End of the line, Internet of Things

Most gadgets and devices have an expected end of life; the Internet of Things is no different. Whether it’s because of outdated hardware, or software that’s no longer supported, all IoT devices will eventually become obsolete.

What does this mean for people who could well have a house full of IoT bits and bobs?

The IoT is still in a very early stage of existence and as you may have gathered from our blogging activity, a lot of it is seriously insecure from the get go. We’ve found faults with Cameras, Kids Dolls, Kettles, Thermostats and even Christmas lights. Luckily we manage to help a lot of vendors with their various issues and they generally respond positively and fix things.

There are cases however where vendors we have disclosed to decide that their product is at it’s end of life. So, even though consumers can still get them from outlets such as Amazon those devices aren’t supported, and continue to carry security and privacy risks.

A classic example is the case of TP-LINK’s TL-SC3230 IP Surveillance Camera kit. We reported a CSRF to them that allowed remote compromise of the video stream. Their response was that the device was no longer supported, so they wouldn’t be fixing it!

Is that a good plan? To allow your customers to be attacked and your brand to be damaged, rather than fixing your insecure coding mistakes?

Now, a vendor not fixing issues because they’ve replaced a product with something more up-to-date MIGHT be okay for something cheaply replaceable such as an IoT kettle. But let’s say we are talking about a £1,000 IoT home security system.

Is a manufacturer going to turn around in 5 years’ time and say “Yeah… Sorry this security camera as part of the security system is at it’s end of life, we won’t be fixing it, even if it does have remote code execution that allows an attacker to steal your video feed”. The answer is most likely a yes, as unfortunately many vendors do not take responsibility for vulnerabilities at an end of life stage.

What does this mean?

It means that potentially in 5+ years’ time when IoT devices have saturated the planet, and many are at their end of life we’ll have an attacker’s playground. We still see it today with average joe computer systems, where users are attacked due to missing patches, or even still running Windows XP- which effectively reached it’s end of life in April 2014 and hasn’t been supported since. Bear in mind that personal computer numbers will be small fry compared with what we’ll be dealing with when the IoT is in full swing.

Remember Mirai from not too long ago? You’d better be ready for something much bigger! A bigger botnet, more targets, more data loss and a whole load of potential for suing vendors for not patching their devices.

In December 2016 Samsung had an issue with their Galaxy Note 7 devices where they would catch fire. Due to the extreme nature of this issue they forced an update to all devices that stopped them from charging and eliminated their ability to work as a mobile device in order for the customer to send them back. Is this a possibility for IoT devices when they have extreme vulnerabilities, surely not?

Imagine having your household IoT lighting system turned off because you need to bring the bulbs back. That’s not going to be good, who even has candle sticks anymore? Or your central heating gets killed; married couples might have to have a cuddle again, madness.

My prediction

Users can’t expect software updates for life, as end of life is determined by the financial viability of a particular technology or gadget.

One solution could be that software updates will be available on a subscription basis. If you want to be secure and keep your devices up to date, you will likely need to pay for the privilege.

This would benefit vendors as:

1. They protect their brand as they have updates stopping issues and it is the consumers fault for not patching devices
2. They still have an income from older devices

What are the alternatives?

One option could be to somehow air gap your devices from the internet- much like what we used to see with industrial SCADA systems.

Have a secondary LAN in your house, just for IoT devices, so that your personal devices and data are not affected if attackers were successful. This would also save you a fair amount compared to a subscription service.