What is the problem with IoT security? - Gary explains

2016-11-19
Hello, my name's Gary Sims from Android Authority. Now, you've probably heard of this term, Internet of Things: things that are connected to the Internet, everything from a mobile phone to your PC to light bulbs, fridges, security cameras, things that are hooked into the Internet. And you've also probably heard recently in the news that there are some security concerns about the whole idea of the Internet of Things. Well, what are those security problems? What are the challenges that are being faced today by IoT manufacturers? Well, let me explain.

So first of all, let's just do a quick overview. What is IoT? The Internet of Things basically means anything that's connected to the Internet. Now, previously we've used the Internet through connected things: PCs, laptops, smartphones, tablets. But now we're into a new era where there are devices connected to the Internet that are not being used or interacted with by people all the time. When I use my mobile phone to connect to the Internet, to browse the web or to use an app that needs the Internet, I am kind of controlling what's going on. But there are a whole bunch of new devices that kind of sit independently on the Internet, and we want them on the Internet because we want to be able to talk to them at some point during a day or during a month. For example, if I have a security camera that's recording things that are going on in my home and I go away on holiday, then maybe I want to just kind of log in and see what's happening around my house to make sure everything is okay. So I'm not controlling it directly, but I'm kind of querying it, or kind of looking at it once in a while. Now, there are reports that are suggesting that we already have over six billion Internet of Things devices on the Internet already, and that number is just going to grow; it could grow as much as up to 20 billion within the next few years.

Now the problem is that when you use your PC or your laptop or your smartphone, it's got a whole bunch of security features built into it: firewalls, for example, maybe antivirus, maybe there are some security features inside the actual computers themselves, like address space randomization, that you don't even see, but I know they're there, and the people that build these things know they're there. But these things seem to be missing from the Internet of Things. So why is that, and what's the problem, and how do we fix it?

Now, the reason why this has come to the forefront recently is because websites like Twitter and many other popular websites went down for a day or so because they were suffering a thing called a denial of service attack. In fact, it was a distributed denial of service attack. Now what does that mean? Basically, if a website offers a service, like Twitter or any popular website, to be able to use it you need to be able to access it, and if you bombard that website with too many requests, too many users, but not real users, fake users, then the service can't cope; it just groans under all that stress of all those requests coming in. And so what hackers do is they target certain servers. In this particular case they targeted a service called Dyn, for dynamic naming, which actually provides the host naming, the DNS service, for sites like Twitter and quite a few other popular ones, and they targeted that particular service. Now think about it: there are millions of people that use services like Twitter and Facebook and so on every single day, so having a million users or 10 million users isn't an issue for these services. So to really bring them down to their knees you have to send literally gigabytes of data packets, requests, to these services in a very short amount of time, and the only way to do that is not through one PC or 10 PCs; you need thousands and thousands of PCs. Now in the past what would happen is that maybe a PC was infected with a virus of some kind, and that virus had behind it a command and control center which was used by hackers to tell that PC, now start sending requests to this particular website, and if you replicate that over thousands and thousands and thousands of machines then you could start to bring the web service down to its knees: a denial of service, that service was no longer available.

Now, what happened recently, when Dyn was attacked and Twitter fell, and the other sites because of it, was that this was a unique type of attack. It wasn't launched from PCs, which many have been launched from before, but it was actually launched using IoT devices; particularly, it was launched using a set of security cameras and some network attached storage. Now why is that? Well, a little while ago, a few months ago, a new piece of malware was released on the Internet that just searches for IoT devices and tries to take them over and tries to use them for its nefarious activities. Now why was that so simple? As I said, on your PC you've got a firewall, you've probably got antivirus, there are a whole bunch of security features built into your PC. But what we're discovering is that all of these IoT devices, security cameras, network storage, light bulbs, whatever they are, have no security whatsoever. In fact, they may even have a default access, like you can log in using admin/admin, or, you know, admin/password, or something like that. And what's happening is these devices are coming out of the factory, consumers are buying them, and actually they're exposed to the Internet. And because they've got Internet connectivity, they've actually got a small computer inside of them, maybe an ARM microcontroller, or maybe even a Cortex-A processor, a Cortex-A5 or a Cortex-A7, and they might be running something like Linux or one of the simpler microcontroller operating systems. Now that means they've got full Internet connectivity, the protocols, Bluetooth, they've got image processing, they've got lots of computing power, and the hackers are able to take those over and use them to launch these DDoS attacks.

Now what that really means is that IoT developers really need to up their game when it comes to writing the software for these devices. I mean, I remember not even only a few years ago I would get pieces of equipment from my telco provider where the default password was admin/admin. Now, the latest one that I got, actually the password was, I think, like 16 characters long, maybe even more, quite long, and it's labelled on the back of the modem, and that's different for every single device. So you can't just log into all of these modems using the same username and password; each one has a unique one, and it's a strong one. And that's what all devices need to be able to do; at the moment this is not happening.

So here's a quick checklist of things that need to happen from a developer's point of view, and consumers need to be aware of it, so that we bring these IoT devices up to a certain level of reasonable security.

Now, the first one of course is authentication. You can't just log in with admin/admin or admin with no password, and that's exposed on the Internet so anybody can just start finding an address of a machine and just connect to it and do whatever they want to it. That's just not allowed. It's got to have decent authentication: the password needs to be unique for every device that rolls off the factory, and that password needs to be kind of on a label or something so the owner can log into it but other people can't.

The other thing that IoT developers need to be really careful about is leaving any kind of debug interfaces. There are so many examples of people who thought they would leave some kind of hidden backdoor, because that helps them to kind of perform diagnostics, it helps them to kind of monitor what's going on with their devices. But actually, even though they think they're hidden, security through obscurity doesn't work. In the end it's discovered, in the end the password is found out, and then all of those devices, it could be millions of them across the world, are then suddenly laid bare for hackers to get into.

Of course, every IoT device should use encryption. If it is doing things, if you are talking to it, if it is uploading things to the cloud, if it is sharing data, that should all be encrypted so that only the people that are meant to see those pieces of information can see them. And never transmit passwords in the clear, never transmit personal data in the clear; if you can, don't send any data in the clear, always send it with encryption. And the same for privacy: you don't want these IoT devices to reveal things about where they are and who the owner is and how long they've been running and all that kind of stuff. That needs to be hidden, so that only the right people can see it.

And if there is a web interface built into the device, it needs to basically be a robust web interface. It shouldn't be open to things like SQL injection vulnerabilities, or it shouldn't be open to cross-site scripting vulnerabilities. It should really be a secure web interface.

And last but not least, every IoT device, I mean every IoT device, from a microwave oven to a light bulb to a really sophisticated home security system, or even to things that are monitoring factories and cities, every IoT device should be able to be upgraded, so that when, and I say when, security issues are found, because they're always going to be found, but when security issues are found, the devices can be upgraded and those security vulnerabilities can be closed. But there's a key thing about this: when an upgrade is performed, the device needs to check that it's actually performing a legitimate upgrade, a legitimate update to its firmware. And that's done using signing. That software should be signed using a certificate, and the device should check that the certificate has the right signature on it, and only then should it actually go ahead and upload and install the new firmware.

Now why are we in this situation? Well, basically the problem is cost. A lot of these devices are being aimed at the consumer market, and basically the companies that are making them are saying, we want to make this quick, we want to make it cheap, and we want to get it out the door, and security is like issue number 522 on their list. It's not important to them at all. Now we as consumers have the power to make sure that it doesn't happen anymore. Don't buy IoT devices where you've read reviews of them on the Internet and you've discovered that they don't treat security well. Don't buy IoT devices that don't offer a firmware upgrade path so that when there are security issues found they can be upgraded. Just don't do it, and then the power of the consumer will force these companies to take security seriously. I really mean it. If you buy cheap IoT devices that don't have a security model, that don't have a security answer, then you're actually just going to propagate this problem and make it worse. So be a sensible consumer and buy products that have got a track record with security.

Now, maybe it isn't the developers themselves that are at fault, although ultimately, of course, they're the ones who wrote the code. But probably this pressure is coming from higher up in the company, from management, from product management, from the bosses, who are saying we want this now, we want it cheap, and we don't care about security. But a word to those type of people: just note that in the end, a lack of security will actually be your downfall, because if it comes out that your device is responsible for certain activities, and your device was insecure, and in fact you had a very blasé security attitude, then actually that could be the downfall of your whole company. You lose everything. Let me give you a simple example. There was an example where Charlie Miller and a colleague of his actually managed to find some security vulnerabilities in a Jeep, and they told Jeep about these problems, and Jeep basically didn't do anything about it. And then after a certain amount of time Charlie Miller and his colleague went ahead and actually published these findings, and then Jeep were forced to recall all of their Jeeps and make certain modifications to them, and that cost them billions of dollars. Now it wouldn't have cost them billions of dollars if they'd taken security seriously. It wouldn't have cost them billions of dollars to employ a few people whose job was just to look at and test and check the security on their cars. Now you might not be a big company like Jeep, but if you're trying to sell products and then you find that people no longer buy your product because it's got a bad name, then you can go out of business, and you're going to lose your money, you're going to lose your livelihood. So it's important to make sure, if you are a manager, if you are a boss of a company making electronic equipment, make sure security is key, it's top of your list, because that could be your downfall, and consumers have the power to do that.

Now, it isn't all doom and gloom. There are lots of solutions out there. I'm just thinking now of things like Linux, of course, that comes with lots of good solutions, including firewalls. If you're dealing with microcontrollers you've got things like FreeRTOS, that's a real-time operating system that's got lots of built-in security features. And then of course there's things like Mbed OS from ARM, that offers not only just a real-time operating system for microcontrollers, for IoT devices; ARM actually offer a whole range of services, from the programming of the device, including the servers in the cloud, and including all the stuff to do with firmware upgrades and device deployment and end-of-life management, and all these things. They have everything, and that's all part of the Mbed OS ecosystem. If you buy into that, and when I say buy, actually it's really not like that, most of that stuff is actually open source, freely available, if you invest in that then you pretty much guarantee that you're going to get yourself an IoT device that is covered through all its different phases.

So there we have it. Basically, the IoT problem at the moment is people are producing cheap, quick devices, they put them online, yet they don't have any concern about security. But you wouldn't buy a PC that does that. You expect your PC to have a firewall, you expect it to have some kind of Windows Defender, some kind of antivirus, you expect it to have updates: Microsoft issue updates every month, Apple issue updates, the Linux distributions issue updates. It's always being upgraded to fix and repair security issues. Now we need to have that same mindset when it comes to buying connected devices that are permanently on the Internet and actually are part of our lives, security cameras and things like that. We need them to work properly and we need them to be safe. You don't want people spying on your house while you're away because they hacked into your camera. You don't want that. Baby monitors, that was a terrible example, people hacking into baby monitors and they could see what your baby is doing. You don't want this kind of thing; you want to make sure you buy secure devices.

Well, my name is Gary Sims from Android Authority. I hope you enjoyed this video. If you did, please do give it a thumbs up. Don't forget to subscribe to the Android Authority YouTube channel, download the Android Authority app, because that way you'll get access to all of our news and features directly on your mobile phone, and last but not least, don't forget to go over to androidauthority.com, because we are your source for all things Android.
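Taking the last checklist item, signed firmware updates, here is an added example (not from the video or from Android Authority) of what the device-side check looks like. It assumes a made-up image layout (version, Ed25519 signature, payload) and a vendor public key baked into the device in place of a full certificate chain; a tampered or re-labelled image fails the check and is never installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout (an assumption for this example, not a real
// vendor format): 4-byte big-endian version, 64-byte Ed25519 signature, payload.
// The signature covers version||payload, so neither can be altered unnoticed.
const hdrLen, sigLen = 4, ed25519.SignatureSize

var ErrTruncated = errors.New("update rejected: image too short")
var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate is the vendor build-server side: produce an image the device accepts.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr, version)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

// VerifyUpdate is the device side: the vendor public key is baked into the
// firmware, and nothing is installed unless the signature checks out.
func VerifyUpdate(pub ed25519.PublicKey, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen {
		return 0, nil, ErrTruncated
	}
	hdr, sig, payload := img[:hdrLen], img[hdrLen:hdrLen+sigLen], img[hdrLen+sigLen:]
	if !ed25519.Verify(pub, append(append([]byte{}, hdr...), payload...), sig) {
		return 0, nil, ErrBadSignature
	}
	return binary.BigEndian.Uint32(hdr), payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignUpdate(priv, 2, []byte("constructed firmware blob v2")) // constructed sample
	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit, as an altered image would
	_, _, genuineErr := VerifyUpdate(pub, img)
	_, _, tamperedErr := VerifyUpdate(pub, tampered)
	fmt.Println("genuine:", genuineErr, "| tampered:", tamperedErr)
}
```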