Dec 28 / Rebecca Herold

Suggestions for Consumers Using IoT Products Containing Log4j

Many of our Privacy and Security Brainiacs and Privacy Professor consultancy clients have asked for a simple description of the Log4j problems they’ve seen so much about in the news lately. Here are some key facts and advice we’ve provided to them.

What is the Log4j Vulnerability?

Summarized with extreme simplicity, the Log4j security vulnerability is ultimately the result of insufficient secure coding and/or testing practices for software that is used in billions of devices worldwide. It is now being actively exploited, causing a wide variety of security incidents and privacy breaches.

Log4j is an open source software program, written in Java computer code by volunteers who are considered to be programming experts. Log4j is used to create activity logs for devices running on Apple, Windows, and Linux systems. The logs provide activity details for the associated devices that can be used to troubleshoot problems, track data within the devices on which Log4j is used, or for other purposes. Log4j has been used as the de facto logging code within a huge number of software programs throughout the world because the logs are extremely useful for troubleshooting software problems. Possibly an even bigger reason it is so widely used is that, as an open source program, Log4j code is free to use.

Log4j in IoT Products: Facts and Risks

Let’s consider just a few facts, and then associated risks that exist to IoT products and their users as a result of the Log4j vulnerability. First a few facts:

  • Java is the most-used programming language for IoT app development and typically includes Log4j; Java reportedly controls around three billion devices.
  • Because the Log4j vulnerability is so easy to exploit, this puts the other devices within the IoT product ecosystem at risk. This includes the associated cloud services, apps, gateways, hubs, controllers, Wi-Fi networks and routers, and the other networks to which connections are made (businesses, online retail, banks, financial sites, social media, etc.). The impact is worldwide and usually reaches far beyond the IoT product where Log4j resides.
  • The Log4j vulnerability allows unauthorized entities, such as hackers, snoops, and basically anyone else on the internet, to perform actions such as: access the controls on IoT devices; execute code remotely as unauthorized users; control, change or delete log messages; change, copy or delete data collected or derived by IoT devices; access other devices on the same networks to which the IoT products are connected. So, the impact to data and device use is significant.

IoT devices impact people’s lives worldwide. There are IoT devices that control: 1) temperatures in homes and other types of buildings; 2) personal assistants through voice controls; 3) smart locks; 4) smoke and fire alarms; 5) smart electricity plugins; 6) universal entertainment system remotes; 7) traffic lights; 8) Wi-Fi systems; 9) security systems; 10) garage door openers; 11) fitness trackers; 12) medical devices that are keeping people alive; 13) and an infinite list of other types of IoT devices.

Essentially, the Log4j vulnerability gives intruders a wide-open digital door, from wherever they are in the world, into your networks and devices. Once they are inside, they can wreak havoc by causing a wide range of harms: stealing, modifying, and deleting data; planting ransomware, malware, bots, spyware, and killware (which is a quickly growing concern); launching attacks on other networks from your devices, to cover their tracks and make it look like you were the attacker; bringing down networks and critical infrastructure to disrupt operations and disable systems that the public depends upon for safety and health.

Cybersecurity researchers are seeing cybercrooks actively targeting businesses to exploit the products that use Log4j, not only to attack those businesses but also to use those business networks as gateways to the other businesses connected to them. They are also attacking the software itself to disrupt anyone who may be using it. Given these facts, the potential harms from these risks are huge: from disruption of services, to the health and safety of the people depending on them, to the data that is collected through them.

What IoT Product Consumers Can Do to Address the Log4j Vulnerability

It is ultimately the responsibility of the manufacturers of the software containing the Log4j vulnerability to fix those software products as soon as possible, and for IoT product providers to ensure their products are updated as soon as possible. But how quickly will they fix the products? That will vary from manufacturer to manufacturer, and product to product.

We encourage IoT product consumers (organizations as well as individuals), and consumers of all other types of software and hardware, to be proactive. If you are such a consumer:

  • Determine the manufacturers and vendors for the IoT products you use.
  • Go to the manufacturers’ and vendors’ websites. Check to see if they have posted information that explains if they use Log4j in their IoT products.
    1. If they do, they should also provide information about how they are fixing the vulnerability within their products.
    2. If they do not provide such information, then contact the manufacturers and/or vendors. Look for the contact information on their websites. If they don’t list contact information on their main website, check to see if they have a website specific to their IoT products; many do. Ask them the following questions. Document each question along with the date and time you asked it, the answer you were given, and the name of the person who provided the information (a first name is okay; you need someone to reference later if necessary):
      1. “Does your IoT product (provide them with the product name) use Log4j?”
      2. “How are you fixing the Log4j vulnerabilities?” Ask for details, and not some one-sentence answer like, “We’ll fix it soon.”
      3. “How will you let me know when your IoT product has had the Log4j vulnerability fixed?”
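For organizations that run Java software themselves, the first step above (determining whether a product uses Log4j) can also be checked directly rather than only by asking the vendor: Java applications ship as JAR/WAR archives, and Log4j 2’s core classes sit under one known package path, frequently inside a nested archive that a plain file-name search misses. The following Python script is an added example written for this post, not the post’s own material nor any manufacturer’s tooling. It walks a directory of archives, recurses into nested archives, and reports every bundled copy of Log4j core together with the version string from its manifest or file name, so the result can be compared against the manufacturer’s advisory. The sample archives it builds, and version strings such as 0.0-SAMPLE-A, are constructed placeholders, not real releases.

```python
"""Find bundled Log4j core in Java archives (added example, not the post's code)."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Package path of Log4j 2's core classes inside any archive that bundles it.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Fallback: version embedded in a file name such as log4j-core-<version>.jar
VERSION_IN_NAME = re.compile(r"log4j-core-([0-9][0-9A-Za-z.\-]*)\.jar$")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(zf, location):
    """Scan an open ZipFile and its nested archives; return [(location, version)]."""
    findings = []
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        version = manifest_version(zf)
        if version is None:
            match = VERSION_IN_NAME.search(location)
            version = match.group(1) if match else "unknown"
        findings.append((location, version))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(scan_archive(inner, f"{location}!{name}"))
            except zipfile.BadZipFile:
                continue  # an entry that only looks like an archive
    return findings


def scan_tree(root):
    """Scan every archive below root; return [(location, version)]."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(scan_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root):
    """Create constructed sample archives; version strings are placeholders."""
    os.makedirs(root, exist_ok=True)
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    # 1. A stand-alone log4j-core jar whose manifest declares a version.
    with zipfile.ZipFile(os.path.join(root, "log4j-core-SAMPLE.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 0.0-SAMPLE-A\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", stub_class)
    # 2. An application jar hiding log4j-core in a nested jar with no manifest.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(LOG4J_CORE_PREFIX + "LogEvent.class", stub_class)
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr("com/example/App.class", stub_class)
        zf.writestr("lib/log4j-core-0.0-SAMPLE-B.jar", inner.getvalue())
    # 3. A jar that does not bundle log4j-core at all.
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("com/example/Other.class", stub_class)


def run_demo():
    """Build the sample tree in a temp dir, scan it, return {relative location: version}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(loc, tmp): ver for loc, ver in scan_tree(tmp)}


if __name__ == "__main__":
    for location, version in run_demo().items():
        print(f"Log4j core found: {location} (version {version})")
```

Run it against a real installation by calling `scan_tree("/path/to/application")`; each reported location is a copy of Log4j core that the vendor’s advisory must account for, and a nested path (`app.jar!lib/...`) is exactly the kind of copy that a file-name search alone would not reveal.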