At SIA’s Securing New Ground (SNG) Conference in October, I was privileged to moderate a session entitled “IoT – Embracing Opportunity and Managing Risk.”
By now, we know that IoT (Internet of Things) refers to the billions of connected devices that are proliferating almost beyond imagination. Forecasts range from 50 to 200 billion connected devices by 2020. The ability to gather and share information – and to control devices – runs the gamut from cool to essential. As examples, I can control my garage door, adjust my thermostat, and provide access to my house from the road; or a pacemaker/defibrillator will report a heart abnormality to the cardiologist. Unfortunately, the coolness and desire for enhanced functionality is fast outpacing our ability to secure this changing environment.
The IoT Working Group of the Cloud Security Alliance has published a great report called, “Future-proofing the Connected World” which surveyed startup companies developing IoT solutions. Among their findings:
- Startups don’t consider information stored on a device as sensitive
- Security is not applied to the development environment
- No provision for firmware updates
- Investors don’t seem to care about security, but rather are much more focused on functionality
Mirai Casts Doubt on Security of Security Devices
So, is this less of a concern in security because security manufacturers worry about such things. First, whether you have security devices or other connected devices in a user environment, they all represent potential security vulnerabilities and security professionals need to account for them. Second, not all “security” devices are truly secure.
If we need proof, we only need to look at the recent experience with the Mirai tool. Mirai, whose source code is readily available, is a Trojan designed to implant malware in devices running embedded Linux. Mirai infects devices via brute-force attacks on the Telnet port, using a list of default admin credentials, trying to exploit cases where devices are still using default passwords.
DVRs and web cameras are particularly susceptible to Mirai. Once infected, a device can be recruited to be a part of a “botnet” – a group of devices that can be used to launch large-scale Distributed Denial of Service (DDoS) attacks.
On Sept. 13, security researcher Brian Krebs had his website knocked off-line by receiving 665 Gbps of traffic. On Oct. 21 – two days after my SNG session – the DNS site Dyn DNS was brought to its knees with a Mirai-based attack from as little as 100,000 IoT botnet nodes with reported attack rates up to 1.2 Tbps (1.2 trillion bits per second).
All indications are that security devices were a major player in this attack. Further, determining that a device has been co-opted can be difficult. While 100,000 may seem to be a lot, it really is not when considered in the context of the overall number of connected devices – security-related and otherwise. Get accustomed to hearing about the term DDoS, as this type of attack can go way beyond the annoyance of Oct. 21.
There are certain industry and government efforts under way to address the issue for new devices. Both Cisco and ARM – the maker of the processors commonly used in IoT devices – have publicly discussed efforts to harden networks and devices. The EU has proposed a labeling system for IoT devices that are approved and secure. Unfortunately, these efforts will take a while to phase in, while the number of insecure and possibly infected devices grows.
Risk Mitigation
So, do we ignore the potential opportunities and benefits that the IoT provides? The train has already left the station on that score, and it is gaining steam. Security integrators and manufacturers should embrace and shape the security opportunities that are inherent in this situation – namely, recognize the full potential threat environment faced by their customers.
Look at the full array of connected devices (down to the new refrigerator in the break area) and develop procedures for determining whether they should be connected (risk vs. benefit). Arguably, the most innocuous devices may pose the greatest risks; however, with malware’s focus on DVRs and cameras (for more, see www.securityinfowatch.com/12279053), integrators’ detailed knowledge and industry relationships will be essential in mitigating that part of the threat.
Demand action and answers from manufacturers on actions taken to harden and patch their devices. Consider replacing devices when necessary. Further, for those devices that do remain, make sure there is a strategy for strong passwords in place. Work with IT to configure network switches and firewalls to limit who devices can communicate with outside the network boundaries and to determine if that communication is truly necessary. Pick vendor partners who are in tune with the issues at hand and are committed to making their device highly secure; in fact, you should challenge and motivate them to be highly proactive on device security issues.
Don’t ignore the human element – organizations should be sensitized to the threat and incorporate proper device deployment and configuration into their standard security operating procedures.
Industry experts agree that needed tools and knowledge are at hand.
“It is really not a new problem,” says Adam Firestone, a member of the Security Industry Association’s Cyber Advisory Board and Executive Vice President of Engineering at Secure Channels Inc. “The integration of both non-functional requirements like performance, scalability, interoperability and security into development efforts, and specialty engineering disciplines into development teams has been an issue for decades.”
Adds Rodney Thayer of Smithee, Spelvin, Agnew & Plinge: “Without sound engineering, the Internet of Things becomes the Internet of Trouble. It is not necessarily that we need new ideas, but we must address the gaps in practicing the engineering and deployment techniques we already know work. Vendors are cutting corners on software and protocol engineering, and at IoT-scale, this can have disastrous results.”
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Reach him at [email protected], through LinkedIn atwww.linkedin.com/in/raycoulombe or via Twitter, @RayCoulombe.
