If the number of new vulnerabilities in IoT devices were represented by raindrops, today there would be flood warnings across the nation. If the task of securing these devices were represented by climbing a mountain, it would be Everest to ascend. If the whole situation were represented by one word, it would need to be IIDDIOTIC—It’s Incredibly Difficult to Defend Internet-of-Things in Cyber attacks.
Maybe it is time to give the Internet of Things a new acronym. The current one, IoT, just doesn’t convey the sense of anxiety this new frontier instils in security professionals and the risk that these device security flaws present.
IT executives tend to believe that IoT hacks focus on consumer tech. It would be a mistake to rest easy. Without big fixes from manufacturers, IoT attacks will almost certainly cause widespread damage to a variety of business sectors. Industrial companies increasingly use IoT devices to monitor operations. It’s not hard to imagine a ransomware attack that threatens to damage the cooling system of a refrigerated truck. And in Finland, we’ve already seen attacks knock out the heating system of entire apartment buildings through an internet-connected thermostat.
The Largest Attack Ever
To see how an attack on consumer devices can disrupt business, look back just a few months, to a botnet attack utilizing malware called Mirai—a brute force attack that guesses the device’s factory default password. Back in 2016, more than 1 million compromised IoT devices unleashed a powerful attack on Dyn, a DNS provider that matches a website’s name to its numeric IP address. Baby monitors, home security cameras, internet-connected printers, and more were enlisted to flood Dyn’s servers with traffic. Volumes exceeded 1 Tbps, a rate of attack that internet security experts hadn’t seen before. Spotify, Twitter, and Reddit, to name a few, all saw traffic slow to a halt or shut down.
It was the biggest attack on record, and yes, it had a financial impact not only for the companies whose websites were shuttered, but for countless others who saw traffic slow.
A Known Flaw Still Unpatched
If you think IoT device makers rushed to patch security holes after the Dyn attack, you’d be wrong. The same security weakness exploited by Mirai is now used by a new IoT attack known as BrickerBot to render devices useless.
Whereas other IoT attacks shanghai devices into a botnet army and deploy them in DDoS attacks, or use them to spy on people, BrickerBot does not appear to be deployed with financial motives. BrickerBot does not ransom; it destroys.
IoT device makers quite frequently publish default passwords on the internet, making them easy for hackers to find. In fact, security researchers have been warning for years that default credentials are a glaring security hole. Many manufacturers rely on unsecured open ports, which make IoT devices a tempting target.
To-Do List for Guarding Against IoT-Based Attacks
While waiting for device makers to get their acts together, there are a few things that security professionals, and even some consumers, can do to secure these devices.
• Change the device’s factory default credentials.
• Disable Telnet access to the device.
• Use Network Behavioral Analysis to detect anomalies in traffic and combine with automatic signature generation for protection.
• Perform user/entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
• Add an IPS to block Telnet default credentials or reset Telnet connections. Use a signature to detect the provided command sequences.
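As an added example (not part of the original article), the behavioral-analysis and IPS items above can be approximated by a small detector that flags sources making bursts of failed Telnet logins and reports any device that then accepted a login from such a source. The log format, the function name `analyze_telnet_log`, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (chronological); the line format is an assumption.
SAMPLE_LOG = """\
2017-05-02T10:00:01 telnet login failed src=198.51.100.7 dst=10.0.0.21 user=root
2017-05-02T10:00:03 telnet login failed src=198.51.100.7 dst=10.0.0.21 user=admin
2017-05-02T10:00:05 telnet login failed src=198.51.100.7 dst=10.0.0.22 user=root
2017-05-02T10:00:06 telnet login failed src=198.51.100.7 dst=10.0.0.22 user=admin
2017-05-02T10:00:08 telnet login failed src=198.51.100.7 dst=10.0.0.22 user=support
2017-05-02T10:00:09 telnet login ok src=198.51.100.7 dst=10.0.0.22 user=user
2017-05-02T10:02:00 telnet login failed src=192.0.2.10 dst=10.0.0.21 user=admin
2017-05-02T10:07:00 telnet login failed src=192.0.2.10 dst=10.0.0.21 user=admin
2017-05-02T10:07:20 telnet login ok src=192.0.2.10 dst=10.0.0.21 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet login (?P<result>failed|ok) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)$"
)

def analyze_telnet_log(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return (guessing, accepted).

    guessing: {source: sorted devices} for sources with at least
              max_failures failed logins inside one sliding window.
    accepted: [(source, device)] logins accepted from a flagged source;
              these devices need a credential change and Telnet disabled.
    """
    recent = defaultdict(deque)   # source -> (timestamp, device) failures in window
    guessing = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines in other formats
        ts, src, dst = datetime.fromisoformat(m["ts"]), m["src"], m["dst"]
        if m["result"] == "ok":
            if src in guessing:
                accepted.append((src, dst))
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            guessing[src].update(d for _, d in q)
    return {s: sorted(d) for s, d in guessing.items()}, accepted
```

The sliding window keeps an administrator's occasional mistyped password from being flagged, while a burst across several devices from one source is.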
A Concerted Response from Industry
Unsecured devices leave us all at risk. If 95 percent of users take up security on their own, the remaining 5 percent still leaves a sizeable number of devices.
In a November 2016 survey, 69 percent of respondents blamed device makers for massive security breaches. This makes sense. If consumers cannot be trusted to change their own passwords, manufacturers should start taking security more seriously, or risk a rising tide of mistrust that forces them to do it.
So far, it doesn’t appear that device manufacturers have heard this call, but the business community needs to push them to do it. It’s in all of our interests.