Alexei Balaganski - The Sorry State of Consumer IoT Security and How Can We Possibly Fix it

The internet of things, what is it? And what part of it is the consumer internet of things? Well, first of all, let's define the internet of things as a universe of all devices, which are smart. Basically they can do something random, fairly limited embedded computer hardware. They are always connected to the internet and they are mostly owned or operated by consumers. And of course they are insecure by design around the scale of consumer IOT is actually mind boing because it has exceeded the, I mean, the number of devices in the consumer segment of the IOT alone has exceeded the world's population 10 years ago, and it's continuing to grow exponentially and it's expected that by 2020. So in less than two years time, the market size will probably reach to somewhere around 50 billion for just that year alone, over two thirds of all consumers around the world, probably already own or plan to own at least one 30 device.
Some of them maybe even not know at all that they already own. One. There was an interesting study done by an American company last year, which has a estimated that nearly half of all American consumers explicitly worry about potential compromise of their security or safety or privacy through such a smart device. And yet vast majority of them have actually no idea what exactly an IOT device is. And how far have they entered their daily lives? Before I prepared this presentation, I've made my own inventory. Basically I looked around my own apartment where I still live alone. Probably one of the reasons why I still live alone is that I have no less than 24 IOT devices in my apartment alone. Those are just those. I actually know that I can manage. I have strong suspicions that there is one device in my electric meter and the gas heating device, but unfortunately I have no control over them at all. And that, of course not including any smart but stronger devices like mobile phones, computers, and so on.
And naturally this are huge fleet of devices, which controls all areas of our lives and has nearly no built in security have led to massive number of threats, which expand, extend beyond just the consumer market and enter the enterprise segment. Basically it affects everyone on this slide. I've listed a short history of one of the probably most well known IOT, consumer IOT threats, the botnets the first more or less while they publicized one was discovered back six years ago in 2012, it was largely an academic project which exploded exploited Linux embedded devices did no harm. It was basically doing a survey of the internet of things, but unfortunately the next one was already much more harmful starting with best light, which exploited well known vulnerability in the Linux shell four years ago, kind the primary purpose for an IOT botnet has been doing DDoS. The denial of service attacks across the internet the most well known is definitely Mik, whatever you call it or the bot, which has targeted hundreds of thousands of devices like cameras are mostly consumer owned, mostly unprotected and without any passwords, it also did not help when its source scored was leaked and a huge number of derivatives have been created.
And one of those probably most well known to German visitors of our event was that debacle of D telecom, where one of the has crashed or nearly a million of internet home internet truths can basically put in nearly a million of Germans of the internet for quite some time. The most recent one is definitely the VPN filter botnet, which is still active. It's still out there and it's not just doing DDoS. It's much more sophisticated. It's known to be stealing, to steal personal data just by sniffing network or even crawling through network devices. And of course all the recent political climate, no highly likely that the Russians did it well as a, at least a born Russian, I have very mixed feelings mixed of kind of strange pride and shame at the same time. Well, I have learned from the earlier keynote, I have to say, I am deeply sorry about that.
Well, the next one of course is our plethora of privacy threats, which are consumer IOT devices are caused to consumers. First of all, nobody, almost nobody treats an IOT device, a smart cattle, a doll, or a connected TV as a computer. So it, it must be saved that cannot be a virus for a ticket, right? Unfortunately there can be definitely. And again, five years ago, it has been discovered that again, a very suspiciously looking Chinese company has sold smart Les with spy chips installed, which record sending out malware and spa and still personal data. However, the more recent examples include, I would say much more troubling things.
That's again, that was a widely publicized case here in Germany. A few years ago, among my friend Kyla dos, who were not just kind of leaking personal data or lacking the most basic security controls, which could be exploited. They were actually actively engaging with children asking them personal questions, like what are your parents' names, pets names, and recording those information and linking it somewhere to the world without any consent could be, could have really troubling consequences. And I'm glad that it was actually banned here in Germany, SP R tools. The next one was just last year or the cloud patch, again, a smart toy cuddly bear or something like that. Not only was it doing the same kind of passive voice monitoring, it would actually be hacked. And it was demonstrated that it could be made, you know, telling creepy stories to children, scaring them for every parent around here, I guess it at least a little bit troubling. And the latest one, probably the most why publicized one, the Alexa caught is dropping on people, actually recording a totally unrelated conversation and leaking it to third party person. It was blamed on the rare combination of accidents. Like some keyboard mistaken for Alexa, send my record into a friend sounds studio, but unless what can we say? It cannot be problem anyway, massive privacy problems, massive data leaks, and absolutely no control over the consumer data safety or the extent of it being shared with third parties. And there are nobody is responsible.
