Imagine reading a headline on the news tomorrow stating that your neighbor’s identity was stolen and his life savings wiped out by criminals who entered through his “smart” washing machine.
Ridiculous, you say? Well, have you checked your own home Wi-Fi network lately?
You may have multiple connected home devices and other Internet of Things (IoT) devices connected wirelessly through a misconfigured router with no firewall settings. Is the firmware up to date? Are the security patches up to date?
Still not convinced that this is a serious problem? Then consider this glaring example of how dangerous an outdated device can be.
In June, Western Digital My Book NAS owners around the world discovered that their devices were mysteriously factory reset and all their files were deleted. My Book Live and My Book Live Duo are personal cloud storage devices.
When WD product users tried to log in through the web panel, the devices responded that they had an “invalid password.” WD My Book owners were no longer able to log into the device through a browser or app.
The My Book Live and My Book Live Duo products experienced data loss due to a security incident, according to the Western Digital website. WD informed customers that the company would cover the costs of eligible users with qualified products to recover their data using data recovery services (DRS) provided by a provider selected by Western Digital.
The company promised to cover the costs of shipping the qualified product to the DRS provider and the data recovery service. All recovered data would be sent to the customer on a My Passport drive.
Western Digital confirmed that “some My Book Live devices are being compromised by malicious software.” The company also confirmed reports that this has led to a factory reset that erased all data on some customer devices.
The My Book Live device received its last firmware update in 2015. Western Digital’s June 2021 statement suggested that users disconnect their My Book Live devices from the Internet to protect their device data.
The My Book Live vulnerability shows that there is still a long way to go in IoT security. Not much attention has been paid to ensuring that such devices are hardened or built according to best practices, according to John Bambenek, a threat intelligence advisor at Netenrich.
“In this case, we see devices being built that are meant to outlast their vendors’ support commitments; therefore, they are not only vulnerable, but consumers are also unable to protect themselves. Whether it’s from data loss, ransomware or DDoS, these issues will keep recurring until vendors commit to protecting their customers,” he told TechNewsWorld.
Flawed business model
Original equipment manufacturers (OEMs) are not responsible for this fiasco, as their old connected devices are no longer for sale.
However, most customers are unaware that these devices have an expiration date, and consumers are not alerted to the dangers of continuing to use unpatched firmware. Countless outdated connected devices are waiting to be infiltrated by opportunistic attackers, suggested Asaf Ashkenazi, COO of connected device security company Verimatrix.
“OEMs should transform their business model to maintain a durable software update service or install more sophisticated technology that would make hacking of these devices very difficult,” he told TechNewsWorld.
Ashkenazi doesn’t blame problems like the Western Digital fiasco directly on the OEM industry. The problem is in the business model. There are no standards to regulate how IoT devices should be maintained and protected.
“Unfortunately, I don’t see anything that addresses the standardization of security in these IoT devices. Perhaps the government or consumer protection, or some companies, decide to build a consortium that says who is responsible,” he said.
There is definitely a need for more transparency in terms of the level of support for the software on these devices. Nothing can be done to deal with the problem until the industry decides to accept that challenge, he added.
Education and consumer pressure
An educational awareness effort will be needed to make consumers aware of the dangers inherent in purchasing insecure IoT devices. That can translate into allowing consumers to consider device security as part of their purchase decision, Ashkenazi suggested.
Most consumers now have no idea that endemic devices in their home can connect to the Internet through their wireless routers. If they have a device that connects to the network, they need to make sure the software on the device is up to date, he added.
“When the software is no longer updated, the device can be dangerous to use,” he warned.
The goal, as Ashkenazi sees it, is to protect consumers first. Then he hopes that consumers will put enough pressure on manufacturers for companies to start saying how long they will support the software.
Apple, Google, and some other big companies say that for certain devices. But for many other devices, companies stop supporting them after about six months. Consumers continue to use these abandoned devices because they otherwise appear to be working fine, he said.
Consumers need to be as meticulous as businesses when it comes to cybersecurity. Enterprise security teams understand that vulnerabilities come in all shapes and sizes, observed Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, an enterprise cyber risk remediation SaaS provider.
“In the case of Western Digital My Book Live devices, threat actors took advantage of a chained set of circumstances to erase data from exposed hard drives. Consumers should have known to keep drive firmware patched and only connect drives to the internet when necessary. However, where does the responsibility lie? With the consumer or with Western Digital? There is no clear answer,” he told TechNewsWorld.
One of the biggest issues with IoT security today is that the rush to get to market often takes priority over the security measures that need to be built into our devices. This problem has made many IoT devices readily available to criminals interested in stealing sensitive data and accessing exposed networks, said Stefano De Blasi, a threat researcher at Digital Shadows.
“Additionally, criminals can exploit vulnerable products by harnessing their computing power and organizing massive IoT botnet campaigns to disrupt traffic on specific services and spread malware,” he told TechNewsWorld.
Cybersecurity blind spots
IoT security, or the lack of it, suffers from industry shortcomings. The main problem is that traditional vulnerability management tools do not scan beyond the operating system. Therefore, they do not detect security issues or vulnerabilities in the firmware layer, according to Baksheesh Singh Ghuman, senior director of global product strategy and marketing at connected device security firm Finite State.
“The secondary issue involves device manufacturers, who are often in charge of performing device security even though they commonly lack the proper security controls to look for vulnerabilities in the firmware layer,” he told TechNewsWorld.
It is important that manufacturers conduct a thorough analysis of vulnerabilities of any kind and, if they discover any, inform potential users about available firmware updates and patches, he recommended.
“It is a very reactionary process, unlike the automated proactive process found in enterprise vulnerability management practices. As a result of these factors, firmware vulnerabilities are often ignored and become cybersecurity blind spots that draw the attention of threat actors,” said Ghuman.
Complicated IoT security
Depending on the industry and application, a patch is not always available. For consumers, patching is a two-pronged process, according to Ghuman.
First, the device manufacturer needs a standard update process to deliver updates and patches to its devices. The second step requires raising consumer awareness of the need to update and patch vulnerabilities.
“This is quite challenging because it requires constant reminders and education on cybersecurity hygiene,” Ghuman said.
Device makers can take some steps to prevent further episodes like the Western Digital dilemma, he suggested. Those include:
- Make sure there is a product safety group present within their organization;
- Incorporate firmware layer vulnerability management as part of their overall product development and security programs, so they can detect firmware layer vulnerabilities before they are distributed;
- Proactively scan for exploitable vulnerabilities in their firmware and, if any are discovered, quickly develop patches; and
- Have a standard and secure firmware update process in place that pushes patches as they become available.
The consumer shift toward preferring digital interactions first will expand the landscape of potential threats that can be targeted by attackers, observed Tyler Shields, CMO at JupiterOne. More applications, more data in the cloud, and more digital experiences mean more targets of both opportunity and choice.
“There will be a continued increase in data engagement as we move more and more of our daily lives to the cloud. We have really only just begun to see the expansion of digital experiences and the attacks that will grow along with them,” he told TechNewsWorld.
Security has always been traded off against ease of use. The cybersecurity provider community should drive the creation of easy-to-use cybersecurity experiences that provide an acceptable level of security for the technologies that consumers demand, according to Shields.
A good example of this is the switch to single sign-on and passwordless authentication. Users have not been able to maintain proper passwords for decades and that situation will never change. Therefore, innovation must build a user-friendly alternative that provides adequate security with a much better user experience.
“Companies must find the right balance between technological innovation and security for traditional models,” he said.