Convenience over security. That’s a conflict we run into almost daily, and the IoT scene is no different. I stumbled into yet another excellent example with my Denon home theatre receiver a while ago. It’s one of these quite modern devices that is built around digital technology from the ground up. HDMI is the primary input connector and you really need to hook it up to a TV to be able to configure it using on-screen menus. And yes, there is an Ethernet connector too.
But why is this device on my network? It has really useful functions that justify a connection. It’s not just another nerd gadget like the telnet-supporting teapots. It can play Internet radio and music from Spotify or Pandora. That’s quite convenient because it works standalone without a computer. I can also play files stored on network devices. Or stream using AirPlay. So it does pretty much resemble a modern smart TV, except that it is audio-centric.
Another useful feature is the IP-based remote control. The device has a web interface that I can open to select source, adjust the volume and manage a bunch of other features. And even better, there are apps for iOS and Android that do the same with a much nicer user interface. Just install the app, select the device from a list and have full control.
But wait. Isn’t something missing from that user experience? Yes, it’s the password. Both the web interface and the app are wide open to anyone on the same network. Or actually, if you are on the same network you can select the device from a list. If you are somewhere else, but can communicate with the network, you can connect if you know the IP-address of the device.
I can certainly see why Denon designed the device this way. No security is the most convenient security approach. They rely fully on your home network instead. It is assumed to be a walled garden where only legit users can exist. And this approach is naturally convenient as long as the assumption is true.
But is it true? Not always. Many people have poor WiFi security and even run open hotspots. And what about environments where the network isn’t private? Households can easily share a WiFi hotspot and some buildings may even have common networks for all residents. Not to mention the scenarios where a compromised device becomes a gateway into your protected environment. Did the Denon engineers consider this? I don’t think so.
The lack of a security mindset is even more apparent when you take the obvious next step. Can I turn off the remote management feature? No, you can’t. Or to be precise, there are two options: always on, and off in standby. The most secure option, always off, is missing. And the off-in-standby option is documented as a power saving feature, not as a security feature. So this means that no matter if you want remote control or not, it will always be on when the device is on. And it will be on in standby too by default. The only way to disable it is to unplug the network, and that naturally has nasty side effects if you want to use the other network features.
One more thing the device can do over the network is to fetch software updates. That’s good: an efficient maintenance process and patch delivery channel is essential for keeping devices secure. Denon is in this regard a lot better than many other vendors. But the funny thing is that their need to do security patching should be minimal. The device’s security can’t be broken if it has no security. (* 🙂
The bright side here is naturally that an owned amplifier isn’t the end of the world. A hacker could come up with a lot of creative pranks, but breaking the speakers is probably the worst possible scenario. But this is still an excellent example of lacking security. The Denon approach is unfortunately common for IoT devices, and this is a fact that we just have to live with. An IoT home will consist of devices from many vendors with many different security approaches. We will not in the foreseeable future be able to build secure IoT environments that rely on the devices’ own security. The remaining option is to manage our network environment. Make sure your network serves only your own family and nobody else. Make your WiFi secure by using encryption and a proper password. And last but not least, remember that any device that can host malware is a potential backdoor to your home. Keep your devices clean.
(* That sounds funny but is strictly speaking not true. Any device that is communicating with others needs to be resistant against inbound malicious connections. Bad code in the network routines could still make DoS scenarios possible even if the system is open and users aren’t authenticated.
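A small inventory check for the situation described above, added here as an example (it is not code from the original post or from Denon): it requests each device's web interface without credentials and reports whether the device asked for authentication. The inventory address and the `classify`, `probe` and `audit` names are assumptions made for this example, which is meant for the devices on your own home network.

```python
"""Does the web interface of my own devices answer without credentials?"""
import re
import urllib.error
import urllib.request

# A password field means the page is a login form, not an open control panel.
PASSWORD_FIELD = re.compile(r"type\s*=\s*[\"']?password", re.I)


def classify(status, headers, body):
    """Classify one HTTP response; headers is a dict with lower-case keys."""
    if status in (401, 407) or "www-authenticate" in headers:
        return "auth-required"
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        if PASSWORD_FIELD.search(body):
            return "login-form"
        return "open"  # content served with no challenge at all
    return "error"


def probe(url, timeout=3):
    """Fetch url without credentials and classify the final response."""
    req = urllib.request.Request(url, headers={"User-Agent": "home-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, headers, body)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers
        headers = {k.lower(): v for k, v in err.headers.items()}
        return classify(err.code, headers, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit(devices):
    """devices: {name: url} for equipment you own. Returns {name: verdict}."""
    return {name: probe(url) for name, url in devices.items()}


if __name__ == "__main__":
    # Constructed inventory entry; replace with your own devices' addresses.
    inventory = {"receiver": "http://192.168.1.50/"}
    for name, verdict in audit(inventory).items():
        print(f"{name}: {verdict}")
```

A verdict of `open` marks a device that relies entirely on the network around it, so it belongs on a network segment that only your own household can reach.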