There are of course physical safety concerns as well. Probably again, the most well known one was the remote hack over Jeep, which was done by security researchers three years ago. I've read very dramatic article about a report who was actually caught driving on the highway with his engine and brakes disabled. And he was lucky he was uphill because otherwise it could have led to a very tangible physical crash and these tools or open source. They are part of an academic research project. Everyone can use them, modify them and create their own exploits. Again, another more troubling, more physical, more health related cases, which were covered recently, the baby heart monitor.
It's a home device. It's not a proper medical device. So it likes even the most basic security controls. Anyone just with a drive by wifi device could disable remotely kind of completely negating the whole purpose of monitoring your payment health remotely with the potential set consequences, even more set could be the consequences of remotely disable in the heart pacemaker. And again, only after public disclosure and public pressure on the manufacturer, he was actually forced to admit that yes, the issue exists and there was a pitch. But imagine that you have to actually go to a hospital and potentially have a, hopefully a small operation to have your part of your body pitched for a security update.
There is a lot of other potential threats on this slide. I've just included a graph of another research done by park associate last year. Basically it's not just the potential problems which can happen. It's are the problems which have been reported and covered on the general media kind of broadly enough for consumers to take notice and explicitly express their worries. Again, that 20% of people can actually believe that smart TV can have a virus after all. I don't know. It's somewhat comforting to me, the security Analyst, but on the other hand, 20% is nearly not, not enough. So what are the reasons why do we observe this sad state of consumer security? Well, first of all, obviously kind of, there was a boom of putting smart functionality in every device was the recent years smart. Sounds cool. Smart sales secure. Unfortunately not nearly as much.
Again, these smart devices, TVs, fridges, microwaves cars. They are not perceived as it device. It's not a computer. So people selling them, people buying them have absolutely at least they start expressing concerns when it's almost always too late, they are always connected. And as they're always most often left unchecked, you never know what's going on under the behind that blinking red L a D in your, in the corner of your room, but it may very well be recording everything, transmitted everything to, well, let's say China, Russia, but actually anywhere in the world, most of those are produced in south Asian countries designed from cheap commodity hardware kit or so basically people making them people designing them, have no idea how the, those internal things are working. And of course they have no experience, no expertise of even thinking about bolting, some kind of security on top of those kit.
They often rely on outdated open source components. And as much as I love the concept of open source, the open source and security do not mix well. We know that from the present storage bit, open SSL bash and plethora of other security problems. Again, very limited developer qualification. You basically get a kit. You put some plastic case in on top of it. You run some open source cloud servers somewhere, hopefully outside of China and you put it on the market. But the worst that there is very limited liability for abuse and negligence here, there is no regulations. Most of the so-called digital goods are not covered by existing physical safety regulations. So there is absolutely no reason for any manufacturer to even think about investing in cybersecurity.
So what are the actual risks? What are the problems again? Persistent internet connectivity is probably the biggest one. Unfortunately, most of our smart devices are not designed to work without that connectivity with the recent adoption cloud services. Now, even the, the, the simplest and the dumb, the dumbest smart tool like remote controlled power outlet. For example, it won't work if you, if you don't have a persistent in that connection, which I found the hard way myself and I have a box in the corner of my seller, where I keep those discarded Chinese made smart IOT devices, insecure communications. Again, that connectivity is almost never has even the basic protections like SSL. And even if it has it's will very well be the outdated version known to be compromised. We could default credentials, probably the most widespread one. Every device you buy. It has a, if at all, it would have a admin admin login or one to three for five, and probably the worst majority of the users would never even think about changing it, unprotected data storage, any data which is stored on the device locally and easily be extracted from the device, just assembly and taken out a smart card, a storage card.
And it'll probably never be encrypted as well. Back doors, mostly unintentional, like those route accounts, developer accounts, almost every hardware IOT kit has a serial console for debugging. And the console is almost always left, connected and active. So you just need to buy a cheap cable and then you can hack your Alexa device or your smart doll or your fridge, whatever you like. And again, unprotected backend, not only they are unprotected because of negligence and lack of expertise. Sometimes they are actually unprotected on purpose because again, those companies, they probably earn more money from selling your collected data to third party than from the actual hardware where the margin is so small.
