The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes

No less than 98 per cent of traffic sent by internet-of-things (IoT) devices is unencrypted, exposing huge quantities of personal and confidential data to potential attackers, fresh analysis has revealed. What’s more, most networks mix IoT devices with more traditional IT assets like laptops, desktops and mobile devices, …

  1. Anonymous Coward

    Looks like there's even more money to be made by mining the US HealthCare system

    "We analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States"

    "Most notably, the report reveals that 83% of medical imaging devices are running on unsupported operating systems. This reflects a 56% jump from 2018 due to the Windows 7 operating system reaching its end of life, leaving hospital organizations vulnerable to attacks that can disrupt care or expose sensitive medical information."

    1. Charles 9 Silver badge

      Re: Looks like there's even more money to be made by mining the US HealthCare system

      So IOW the only practical solution to secure medical IT is to "spend, spend, spend" in the face of complaints of "budgets, budgets, budgets". Especially when it comes to medical equipment like imaging devices, which often come with legally-mandated compliance requirements which mean to upgrade the OS you have to upgrade the whole machine: a six- to seven-figure prospect. Again, "budgets, budgets, budgets"...

      1. Pascal Monett Silver badge

        Agree totally. I fear that the medical sector is basically screwed. Their IT might have been installed by competent people, but their equipment was installed by the vendor who just needed to get the thing on the network and didn't care about security or firewalls. IT is a process, not a thing, and you need to have the competence on-hand, not a consultant dropping in every now and then.

        If anyone can just plug a new thing into the network and there is no authorization to prevent that (I'm talking network authorization, not administrative), then your network will soon be an inextricable hodge-podge of stuff without either overview or oversight.

        Then you have the problem that medical staff need to have access to all that eminently personal data to do their jobs, and they simply can't spend all day entering passwords or shoving tokens onto readers. They need free access to the data and if they have it, then an attacker can easily get to it as well.

        Add to that the lack of money to upgrade anything and I really don't see how this will end other than in tears.

      2. big_D Silver badge

        Re: Looks like there's even more money to be made by mining the US HealthCare system

        It is not just healthcare. In industry, it is the same story. Why replace several million Euros worth of plant equipment, just because the PC that runs it needs XP or Windows 7? We just isolate the kit or remove it from the network completely.

      3. Alan Brown Silver badge

        Re: Looks like there's even more money to be made by mining the US HealthCare system

        "Especially when it comes to medical equipment like imaging devices, which often come with legally-mandated compliance requirements which mean to upgrade the OS you have to upgrade the whole machine: a six- to seven-figure prospect."

        There's usually no technical reason why you'd need to replace the entire machine if you replace the control system - but it happens to be a great way of forcing sale of new hardware (== "PROFITS!")

        The EU and others need to look into this stuff and start mandating legal liability on the suppliers and $stonkinglylarge fines targeting the C-level staff if they're not dealt with. It's not just medical equipment either. There's a lot of SCADA stuff out there which has no business being connected to the Internet which has vendors insisting on network connectivity.

    2. one crazy media

      Re: Looks like there's even more money to be made by mining the US HealthCare system

      Probably all across the world not just the US, since these devices are used all over the world.

      When you do dumb things, you get the dumbest result of them all.

  2. kmedcalf

    Vendor Advertizing

    Sounds like Vendor Advertizing, given that support provides no actual value. ("support" is a marketing term meaning "make money from").

    1. Anonymous Coward

      Re: Vendor Advertizing

      I know that a large number of medical device manufacturers use VxWorks (with its built in security, over the air updates, very long support, etc) and yet it does not get on to the charts at all. Maybe it was too secure for the testers so they ignored all of those devices?

    2. Wellyboot Silver badge

      Re: Vendor Advertizing

      Palo Alto (purveyor of expensive firewalls) pick a sector where OS replacement is a non trivial affair due to the hardware it's running then release a report (a few weeks after the once biggest desktop OS goes EOL) saying 83% of everything you have is vulnerable.

      Is that the sun rising in the east this morning...

  3. Anonymous Coward

    1. Make loads of IoT devices with poor/no security

    2. Sell for peanuts

    3. Hack away

    4. Profit

  4. Len Silver badge

    Name and shame

    My Tado smart thermostat advertises with its encryption.

    Data encryption:

    TLS 1.2 (SSL), 2048-bit Extended Validation Certificate / TLS 1.2 (SSL), 256-bit elliptic curve encryption / AES-CCM encryption

    Perhaps it’s time we name and shame those devices that still transmit unencrypted data. Focus on a couple of big names first and make them aware that it will hurt their reputation if they don’t get their act together.

