Stopping the Infiltration of Things

If a network-connected smoke detector starts communicating with the mail server, you know you have a problem.

The Internet of Things connected devices that contain network sensors to allow for remote monitoring and control, are expected to hit 75-billion devices installed by 2025 . These devices include everything from home routers, remote cameras to healthcare devices. This wide-ranging internet-of-things market sector includes industrial, consumer, banking, retail, manufacturing and healthcare to name a few. It is this vast arrange of devices used globally that has now become the playground for cybercriminals as general cybersecurity trends in 2018 bare out . IoT threats are on the rise and are transforming to penetrate various IoT devices as they are introduced to the market.

IoT devices come in many shapes and sizes from IP cameras to external, network-connected hard drives. These are known as “dumb” devices and are built with a single, or limited purpose. They are designed to be easy to deploy, with minimal configuration and setup required. The vulnerability, though, lies within the actual design. The ease of use is this very same feature that allows malicious actors to take over any IoT device. In a rush to market, IoT manufacturers have given little thought to security which has given rise to a myriad of malware including Mirai, Shishiga, Hajime, Okiru and Torii which have all kicked off an arms race of sorts within the Dark Web to see who can evolve these malwares into next generation attacks on corporate and government websites, ISP, Telecoms and more. This malicious malware is used to take over these devices to amass botnets used for such things as Denial-of- Service attacks (DDoS, spam and a variety of other crushing cyber plagues.

Just recently, there was a new IoT botnet discovered that infected 100,000 home routers designed to send Hotmail, Outlook, and Yahoo spam. In this case, “the vulnerability was discovered in 2013 by security researchers from DefenseCode and resides in the Broadcom UPnP SDK, a piece of software that was embedded in thousands of router models from multiple vendors.”

Another threat has been pointed out by the US-China Economic and Security Review Commission which has warned that both government agencies and US companies face significant risk posed by the Chinese control of the IoT supply chain combined with what they term as “lax security protections and universal connectivity of IoT devices.” The commission also predicts with the deployment of 5G, the cyberattacks leveraging IoT devices will only increase in size speed and impact.

It is the number of devices in use and coming online combined with the severe threat to not only US citizens, but also whole industries like critical infrastructure and power utilities that could prove disastrous rather than just an inconvenience that is pushing Congress to take action to force IoT Manufacturers to embed security into devices.

Senator Mark Warner (D-Va.), who is the vice chairman of the Senate Select Intelligence Committee, is calling for U.S. agencies and Congress is one of the first representatives to introduce legislation to advance IoT security. California also passed legislation that would require manufacturers to have “reasonable security feature or features,” and last month Europol, the European Union’s law enforcement agency, and ENISA, the European Union Agency for Network and Information Security, held their IoT security conference to discuss the problem with industry―and how to go about securing IoT, before it’s too late.

While many manufacturers will argue that requiring additional security for IoT devices will necessarily increase the cost of such devices, it is a price that must be accepted to prevent a calamity that could have an impact country-wide and even globally.

While legislative action will ultimately result in the best long-term solution, it isn’t an immediate fix. There are several ways to prevent IoT devices from becoming infected, but there are also other steps that must be taken to prevent these devices from causing further damage to other devices connected to the network.

It is a simple, easy first step that is often overlooked to start to secure IoT devices and it all starts with passwords. Passwords are often set to a default which can be conveniently discovered by looking in the online documentation. Because the devices are a snap to set up, users don’t often change these passwords, and, when connected to the internet, provide the door for malicious actors to infect open devices to add to their arsenal of weapons.

Another opening for cybercriminals is known vulnerabilities. Once a vulnerability is discovered in IoT devices it spells open season for hackers who know that most IoT devices are not updated after they are deployed. What is even more troubling is that many devices can’t even be updated after they are shipped. This means that once a device is deployed, the device is as-is because manufacturers haven’t provided a way to make modifications to the firmware or patch vulnerabilities found post-production. This is exactly how malware writers like it because it means once they find the vulnerability and infect a device, the only way to stop the malware, is to replace the device.

As previously mentioned, IoT devices are single or limited-purpose devices. This means that they don’t need full access to the network to perform their intended task. Deploying the device on the network with limited access to other devices, will prevent them from infecting other devices on the network. Ideally, IoT devices should only have access to what is essential to perform. Anything else should be blocked.

Finally, deploying IoT devices on a corporate network where they will have access to business-critical applications and devices, ensure there is a way to monitor the traffic they are generating. Alerts should be instated for any activities that are malicious or anomalous. For example, if network-connected smoke detectors start communicating with the mail server, you know you have a problem. Network traffic analytics is a clear path to knowing when this type of activity occurs.

With a force of will and some legislative push behind it, IoT manufacturers will be have to evolve the security of these devices or face possible long-term liability should a catastrophic event occur.

(Justin Jett is director of audit and compliance at Plixer with roles ranging from system administration of web services to technical product marketing.He is a graduate of the University of Maine at Farmington and is an avid learner of all things security, with a particular interest in TLS and DNS attacks.)