How our “Just Ship The Sh*t” mentality took down the internet
You’ve worked hard to bring your vision for a “smart” device to life, working through development, prototypes, and one too many late-night calls with China. But now your devices are part of the world’s largest sleeper cell, lying in wait to take down the internet on the whim of whatever rogue operator has the most money to pay.
Unless you’ve been living under a rock, you know that a few days ago, a calculated attack, orchestrated using compromised thermostats, surveillance cameras, and DVD players, took down thousands of websites for a few hours.
How did this happen? Part of it was laziness, with people installing these devices using weak or easily guessable passwords. But another contributing factor was that a lot of these devices also had additional ways to log in, and those login methods used the same password across millions of devices. The worst part? Most people, sometimes even the brands selling these devices, didn’t know how compromised they were.
Could this have been prevented? Absolutely! Some people have pointed to a nefarious plot to take down the internet, but really what caused this issue is people not asking the right questions. Picture this: you’re a reasonably wet-behind-the-ears product development guy turned entrepreneur on your first trip to China. You’re in Shenzhen, and maybe you took some of my advice about finding real suppliers, and you’re there sitting around the table, drinking tea and defining how you’re going to turn this firm’s smart device into your vision for the thermostat-o-tron.
The assumption that we make, often to our own detriment, is that the supplier we partner with is going to know all of the details about how we will use our products, the regulations that we need to meet, the use cases that this product will have, etc. Some of this is our fault, for not explaining well to these firms the very detailed specifics of what we need; but for the average person who is building their first product, there are always going to be things that are impossible to know. Some of this falls onto our suppliers; there are plenty of issues we can point to and say, “you should have known better!”
I’ve learned some of these lessons the hard way; hopefully our experience helps at least some of you with making devices more secure.
Engage in outside testing
The investment in penetration testing of your device will pay off hugely. Do you know about port scanning, Nmap? Do you know if your device has an open SSH host on board? Do you have an ISO file of Kali Linux on your laptop right now? If not, you should hire someone who does, and heed their advice. Have them test your device and demand that your Chinese partner makes changes to make your device as secure as possible.
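One way to act on the Nmap and open-SSH questions above, as an added example that is not code from the original post: a short Python script that reads Nmap's grepable output (`-oG`) from a scan of your own device and lists any open remote-login services. The sample scan, its addresses and the `RISKY_SERVICES` list are constructed assumptions.

```python
import re

# Assumption: services a shipping consumer device should not expose by default.
RISKY_SERVICES = {"ssh", "telnet", "ftp"}

# Constructed sample of `nmap -sV -oG -` output for devices on a test bench.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.50-51
Host: 192.168.1.50 (thermostat.lan)\tStatus: Up
Host: 192.168.1.50 (thermostat.lan)\tPorts: 22/open/tcp//ssh//Dropbear sshd/, 23/open/tcp//telnet///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.168.1.51 ()\tStatus: Up
Host: 192.168.1.51 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
"""

def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports."""
    hosts = {}
    for line in text.splitlines():
        match = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not match:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports_field = match.groups()
        for entry in ports_field.split(", "):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip filtered or closed ports
            port, _, proto, _, service, _, version = fields[:7]
            hosts.setdefault(host, []).append((int(port), proto, service, version))
    return hosts

def audit(text, risky=RISKY_SERVICES):
    """List (host, port, service, version) for open ports running a risky service."""
    findings = []
    for host, ports in parse_grepable(text).items():
        for port, _proto, service, version in ports:
            if service in risky:
                findings.append((host, port, service, version or "unknown version"))
    return findings

if __name__ == "__main__":
    for host, port, service, version in audit(SAMPLE_SCAN):
        print(f"{host}: {service} open on {port}/tcp ({version}), close it or justify it")
```

Run it against scan output from every firmware build, so a login service that reappears in a later build gets caught before the device ships.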
Make the investment in building your own firmware
This is not the easy path. The Chinese manufacturer is not going to want to give you their firmware, though this should be on the negotiating table FOR SURE. That being said, you may not need it. If the device you’re building is based on a common chip or chipset, you may be able to build firmware from scratch, so long as you have all of the other documentation (schematics, connected devices, etc). There are lots of firms and freelancers that you can engage to help you build your own firmware.
Make your device updatable
One of the biggest issues with a lot of the IoT devices connected to the internet today is that they are not upgradeable. Whether it is upgradeable via networking or USB, you need to be able to get new firmware into your device; as hard as you try, there is always going to be something you can improve.