    1. kmedcalf

      Re: Name and shame

      Ah, but do they also advertize:

      (1) Every device uses the *SAME* keypair

      (2) The keypair can be trivially located in the firmware

      (3) Anyone can download the firmware

      (4) Everyone has the keys

      (5) The Encryption is for "Theatrical" purposes and only increases unreliability while providing no actual "safety" or "security"?

      1. Alan Brown Silver badge

        Re: Name and shame

        (2) The keypair can be trivially located in the firmware

        The keypairs for virtually all Hisilicon-based network video cameras/DVRs are viewable in plaintext - including a private signing key

        (Hint: if your CCTV system uses any kind of "XM" software, yer already pwned, you just don't know it yet.)

  5. Version 1.0 Silver badge

    But the current government position is to ban encryption.

    "...US government's ongoing efforts to demonize encryption for leaving law enforcement in the dark and AG William Barr's public opposition to encryption, technical experts expect the guidelines will force technology platforms to avoid encryption..." - El Reg

    1. Pascal Monett Silver badge

      Re: But the current government position is to ban encryption.

      Yep. That's going to be an interesting debate the next time we hear of a hospital having been hacked because of lack of encryption.

      I wonder how the politicians will spin that ?

      1. kmedcalf

        Re: But the current government position is to ban encryption.

        Well, it was to prevent Child Pornography. After all, you can put a child in a CT Scanner and create pornography. We must not allow encryption to protect Child Pornography, so all such encryption must be banned.

        And it worked. That CT scanner can no longer be used to make child pornography!

  6. Blackjack

    Heh....

    Looks like the toaster stealing your wallet is no longer a joke.

  7. Flak

    The gulf between capability and implementation

    Many devices have the capability to be securely connected and communicate securely - but it is often the implementation that is found wanting:

    Default passwords not being changed

    Multi-purpose flat LANs or open inter-VLAN routing rather than network segmentation

    Patching of OS and firmware

    I get the point about some devices running on old OSes - surely equipment contracts particularly in the healthcare sector come with maintenance regimes - a current, patched and secure OS must be part of such contracts.

    The same applies to networking equipment.

    1. Wellyboot Silver badge

      Re: The gulf between capability and implementation

      This is where actual effort is required to make things more secure, but this runs slap into the users wanting 'Anything, Anywhere, Anytime'

  8. VibhorTyagi

    IoT Used Through Malice

    The thing is that IoT exists in a similar buzzword-sphere as Artificial Intelligence does. Although it is not what it should be currently, miscreants who engineer AI, can easily disrupt your life as you know it. Slowly, but steadily, they might be able to engineer AI that literally holds you, and your data, hostage.

  9. Anonymous Coward

    If you think IoT is a privacy or security problem.....

    ....then you need to read this:

    - https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    ....and there are LOTS of companies like Palantir out there....all hoovering away....births, deaths, marriages, credit ratings, mortgage records, DNA results....and all this is being done FAR AWAY from IoT devices on your local LAN.

    Be afraid, be very afraid!

  10. Andrew Yeomans

    Supported or vulnerable?

    "Not supported" doesn't mean the device is vulnerable, just as "supported" doesn't mean it is secure. The survey states "57% of IoT devices are vulnerable to medium- or high-severity attacks" which is worrying. However it doesn't distinguish between the vulnerabilities due to poorly configured devices (which can be fixed quite easily) and vulnerabilities that require software update to fix.

  11. 0laf Silver badge

    I'm not sure we should be lumping in multimillion pound medical imaging scanners with £5 Amazon tat. A scanner is worth investing some time and money into securing to allow its ongoing use. Your Amazon dogfood reorder dash button we can probably survive throwing out with the rubbish.

    1. Anonymous Coward

      We bought a several million pound MRI machine from one of the larGEr medical device manufacturers last year and that was still running XP Embedded.

      It's not always their fault, as getting these things through approval processes can take up to 10 years; that means even if the OS was state of the art when they started, it would probably be state of the Ark by the time it was approved.

      1. Alan Brown Silver badge

        "We bought a several million pound MRI machine from one of the larGEr medical device manufacturers last year and that was still running XP Embedded."

        And who, exactly, didn't specify that the OS/firmware within this piece of hardware MUST be secure, and able to remain securable for the projected 15-20 year life of the device, including against any exploits which may show up in future?

        That's the person in YOUR organisation you send the bill to.

        1. Charles 9 Silver badge

          And then you get the reply, "No Offers At Any Price," and the higher-ups are expecting you to get your devices in gear yesterday...

    2. stiine Silver badge

      re: multimillion pound medical imaging scanners

      And yet, they aren't.

  12. This post has been deleted by a moderator

  13. Anonymous Coward

    especially easy things like printers

    Well, when said patch do exist ... My shit Canon printer got one the first 3 months I owned it, then fuck all ...

    Well, like any IoT I presume ...

  14. big_D Silver badge

    The "S" in IoT

    stands for Security.

