“Internet of Things” security is hilariously broken and getting worse

Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.

"It's all over the place," he told Ars Technica UK. "Practically everything you can think of."

We did a quick search and turned up some alarming results:

The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.

Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.

While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.

Of course insecure webcams are not exactly a new thing. The last several years have seen report after report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.” Tentler told Ars he estimates there are now millions of such insecure webcams connected and easily discoverable with Shodan. That number will only continue to grow.

So why are things getting worse and not better?

The curse of the minimum viable product

Tentler told Ars that webcam manufacturers are in a race to bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.

"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity]," he said. "The vendors don't want to lift a finger to help users because it costs them money."

If consumers were making an informed decision and that informed decision affected no one but themselves, perhaps we could let the matter rest. But neither of those conditions are true. Most consumers fail to appreciate the consequences of purchasing insecure IoT devices. Worse, such a quantity of insecure devices makes the Internet less secure for everyone. What botnet will use vulnerable webcams to launch DDoS attacks? What malware will use insecure webcams to infect smart homes? When 2008-era malware like Conficker.B affects police body cams in 2015, it threatens not just the reliability of recorded police activity but also serves as a transmission vector to attack other devices.

"The bigger picture here is not just personal privacy, but the security of IoT devices," security researcher Scott Erven told Ars Technica UK. "As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby's crib."

Admiring the problem is easy. Finding solutions is harder. For his part, Tentler is sceptical that raising consumer awareness will be enough to solve the problem. Despite tons of press harping on about the privacy implications of webcams, it’s pretty clear, according to Tentler, that just telling people to care more about security isn’t going to make a difference.

Instead, he argues it's time to start arm-twisting vendors to release more secure products.

FTC to the rescue?

When it comes to strong-arming manufacturers, government entities like the US Federal Trade Commission (FTC) may be able to help. Ars UK spoke with Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, and she was quick to mention several examples where the organization went after at-fault companies. In recent years according to Mithal, the FTC has prosecuted more than 50 cases against companies that did not reasonably secure their networks, products, or services.

The FTC takes action against companies engaged in deceptive or unfair business practices, she explained. That includes IoT manufacturers who fail to take reasonable measures to secure their devices.

“The message from our enforcement actions is that companies can’t rush to get their products to market at the expense of security,” she said. “If you don’t have reasonable security then that could be a violation of the FTC Act.”

In addition to the precedent-setting enforcement action against TRENDnet, the FTC also issued security best practices for IoT manufacturers back in January 2015, urging them to bake in security at the design phase rather than bolting it on as an afterthought. Vendors should train their employees in security best practices, the FTC said. Such practices could be a "defence-in-depth" strategy to mitigate risks, pushing security patches to connected devices for the duration of the product life cycle, and so forth.

This is all sensible, top-notch security advice. The FTC even followed up with an official guidance document in June and a series of workshops for businesses on improving their security posture.

Erven told us that these new guidance documents are a warning to businesses to improve—or else. "The thing that really does come next after guidance is regulation, if they don't pick up their game and implement [the official security guidance]."

It may already be too late to avoid regulation. Mithal told Ars that the FTC has asked Congress for federal data security legislation that would give the commission the authority to seek civil penalties for companies that don’t implement reasonable security. Rather than mandate highly prescriptive, technology-specific legislation (for instance, “you must use this firewall and that kind of encryption”), the FTC seeks a process-based approach that will remain valid even as technology continues to advance.