Security researchers have been warning about the threat from IoT devices for years! The massive deployment scale and utter lack of security make networked embedded devices (aka the Internet of Things) prime targets. As early as 2015, Stephen Ridley, now CTO at Senrio, briefed the US government and intelligence community on IoT security, or rather the lack thereof (see the excerpt below).
“We are just before the curve on embedded security. There are sparse product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” (Stephen Ridley, briefing US government and intelligence agencies in early 2015)
DDoS is just the beginning, like it was with PCs in the mid-90s. What follows is an escalation into ransomware, spyware and other criminal pursuits.
"I Don't Have IoT On My Network"
At Senrio (and previously Xipiter), our team helped device manufacturers secure their products and trained security researchers on the unique threats coming from embedded devices. We have been warning about this for years. Unfortunately, the problem isn't limited to DDoS and Internet outages. The same technologies that power "IoT" also automate elevators, traffic lights, medical devices, power stations, industrial manufacturing facilities, farms/agriculture, and communications. These embedded devices, or mini computers, have not benefited from the years of improvement and iteration that servers and desktops have. We “got lucky” in this latest attack; it is actually a relatively harmless symptom of a greater problem.
When we talk to CIOs and CISOs at hospitals, factories and utilities, they rarely connect the headlines from consumer IoT to what might be going on in their own networks. “We don’t use IoT,” is a common response. As you look closer, you find IP-connected industrial controllers (PLCs), gateways and routers, lab equipment and insulin pumps everywhere. Nobody is responsible for them, as they are outside the purview of corporate IT and in the blind spot of traditional security tools.
What Can You Do?
- Change the default password on your device (the latest attacks were launched using factory-set credentials)
- Make sure your devices are up to date. Manufacturers will post patches to known vulnerabilities.
- Invest in IoT monitoring solutions that tell you when your devices get hijacked by malicious actors.
- Know what is on your network: Many network managers are unaware of the sheer number of embedded devices lurking on their networks: VoIP phones, security cameras, smart TVs, remote power management units, HVAC systems, gateways, routers, industrial controllers, etc.
- Keep your devices up to date: Some environments make it challenging to update firmware due to re-certification requirements (health care) or up-time concerns (factory floor). Known vulnerabilities remain unpatched even when the manufacturer publishes a fix. The update rate depends on the sector but averages about 10% for the first 12 months after a security update is made available.
- Continuously monitor your network with a tool designed for IoT devices: Unlike traditional endpoints, embedded devices are compromised through abuse, misuse, or misconfiguration. Monitoring devices and the way they behave becomes critical as bad actors fly under the radar of traditional firewalls and intrusion detection systems.
- Don’t make security an afterthought! Security today has the same status that quality control had a decade ago. Performing a security audit when the product is ready to ship is too late in the process, as the necessary changes are expensive and delay going to market.
- Improve hardware security. Hardware manufacturers rarely consider how weaknesses in the hardware give an attacker an easy path to the software. For instance, leaving debugging interfaces exposed hands attackers the keys to the kingdom. Regular firmware audits and protecting the boot process are additional ways to secure the device against attackers running their own code. Ideally, provide visibility into firmware integrity after the device leaves the factory.
- Code reuse means vulnerability reuse. In an effort to drive down costs, manufacturers reuse code across multiple platforms or use firmware provided by third-party vendors. Thus, if a vulnerability is found in one device, it could be exploited in other devices sharing the same code base. Security experts recommend performing more audits (ideally at every change of the code base) and conducting risk assessments. These activities will help prioritize security efforts.
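The two monitoring recommendations above (know what is on your network, and watch how devices behave rather than relying on signatures) can be implemented with a very small amount of logic once you have flow records from a tap or switch. The following is an added example written for this post; it is not Senrio's product or code. It assumes flow records have already been exported as (timestamp, device, destination IP, destination port) tuples, and all device names, addresses and flows below are constructed for illustration. It builds an inventory and per-device peer baseline, then flags unknown devices, new peers, and the sudden fan-out to many new destinations that a device recruited into a DDoS botnet shows on the wire.

```python
"""Baseline-and-compare behaviour monitor for embedded devices (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    device: str      # hypothetical device identifier (hostname, MAC, etc.)
    dst_ip: str
    dst_port: int


# Constructed baseline: a camera and a PLC with narrow, predictable traffic.
BASELINE_FLOWS = [
    Flow(0,  "camera-01", "10.0.0.5",  123),   # NTP
    Flow(10, "camera-01", "10.0.0.20", 554),   # RTSP to the video recorder
    Flow(20, "camera-01", "10.0.0.20", 554),
    Flow(0,  "plc-07",    "10.0.0.50", 502),   # Modbus/TCP to the HMI
    Flow(30, "plc-07",    "10.0.0.5",  123),
]

# Constructed observation window: the camera has been hijacked and is now
# spraying connections at 40 external addresses on port 80 within seconds,
# while the PLC merely talks to one additional HMI (worth a note, not an alarm).
OBSERVED_FLOWS = (
    [Flow(1000, "camera-01", "10.0.0.5", 123),
     Flow(1001, "camera-01", "10.0.0.20", 554)]
    + [Flow(1002 + i, "camera-01", f"203.0.113.{i}", 80) for i in range(40)]
    + [Flow(1000, "plc-07", "10.0.0.50", 502),
       Flow(1003, "plc-07", "10.0.0.5", 123),
       Flow(1050, "plc-07", "10.0.0.51", 502)]
)


def build_baseline(flows):
    """Inventory step: learn, per device, the set of (dst_ip, dst_port) peers
    it normally talks to. Devices absent from the result are unknown."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.device].add((f.dst_ip, f.dst_port))
    return dict(peers)


def detect_anomalies(baseline, flows, fanout_threshold=10, window=60):
    """Compare observed flows against the baseline and return findings as
    (device, kind, detail) tuples:
      unknown-device : a device never seen during baselining (detail = first peer)
      new-peer       : a known device contacting an unseen (ip, port)
      fanout         : more than fanout_threshold distinct new peers inside
                       `window` seconds (detail = peak count); this is what a
                       DDoS participant or scanning worm looks like on the network
    """
    findings = []
    unknown = {}                              # device -> first peer seen
    new_peers = defaultdict(list)             # device -> [(ts, peer)]
    for f in flows:
        peer = (f.dst_ip, f.dst_port)
        if f.device not in baseline:
            unknown.setdefault(f.device, peer)
        elif peer not in baseline[f.device]:
            new_peers[f.device].append((f.ts, peer))

    for device, peer in unknown.items():
        findings.append((device, "unknown-device", peer))

    for device, events in new_peers.items():
        events.sort()
        # Sliding window: peak number of new-peer events within `window` seconds.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > fanout_threshold:
            findings.append((device, "fanout", peak))
        else:
            for _, peer in events:
                findings.append((device, "new-peer", peer))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in detect_anomalies(baseline, OBSERVED_FLOWS):
        print(finding)
```

The baseline is learned from a quiet period and should be re-learned after planned changes (a new recorder, a new HMI); a single new peer is reported as a low-priority note, whereas a burst of many new destinations inside a short window is what deserves isolation, because an embedded device that never needed those destinations before has no business reaching them now.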
What Does the Future Hold?
Manufacturers and network operators alike need to take the threat from IoT devices seriously and move to address this blind spot. Rather than looking for an “inside out” approach that hardens the devices against attack, we need to watch and learn how devices behave on the network. Knowing what is on your network and when malicious activity occurs is the first step in remediating, isolating and stopping the spread of the attack.