    Nuff said.

  15. tip pc Silver badge

    IPv6

    Of course IPv6 will make it far easier to secure these IoT devices, won't it.

  16. sorry, what?

    "I do Internet of Things, me"

    That self-defining label for anyone using IoT.

  17. Kev99

    Well, DUH! Anyone with an iota of knowledge would know the 'Net is just a bunch of holes held together with string and that the "Cloud" is nothing but a bunch of holes held together with vapor. Why anyone in his/her right mind would want to expose their personal activities to the world is beyond me. What if that person had to have a special diet? Whoops. Igor from South Slobovia just changed the recipe. How about that special door lock you can control with your phone? Sorry, Charlie just cracked it and you'll find your goods at the local flea market.

  18. Anonymous Coward

    Simple fix for IOT....NOT (Network of Things)

    Hospital equipment should be connected to a local-only network so security updates aren't an issue. If data needs to be made accessible online, it should be transferred by a safe channel to a secure internet-connected server.

    1. Charles 9 Silver badge

      Re: Simple fix for IOT....NOT (Network of Things)

      Then the server gets hacked or someone in desperate need to jump hoops bridges networks. That's what you're up against.

  19. RLWatkins

    I hate to be "that guy"...

    ... but I am thoroughly sick of hearing about the "Internet of things". An internetwork *connects other networks* to one another. If your things talk to each other, it is a *network of things*.

    And 99.9% of the time, despite what various rapacious data harvest... erm, vendors keep telling us, there is no good reason, none, to connect your network of things to the Internet, and a whole compendium of reasons not to.

    I can't even believe that people are still debating this. This is like installing a video camera in your bedroom, a monitor on a light pole on the nearest street-corner, then debating about how to maintain your privacy.

    Is hell full again? Are those the dead I see, walking the streets? And these people vote....

  20. Mike 137 Silver badge

    "83% [...] running on unsupported operating systems"

    I for one am not unduly confident about the value of "support" from vendors who consistently get their product so wrong that it needs constant support (aka bug fixes) for its entire operational life. It's all the vulnerabilities that haven't been patched yet that you should worry about.

    IT is not yet a mature engineering discipline, and for that reason it's being deployed too widely and too soon for safety.

  21. Will Godfrey Silver badge

    We are not the people needing to be told

    The ones that are, don't understand, and/or don't want to know.

  22. one crazy media

    Fundamentals

    1. Use your brain

    2. C-Suite, don't save money by sacrificing security

    3. Developers, you are not security experts, you only know how to call APIs to make security (e.g., PKI) work, so listen to your security experts.

    4. The security team is on your side, so, C-suite and engineering managers, pay attention to what your security team is telling you.

    5. Don't use proprietary OS, pick an OS with widespread adoption and solid community support.

    6. Listen to your cloud service providers and don't think you can make anything cheaper, better and more secure than the CSPs.

    7. Use certified container distributions, since most IoT applications use Container technology and micro services

    8. Secure all ingress and egress internet interfaces

    9. Secure all internal virtual network interfaces.

    10. Use cryptography extensively

    11. Own and manage all your cryptographic key management operations and do not give them to a third party. Every CASB has limitations and may provide you with a false sense of security.

    12. Automate infrastructure and security deployments and verify all security controls are verified and certified by your security teams.

    1. Anonymous Coward

      Re: Fundamentals

      You assume too much:

      - Not everyone has a brain. It's optional in today's world, especially up top.

      - The C-Suite has investors to please, and they want their money yesterday or there'll be a shareholder revolt.

      - The security team may not be as competent as you think...if they're not actually acting against you.

      - Just because an OS is widely supported doesn't mean it's not vulnerable, and the bad guys only have to be lucky once.

      - It may not be possible to find or even secure all the possible interfaces out there (hidden ad-hoc bridges?).

      - Even if you house the "crown jewels" in house, how do you guard against moles and industrial spies?

      - How does one automate anything when there are legal requirements to have someone sign off on that kind of stuff for legal reasons? Plus there's the matter of the incompetent or traitorous security team...

  23. NStark

    IT security is not the same as IoT security (or OT). Context and protection varies...

    ... that means that not all practices are practical - or even helpful in IoT. For example, encryption is not always necessary hence baking it in law would not be a good idea (unlikely too as Governments - especially US - have not favoured strong encryption). Security is a moveable feast hence law needs to focus on security objectives and removing malpractice not specific methods. Same point applies for 2FA - the access control authentication modality should be commensurate with the application.

    UK gov is looking to regulate for consumer IoT - includes passwords and patching - see https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products - not perfect but it's a useful start.

    The IoT Security Foundation published a paper on Healthcare IoT (and a few others) - see here https://www.iotsecurityfoundation.org/best-practice-guidelines/


Biting the hand that feeds IT © 1998–2020