Printers now the least-secure things on the internet

BitDefender's senior threat analyst Bogdan Botezatu despairs of IoT security


The Internet of Things is exactly as bad a security nightmare as pessimists think it is, according to Bitdefender's Bogdan Botezatu.

The senior threat analyst at the Romanian security software company called by to chat to Vulture South while in Australia (we were, I suspect, meant to discuss the company's 2017 launches, but conversation digressed from the start, and there's plenty of time between now and the end of the year).

The Register has long been following the persistent awfulness of “SOHOpeless” broadband routers, but Botezatu says they've already been overtaken by the awfulness of other things.

“We get a lot of telemetry in our vulnerability assessment labs,” he said. “The router is no longer the worst device on the Internet. It's now the printer.”

That's a pretty big claim to make, given that in in less than a month, we've discussed the no-we-won't-fix-it Inteno router from Sweden and the record-setting Chinese surveillance router.

Botezatu himself has been horrified by routers acting as “smart home gateways”: for example last year, he tested one such device, and was pleased at its default security posture, but there was one problem.

“It allowed unauthenticated downgrades to the firmware,” he said. “So it doesn't matter that it looks secure.”

But the printers still win out: many, he said (without identifying the guilty party), offer public shares that are visible to the Internet (because lots of home users also leave their routers too close to default configuration).

Creating a power point that's “smart” and exposed to the Internet – like this one – is just stupid, because there'll never be sufficient security that someone's home ventilation machine can't be switched off by an attacker, Botezatu told Vulture South; a coffee-pot is an invitation to disaster, and “a smart electric oven should be just illegal”, he said.

There's a huge expectation gap between how ordinary people think of their whitegoods, and what happens when the Internet of Things invades them.

“We expect appliances to have a long lifetime, but vendors won't support them with updates forever,” he said. Once the world gets to the point where there's no “dumb” option for a refrigerator or washing machine, consumers will be in a squeeze.

Either they'll be force-marched into buying a new refrigerator/washer/dryer /microwave because the software is end-of-life; or they'll be stuck with a product that's vulnerable to attackers.

“There's always an attack surface”, he said. “The Internet of Things overcomplicates things massively.

“How do you patch things that have no user interface?”

Certainly not by any kind of vendor push-process – because that means vendors will hold credentials of some kind, and we know that golden keys inevitably leak somehow.

There's a (euphemistic) shedload of IoT vulnerabilities already, Botezatu said: “It's scary, it's complicated, and it's potentially lethal.”

In a world where very simple social engineering spam still works to drop ransomware, he said, layering of security is still the best defence – signature detection, followed by heuristics, followed by behavioural analysis.

But the last layer, Botezatu fears, always seems to be “luck”: and in a world where a vulnerability could be a vector to burning down a house, that's just not good enough. ®

Similar topics


Other stories you might like

  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • AMD refreshes Ryzen Embedded line with R2000 series
    The target? Thin clients and industrial devices – with new SoC family running up to 4 independent displays

    Embedded World AMD is bringing to market a new generation of Ryzen chips for embedded apps promising more CPU cores, enhanced built-in graphics and expanded I/O connectivity to drive kit such as IoT devices and thin clients.

    Crucially, AMD plans to make the R2000 Series available for up to 10 years, providing OEM customers with a long-lifecycle support roadmap. This is an important aspect for components in embedded systems, which may be operating in situ for longer periods than the typical three to five-year lifecycle of corporate laptops and servers.

    The Ryzen Embedded R2000 Series is AMD's second-generation of mid-range system-on-chip (SoC) processors that combine CPU cores plus Radeon graphics, and target a range of embedded systems such as industrial and robotic hardware, machine vision, IoT and thin client devices. The first, R1000, came out in 2019.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022