Exploring the IoT Afterlife

By, Eric Kobrin

Not only is October National Cyber Security Awareness Month (NCSAM), but it also contains one of my favorite holidays: Halloween.

In the spirit of NCSAM and Halloween, let's talk about Internet of Things (IoT) devices wreaking havoc from beyond the grave.

IoT Lifecycle Standards

IoT devices are implicated in several of the largest DDoS attacks ever seen. These devices often have vulnerabilities such as unpatched software or insecure configurations. Attackers exploit these vulnerabilities to recruit IoT devices into botnets, and then cause them to emit attack traffic.

One way to make this harder for attackers is to develop IoT devices that are initially secure and that can be kept secure over time. This requires some real changes at several points in the development and post-sale-support processes.

Let's imagine a world where these changes have come to pass, all new devices are built to be initially secure, and designed for easy maintenance and patching. Imagine that every manufacturer used a secure development life-cycle, made patching easier for end-users, stopped reusing credentials, and so on.

That imaginary scenario might sound great from a security perspective, but in the real world perpetual patching is unsustainable. It runs into real physical and financial limitations. Eventually manufacturers will have to drop support for older devices in order to develop new ones.

Every new device, even those built with excellent security and a strong story for maintaining that security over time, will eventually age out of support. It will become an old device that no longer receives security patches. It will have reached End-of-Life.

The IoT Afterlife

Old devices are discarded, recycled, or passed on to others. But that's not the end of their story.

They don't all rest peacefully.

Some old devices will rise from the grave: they will turn up in thrift shops, get picked out of landfills, or get donated into disadvantaged communities. They are past End-of-Life, but have returned to service.

The IoT afterlife is a scary place.

These unpatchable devices will pose a public safety hazard whenever they reconnect to the Internet. They can be recruited into botnets, and there will be no patches provided to fix their vulnerabilities.

Besides direct use in attacks, these undead devices may also put previous owners' privacy at risk. They might leak personal information about their previous owners. They might connect to services using remembered credentials, granting future owners access to past owners' accounts.

Afterlife Management

Let's explore three options for what to do with a device once it can no longer be maintained by its original manufacturer.

The ubiquitous default is for the device to continue functioning as before, but simply receive no further software updates. Continuing in service after End-of-Life is the easiest option for manufacturers to implement: they simply stop providing updates once it's no longer feasible or economical. Old tablets, mobile phones, connected picture frames, smart appliances, routers, drones, etc. can continue in useful service long after they become unpatchable. They can rot in place or be passed on to other users. This afterlife option leads to zombies.

The second option is to brick old devices. For example, manufacturers could design devices that put themselves into a non-functioning state if they have not been patched for some period of time. Perhaps the device would boot into a mode that is capable of receiving software updates, but not of completing its primary function. This afterlife option keeps dead devices dead, by bricking them. Bricked devices don't participate in attacks. With good design, they would also be unable to leak personal information.

But there is a major downside.

The people who paid for the now-bricked device may balk. Customers pressured Sonos to disable Recycle Mode, which bricked old devices. Sonos backed away from bricking old devices and now suggests that users manually reset them at disposal time instead.

A third choice is to open the device to community support once manufacturer support has expired. This can take several forms including open-sourcing old firmware, unlocking bootloaders to accept third-party firmware, or  not objecting to third-party security patches for End-of-Life devices. Devices could then be resuscitated by the community. Unfortunately, any devices that don't have a healthy community would still wind up as zombies or as bricks.

None of these models is appropriate for every single device. There is no one-size-fits-all model, and the ones presented here aren't exhaustive. Each manufacturer chooses the impact that their old devices have at End-of-Life and afterlife.

What can be done?

Consumers can ask the device manufacturer what its End-of-Life and afterlife plans are before making a purchase. They can ask how long the manufacturer will commit to releasing patches and what steps will result in secure disposal that prevents discarded devices from leaking personal information. They can ask whether their old devices will end up as zombies, bricks, or something else entirely.

Ideally, IoT manufacturers would voluntarily disclose the after-life plan for their devices prior to sale. They could explain that a particular device will eventually be unpatchable and will then move into one of the after-life modes described above or a different mode entirely. Informing the consumer allows them to decide how they plan their deployment and replacement plans and it can also inform electronic recyclers of the safe disposition options for retired IoT devices.

How do we get there?

At Akamai, we offer services that protect our customers from DDoS attacks, so we see the malicious traffic generated by these IoT botnets. Using our visibility into these attacks, we have worked to shut down individual botnets or to mitigate the harm they have caused.

In response to some of the larger IoT-botnet-based attacks, the Consumer Technology Association brought Akamai and several IoT device manufacturers together to try to prevent the creation of these types of botnets. Since then, we have worked to define a security standard that we hope will make new IoT devices more resistant to attackers who try to use them in botnets. This standard, CTA 2088 is expected to be available in early November 2020 at https://shop.cta.tech/collections/standards. The current draft of that standard includes requirements for improving the baseline security of connected devices, from development to deployment, from service through End-of-Life, and beyond.

Article Link: https://blogs.akamai.com/sitr/2020/10/exploring-the-iot-afterlife.html