “Having these risks in mind allows us to better consider IoT trustmarks.”
The ability of IoT products to remotely receive software updates is one of the IoT’s biggest strengths, but it is also one of its most significant weaknesses, warns the organisation.
“This is because, a) if there are changes to the producing company (e.g. change of ownership, new strategy, bankruptcy), the products can cease operation, and b) software updates can significantly change the product itself, for example by enabling or disabling features or sensors.
“Increasingly, consumers even face ‘hidden IoT’ devices: products that are not sold as smart, and yet are ready to be connected, and/or contain sensors that could be activated with the next software update.”
For buyers and users, it’s nearly impossible to know the exact capabilities of connected products, warns Thingscon. “To make matters worse, even a comparatively secure device can be compromised if it is paired with a less secure one. Hence, the health of IoT is only as strong as the weakest link in the network.”
This is why buyers must be able to make an informed decision about IoT devices before buying, and transparency is an essential first step. At any given time, consumers should have a clear answer to four simple questions, says Thingscon:
1. Does the device do what I expect it do do?
2. Is the organisation trustworthy?
3. Are the processes trustworthy?
4. Does it do anything I wouldn’t expect?
An IoT trustmark can help answer each of these questions, concludes Thingscon.
However, it’s worth taking a moment to ask what constitutes ‘trustworthy’ technology, adds the organisation. That definition should be clear:
We consider tech trustworthy when it considers all stakeholders, takes a long view and sustainable approach, focuses on value creation rather than extraction, and if in doubt, it errs on the side of openness and empowerment.”
Internet of Business says
Internet of Business is committed to providing solutions to security problems, as well as to reporting news of any emerging or common threats. Here are some of our recent reports on this challenging problem, and on related areas.