When Things Attack: How to Survive the Coming Device Storm
IoT security is a growing concern for businesses, government and the individual consumer.
The recent attack on the Dyn DNS service raised the profile of the Internet of Things (IoT) as a potential vehicle for attacks on network systems. If rendering popular websites such as Twitter, Spotify and Reddit inaccessible wasn’t alarming enough, the fact that it was done by an army of “things” has revived concerns in the security community. While the Dyn attack did briefly deny access to a few popular sites, the attack itself is not the greatest worry.
“The DDoS attack on October 21 was the first of its kind to take advantage of large numbers of unsecured consumer IoT devices in people’s homes.”
— Jean-Pierre Abello, Director of Global Engineering R&D, Nielsen
The Dyn DNS service, providing essential Internet functionality, was flooded with traffic from an army of devices in an assembly called a botnet. The volume of traffic was huge, generated by more than 100,000 devices in a Distributed Denial of Service (DDoS) attack. Orchestrated by software called Mirai, this was not even the largest recent attack using this strategy. Just a few weeks previously, security advisor Brian Krebs experienced a larger attack involving the same software, and various other attacks have taken place over the past several years.
“The DDoS attack on October 21 was the first of its kind to take advantage of large numbers of unsecured consumer IoT devices in people’s homes,” says Jean-Pierre Abello, Director of Global Engineering R&D at Nielsen. “There have been other reported events of unsecured routers being infected by malicious code in the past, but never on that kind of scale. This incident shows that the vulnerabilities that security and privacy advocates have been warning against for years are real and that the IoT industry urgently needs to start adopting protective measures.”
Shutting down servers with a DDoS exploit can disrupt emergency services, harm companies and individuals and act as part of a composite attack. DDoS can be a powerful tool in the cybercriminal’s arsenal—and exploiting IoT expands its possibilities.
“While DDoS attacks can be very disruptive and cause significant losses, they may not be the worst threat facing consumers,” says Abello. “The possibility of ransomware eventually reaching consumer IoT devices is especially frightening, because it could lead to devastating personal losses and even loss of life. The consumer IoT industry is especially vulnerable to these types of attacks because mainstream consumers are not educated or equipped to protect and defend themselves against them, and device manufacturers haven't focused on a strategy yet for effectively protecting their customers.”
“There have been several IoT failures of note recently,” adds Jim Hunter, Chief Scientist and Technology Evangelist at Greenwave Systems and, along with Abello, a co-chair the Internet of Things Consortium (IoTC) Privacy and Security Subcommittee. “The Jeep hack—which demonstrated that the systems that control the velocity, direction and safety of a 3,000 plus pound projectile, that can be hurtled at nearly 100MPH with live human cargo inside—is perhaps the most concerning.”
“Treat every device we make as a child, to be protected from any outside influence through multiple avenues of security.”
— Jim Hunter, Chief Scientist and Technology Evangelist, Greenwave Systems
Symantec’s 2016 Internet Security Threat Report describes multiple vulnerabilities in 50 commercially available devices, including: a “smart” door lock that could be opened remotely online without a password; vulnerabilities in medical devices such as insulin pumps, x-ray systems, CT-scanners, medical refrigerators and implantable defibrillators; vulnerabilities in Internet-connected TVs; connection vulnerabilities in thousands of everyday devices, including routers, webcams and Internet phones.
Relief on the IoT Horizon
Many firms have sophisticated security solutions in place, but these can be compromised through lack of awareness. Device manufacturers need to be proactive in handling security issues. Industry organizations are only beginning to create standards to address this.
For companies, special concerns include:
- Access control, including strong passwords backed by policy and two-factor authentication where possible
- Data protection with on-device encryption
- Mobile device management systems, including remote find and wipe
- Regular updating of all devices to ensure security patches are applied
- Network isolation of devices that are difficult to secure
- Added protection, as needed, for device connections, such as separate inbound and outbound firewalls
- Awareness of potential connection issues with protocols such as SSH
- Training in security issues and awareness for all employees
“Companies must have a security-first mentality,” says Greenwave Systems’ Hunter. “Treat every device we make as a child, to be protected from any outside influence through multiple avenues of security. If the device is for crucial life or physics management, then companies should make sure that controls are in an additionally protected space that cannot be overridden. Encrypt all messages that transmit. Avoid architectures that allow direct access to such devices via remote connections.”
Anyone bringing a device—consumer or otherwise—into a company needs to be aware of security policies, which must include password rules to eliminate use of defaults, password change on a routine basis and ensuring that the devices remain physically secure.