Let's talk about basic IOT, the consumer IOT hygiene. Obviously the most sensible advice here is just don't buy those devices. Do you really need a smart tea Kele? Is it really so important for you to have a cattle kind of boiling waiting for you when you come home? You'll probably save a minute of your time, but you'll lose a lot in exchange. Again, you have always know which devices you have at home. I can see myself a little bit above the average kind of computer and security skill level consumer, and still I've only found 24 devices at home. And there is definitely more, just a couple more where I actually have no idea what they're doing because I have no control. Of course, you always have to have strong credentials. You have to change the default password for every device, even those devices, which you probably assure that you never ever connect to the internet and use in a smart mode, like a fridge, regular updates are whenever possible network installation, whenever possible. That's already a very or advanced level where most of consumer devices won't even give you such opportunity. And of course our, the most hardcore consumers have to actively look for IOT security tools.
I just included this one of my favorite comics about make, upgrade procedure quick and painless. Unfortunately for most IOT devices it's procedure the same, the only way to actually update it or make it more secure is to throw it away and get a new one and hope that the new one is better. It's it's not more often than not. So let's talk about IOT security products, the biggest problem either cause that there aren't many out there and those that are aren't very capable. Again, it probably has very little relationship to the topic on the other speakers, which will follow me today. But when you think about it, maybe that's exactly the reason why there are so few consumer security products out there that because we are not talking about them enough. So let's, I mean, I'm doing my part most obvious. Most is the most primitive.
And at the same time, the most accessible to anyone are software tools. There are actually some free tools or most often often by your traditional anti malware vendors. If you can install on your computer on your phone and just keep that inventory of your IOT devices, just knowing that you have 24 and not five, as you initially thought is already a great step towards securing your smart home. I want you or vulnerabilities isn't at least that you know, that you should throw away that smart plug because it's it's hopeless. You cannot actually fix normal vulnerability.
Slightly higher level would be hardware firewalls. It's typical a device I've included a few picture on the right side device, which would block in between your existing, which you get from your internet service provider and the rest of your network. And that claim that would, of course, those devices are AI and machine learning based and whatnot. And they would claim that they do about the same job as the software, but being in line. They actually can not just detect those risks, but actually prevent them. I have very mixed feelings about those devices and there are very, the few early players on the market. To me as a again is a slightly more security conscious as an average person, the consumer myself, I would say there are definitely not worth the money yet, but let's hope it will improve. And finally, probably the only hope for the future for us is, are the hybrid platforms, which usually combine some security analytics, which we know from the enterprise segment running there in the cloud with some kind of local agent running directly on your router, the one you get from your internet service provider, there have been some really exciting, at least exciting to me as an Analyst development on there.
Unfortunately they all suffer from the same problem, very low market penetration. You actually, I mean, unless a company like do Lecom or unity media, which is my service provider actively decide to incorporate that software into their routers and then invest lots of money into replacing their legacy ones with the new models, they will never reach our homes.
And or those of you have who have ever listened to my earlier webinars who probably know rest. I, I am a big fan of our government regulation, obviously being born in the Soviet union. That kind of part of my DNA, I guess. And, but I was actually very happy and really kind of SMU a little bit last week when I read an article published by a very famous security research proof style, who basically, I would say for the first time, in a really long time, it was probably the first major, well known worldwide security expert explicitly say saying the same thing that for nearly every industry we can look or in the past security never worked, unless it was forced by the government. So me and BNY, we are in this together, right? There have been some traditional consumer protections and safety laws. Of course, for years, unfortunately they to not work on the nonphysical goods on the nonphysical risks, there have been privacy and data protection conditions.
The obvious one is GDPR. So we finally, there is at least one thing which we can point the finger at and say, you see Chinese conceive my manufacturer consumer device manufacturer. If you want to sell it to the EU, you at least have to think about it. And unfortunately the private regulations are definitely not enough. There has to be something put on top of that in the area of the pure play security. And of course those regulations aren't actually that effective outside of the EU. There have been some interesting development recently, the most obvious one the most well known one is the, the so-called parts, what law in California, the, the actual law, probably the first one, anywhere in a major geography that explicitly postulates some reasonable security measures to be built into every consumer device. Again, great news first step towards the right direction.
Unfortunately, it's only in California and it's only starting in 2020, so it's still better than nothing. And this is actually my last slide. The summary is, first of all, obviously IOT is not, it, it has very different safety regulations. It has very different business and security and privacy risks, at least from the point of view of consumers. So whenever we are talking about IOT and consumer IOT security, we really have to think more in terms of the traditional physical safety and the traditional industrial safety. So it's actually more like consumer OT in a way we need better education to make, to finally make consumers actual the driving force, the business, the tangible business benefits for manufacturers to invest into security. And then again, without strong regulations, it'll never work. So can we please keep fingers crossed for the consumer digital security regulations in the European union? And that's, that's it from my side. Thanks a lot. And we have a couple of minutes for eventual questions, anyone. Okay. Well, thanks to me. Thanks to you. And let's continue with our next presentation.