Imagine reading a headline in tomorrow’s news that your neighbor’s identity was stolen and their savings were wiped out by criminals who entered through their “smart” washing machine.
Ridiculous, you say? Well, have you checked your own home Wi-Fi network lately?
You may have multiple connected household gadgets and other Internet of Things (IoT) devices connected wirelessly through an improperly configured router without firewall settings. Is the firmware up to date? Are the security patches up to date?
Still not convinced that this is a serious problem? Then consider this blatant example of how dangerous an obsolete device is.
In June, Western Digital My Book NAS owners around the world discovered that their devices had been mysteriously factory reset and all of their files had been deleted. My Book Live and My Book Live Duo are personal cloud storage devices.
When users of the WD product attempted to log in through the web-based dashboard, the devices responded that they had an “invalid password”. WD My Book owners could no longer connect to the device through a browser or app.
The My Book Live and My Book Live Duo products have suffered data loss due to a security incident, according to the Western Digital website. WD informed customers that the company will cover the costs for eligible users with qualifying products to recover their data using Data Recovery Services (DRS) provided by a vendor selected by Western Digital.
The company has promised to cover the cost of shipping the qualifying product to the DRS vendor and for the data recovery service. All recovered data would be sent to the customer on a My Passport drive.
Western Digital has confirmed that “some My Book Live devices are compromised by malware.” The company also confirmed reports that this led to a factory reset which wiped out all data on some customer devices.
The My Book Live device received its last firmware update in 2015. Western Digital’s June 2021 statement suggested that users disconnect their My Book Live devices from the internet to protect the data on their device.
The My Book Live vulnerability shows that there is still a long way to go when it comes to IoT security. Much attention has been paid to the fact that these devices are not hardened or built according to best practices, according to John Bambenek, Threat Intelligence Advisor at Netenrich.
“In this case, we find that devices are designed to outlast their vendor’s support commitments; so not only are they vulnerable, but consumers cannot protect themselves either. Whether it’s data loss, ransomware or DDoS, these issues will continue to reoccur until vendors commit to protecting their customers,” he told TechNewsWorld.
Defective business model
The original equipment manufacturers (OEMs) take no responsibility for this fiasco, as their aging connected devices are no longer for sale.
However, most customers are unaware that these devices in fact have an expiration date, and consumers are not warned of the dangers of continuing to use unpatched firmware, with countless obsolete connected devices waiting to be infiltrated by opportunistic attackers, suggested Asaf Ashkenazi, COO at connected device security firm Verimatrix.
“OEMs would either have to transform their business model to maintain a sustainable software update service or install more sophisticated technology that would make it much more difficult to hack these devices,” he told TechNewsWorld.
Ashkenazi doesn’t lay the blame for issues like the Western Digital fiasco squarely on the OEM industry. The problem stems from the economic model. No standard exists to regulate how IoT devices should be maintained and secured.
“Unfortunately, I don’t see anything that addresses the standardization of security on these IoT devices. Maybe the government or consumer protection, or some companies, will decide to create a consortium that will say who is responsible,” he said.
There is certainly a need for more transparency in terms of the level of software support on these devices. Nothing can be done to fix the problem until the industry decides to take up this challenge, he added.
Consumer education and pressure
It will take an educational outreach effort to make consumers aware of the dangers inherent in purchasing insecure IoT devices. This can then translate into the ability for consumers to consider device security as part of their purchasing decision, Ashkenazi suggested.
Most consumers are now unaware that endemic devices in their homes can be connected to the Internet through their wireless routers. If they have a device that connects to the network, they need to make sure that the device’s software is updated, he added.
“When the software is no longer updated, the device can be dangerous to use,” he warned.
The goal, according to Ashkenazi, is first and foremost to protect consumers. Then he hopes consumers will put enough pressure on manufacturers that companies will start saying how long they will support the software.
Apple, Google and other big companies say it for some devices. But for many other devices, companies stop supporting them after about six months. Consumers continue to use these discontinued devices because they otherwise appear to be working fine, he said.
Consumers need to be as meticulous as businesses when it comes to cybersecurity. Enterprise security teams understand that vulnerabilities come in all shapes and sizes, observed Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, an enterprise cyber risk remediation SaaS provider.
“In the case of Western Digital My Book Live devices, threat actors took advantage of a chain of circumstances to erase data from exposed hard drives. Consumers should have known to keep the player’s firmware updated and only connect players to the Internet when needed. However, where does the responsibility lie? On the consumer or on Western Digital? There is no clear answer,” he told TechNewsWorld.
One of the biggest issues with IoT security today is that the security measures that need to be built into our devices often take a back seat to the rush to market. This problem has made many IoT devices low-hanging fruit for criminals interested in stealing sensitive data and accessing exposed networks, noted Stefano De Blasi, Threat Researcher at Digital Shadows.
“Additionally, criminals can exploit vulnerable products by leveraging their computing power and orchestrating massive IoT botnet campaigns to disrupt traffic on targeted services and spread malware,” he told TechNewsWorld.
Cybersecurity blind spots
The security of IoT, or the lack of it, suffers from industry shortcomings. The main problem is that traditional vulnerability management tools don’t scan beyond the operating system. That way, they don’t detect any security issues or vulnerabilities in the firmware layer, according to Baksheesh Singh Ghuman, global senior director of product marketing and strategy at connected device security company Finite State.
“The secondary issue is with device manufacturers, who are often responsible for ensuring the security of devices despite the lack of proper security controls to check for firmware layer vulnerabilities,” he told TechNewsWorld.
It is important that manufacturers perform a thorough analysis for vulnerabilities of all kinds and, if they discover any, notify potential users of available firmware upgrades and patches, he recommended.
“It’s a very reactionary process, unlike the automated proactive process found in enterprise vulnerability management practices. Due to these factors, firmware vulnerabilities are often overlooked and become cybersecurity blind spots that attract the attention of threat actors,” said Ghuman.
Complicated IoT security
Depending on the industry and application, a patch delivery may not always be available. In the case of consumers, patching is a dual process, according to Ghuman.
First of all, the device manufacturer needs a standard upgrade process in place to send upgrades / fixes to their devices. The second step requires educating consumers about the need to upgrade and patch vulnerabilities.
“It’s quite difficult because it requires constant reminders and education regarding cybersecurity hygiene,” Ghuman said.
Device makers can take a few steps to avoid more episodes like the Western Digital dilemma, he suggested. These include:
- Ensure that a product security group is present within their organization;
- Integrate firmware layer vulnerability management as part of their overall product development and product security programs, so that they can detect firmware layer vulnerabilities before they are distributed;
- Proactively search for exploitable vulnerabilities in their firmware and, if discovered, quickly develop fixes; and
- Have a standard, secure firmware upgrade process that sends out fixes as they become available.
The trend for consumers to prioritize digital-first interactions will increase the landscape of potential threats that can be targeted by attackers, observed Tyler Shields, CMO at JupiterOne. More apps, more data in the cloud and more digital experiences mean more targets of opportunity and luck.
“There will be a continued increase in data compromise as we increasingly move our daily lives to the cloud. We’re just starting to see the expansion of digital experiences and the attacks that will develop alongside them,” he told TechNewsWorld.
Security has always been balanced with ease of use. The cybersecurity provider community should strive to create easy-to-use cybersecurity experiences that provide an acceptable level of security for technologies consumers demand, according to Shields.
The move to single sign-on and passwordless authentication is a good example. Users have failed to maintain proper passwords for decades, and that situation will never change. Therefore, innovation must create an easy-to-use alternative that offers proper security with a much better user experience.
“Businesses need to find the right balance between technological innovation and security for traditional models,” he said.