Analysing the five major aspects of poor Internet of Things security
The security market for the Internet of Things (IoT) will reach $37 billion by 2021, according to the analysts at MarketsandMarkets.com. Because there is growing demand for cyber security, there is a lot of money spent to ensure it.
At the start of 2017, experts predicted that gaping holes in IoT would lead to the destruction of critical infrastructure, the growth of competitive intelligence, and the theft of intellectual property. It was also predicted that an increase in DDoS attacks would paralyze the Dyn DNS system and, with it, many important web domains.
With that in mind, it’s worth looking at five major aspects of the lamentable state of IoT security, stemming from explosive growth, scale, vulnerability, capacity, and availability of devices.
The first aspect
Gartner says 8.4 billion connected ‘things’ will be in use in 2017. Today, at least six million new IoT devices appear on the network every day, which means the constant appearance of new vulnerabilities. For example, last year at DefCon, researchers found 47 new vulnerabilities in 23 IoT devices by 21 manufacturers.
Given that one device usually has several holes, the situation is deplorable. The vulnerability of IoT devices is caused by several factors: the lack of sufficient experience by manufacturers to ensure reliable protection of their products, modest computing and disk capacities that limit the range of available security mechanisms, complicated software update procedures, and the lack of user attention to threats caused by IoT devices.
The second aspect
IoT devices are a very attractive, powerful, and ubiquitous environment for intruders. The growing number of easily compromised consumer devices increases the probability, frequency, and severity of attacks including attacks on corporate data, businesses, equipment, employees, and consumers. For an attacker, it’s easy to get control over entire networks, starting with the compromise of one of the many vulnerable consumer IoT devices.
A vivid example is the popular NEST thermostat. In 2015, TrapX Security engineers connected to the mini-USB port of the thermostat and conducted a man-in-the-middle (MITM) attack, during which a special application spoofed the ARP address of the network gateway. Hackers use MITM attacks to gain control over systems on one or both ends of the communications channel, including corporate networks.
This hole is just one of many examples of how seemingly innocent IoT devices can cause the compromise of entire networks and organisations, thefts, and possibly even disruptions of current processes. By gaining control over the IoT network at home or in the organisation, hackers can not only steal data but endanger life, health, and property.
The third aspect
IoT is the gateway to huge amounts of personal user information that helps hackers in the selection of targets and vectors of attacks. It becomes easier for them to choose passwords used in key companies, government, military, political, and public organisations.
User data is collected on the Internet of Things to help companies conduct targeted marketing by creating a digital representation of all user preferences and features. Attackers steal and combine data from different sources to reveal the interests and habits of people so that they can pick up passwords and answers to secret questions. In some cases, people use the same passwords for corporate networks.
The fourth aspect
Increasing the availability of SCADA and the management of industrial systems through IoT makes possible widespread devastating attacks. When industrial control systems based on IoT are connected to the Internet, it becomes challenging to protect against attacks on the national infrastructure – utilities, power systems, and so on.
As an example of such a scenario, one can recall the recent attack on European energy facilities, which resulted in tens of thousands of people without electricity. In this case, the object of the attack was the control system of this critical infrastructure, which led to its failure.
The fifth aspect
The widespread and – for the most part – open IoT allows hackers to conduct simultaneous attacks on any agency, service or enterprise, as shown in the movie Die Hard 4. Hackers can create and use large botnets that simultaneously jam various infrastructures with DDoS attacks. Imagine what would happen if 10%-15% of the devices in a country are used for a DDoS attack against one of the world’s financial centres?
According to the previously mentioned Gartner forecast, by 2020 there will be 20.8 billion IoT devices. To protect this equipment, companies must first assess the risks, implement the security procedures developed for each device, and train staff. IDS/IPS security technologies should also guard against potentially malicious behaviour of IoT devices. When a company uses consumer devices such as the NEST thermostat mentioned above, it must also introduce second generation firewalls that allow the device to connect only to certain IP addresses. The emergence of vulnerable devices in homes is an important reason for educating employees about these risks.
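The allow-only-certain-addresses rule and the IDS-style monitoring described above can be combined into a simple check over network flow records. The following is an added example, not part of the original article; the device addresses, allowlists and flow-log format are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical policy: device source IP -> networks it may reach (constructed values).
ALLOWLIST = {
    "10.20.0.15": ["203.0.113.0/28", "10.20.0.1/32"],   # thermostat: vendor cloud + gateway
    "10.20.0.16": ["198.51.100.7/32", "10.20.0.1/32"],  # camera: recorder uplink + gateway
}

# Constructed flow records, one per line: "epoch src dst dport proto"
SAMPLE_FLOWS = """\
1500000000 10.20.0.15 203.0.113.5 443 tcp
1500000003 10.20.0.15 10.20.0.1 53 udp
1500000010 10.20.0.16 198.51.100.7 443 tcp
1500000020 10.20.0.16 192.0.2.44 23 tcp
1500000021 10.20.0.16 192.0.2.45 23 tcp
1500000022 10.20.0.16 192.0.2.46 23 tcp
1500000030 10.20.0.99 203.0.113.5 443 tcp
"""

def compile_policy(allowlist):
    """Parse CIDR strings once so each flow lookup is a cheap membership test."""
    return {src: [ipaddress.ip_network(n) for n in nets] for src, nets in allowlist.items()}

def find_violations(flow_text, policy):
    """Return (src, dst, dport, reason) for every flow the policy does not permit."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _ts, src, dst, dport, _proto = parts
        nets = policy.get(src)
        if nets is None:
            # A device with no policy entry is itself a finding (unmanaged device).
            violations.append((src, dst, int(dport), "unknown-device"))
        elif not any(ipaddress.ip_address(dst) in n for n in nets):
            violations.append((src, dst, int(dport), "not-allowlisted"))
    return violations

def fanout(violations):
    """Distinct off-policy destinations per device; a high count suggests scanning."""
    seen = defaultdict(set)
    for src, dst, _port, reason in violations:
        if reason == "not-allowlisted":
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS, compile_policy(ALLOWLIST))
    for row in found:
        print(row)
    print(fanout(found))
```
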
You can protect yourself with additional authentication – for example, two-factor authentication. Companies themselves must adapt to changing password requirements. This requires professionals who are aware of the risks of the new technology, and the constant updating of the software and hardware infrastructure (without introducing new risks).
It is difficult to secure SCADA and industrial legacy control systems because such systems tend to be closed to the basic mechanisms for ensuring cyber security. At a minimum, companies must isolate them in their networks and tightly monitor and regulate access to them. Industrial control systems have high availability requirements. This means that non-critical updates are not allowed. In an ideal world, such systems must be isolated from the Internet.
IoT protection from DDoS attacks includes ensuring the security of devices. This approach is consistent with the standard security model of zero trust and least privilege. Organisations can protect themselves from hackers using IoT botnets by hardening security in networks containing IoT devices. To do this, it is necessary to carefully test the available tools and see how effectively they protect. With the help of new technologies, it can be possible to detect intruders.
What to do from here? Maintaining security of the Internet of Things is not without difficulties, but it is not hopeless either. However, it is worth taking the following steps:
- Regulators should fine companies that sell equipment with security problems until they recall and make corrections to their products
- Legislators must introduce laws requiring periodic restoration of IoT software to its original state. This will periodically get rid of the malware used to penetrate the network
- Finally, new hardware should use a limited range of IPv6 addresses, so for those who are under attack by botnets, it is easier to force their provider to reject all packets originating from IoT devices.