Simplifying Advanced Threat Protection Solutions in IoT

by Michael Patterson

As the Internet of Things (IoT) market continues to explode with innovations promising to improve our daily lives, the attack surface available to malware grows at an equally alarming rate. All computing devices, IoT devices included, contain vulnerabilities, and skilled, financially motivated cybercriminals will keep finding new attack vectors that exploit them. It is important to understand how these devices can be turned against their owners and against others, and it is equally important for the industry to offer solutions that simplify advanced threat protection and reduce risk.

Types of IoT Devices and Associated Risks
The volume and variety of internet-connected devices is vast. Household appliances, personal assistants (like Amazon Echo and Google Home), wirelessly controlled window shades, thermostats, doorbells, televisions, video cameras, HVAC systems, lighting, wearable fitness devices, automobiles, industrial quality control devices, and many others could all be compromised and used to do harm. Bad actors who take control of these devices can wreak havoc: IP thermostats in homes could be turned off in winter, causing pipes to burst; car engines could be remotely disabled and their doors unlocked; refrigerator and freezer temperatures could be programmed to rise, spoiling food.

Internet-connected devices like smart TVs and personal assistants, which constantly stream personally identifiable information (PII), could become a source of widespread identity theft. Beyond the consumer, devices deployed within businesses are being compromised and recruited into global botnets.

IoT Botnets
IoT devices deployed with default usernames and passwords are vulnerable to credential-guessing attacks: an attacker does not need to brute force anything, only try a short list of well-known factory defaults over exposed services such as Telnet until one works. Once compromised, these devices often become members of a botnet controlled by cybercriminals. DDoS attacks like those launched by the Mirai botnet are becoming more prevalent, and the attack on Dyn showed how they can be used to disrupt or disable a company's web site or network. The number and size of these botnets is growing. Persirai, a more recently identified botnet, reuses some Mirai code but takes a different approach to its attack chain. There is also a growing trend of bad actors threatening DDoS attacks unless a ransom is paid. A DDoS attack is the coordinated effort of thousands or millions of infected devices; although each device sends only a small amount of traffic, there is strength in numbers, and these coordinated attacks can be devastating.

Simplifying Detection Through A Least Privilege Approach
The growth of IoT and its associated vulnerabilities are realities of today's world, so a few important questions need to be asked. What can be done to help ensure that IoT devices brought into businesses and homes don't end up harming their owners or becoming a type of Internet weapon? How can organizations reduce their risk, detect compromised devices, and ensure those devices are not participating in DDoS attacks? To answer these questions, we must start from the premise that infections are inevitable. Following industry best practice of changing default usernames and passwords is important for reducing risk, but complete prevention is simply not possible. Instead, the answer lies in the ability to monitor, and alert on, the communication to and from these devices.

Network traffic analytics systems can baseline what is considered normal and identify when traffic deviates from it. IoT devices are purpose built, with a narrow set of features and functions and a limited number of domains, devices and protocols with which they communicate. Organizations should therefore define, for each class of IoT device, the IP addresses or networks it may talk to, the transport protocols and ports (layer 4) it uses, and the application traffic profile it needs to perform its defined task. With that policy in hand, network traffic analysis tools monitor flows to and from IoT devices and alert when a device sends or receives anything that falls outside its least-privilege policy. This requires some up-front effort, but it is a strong, proactive way to learn when IoT devices have been compromised and whether cybercriminals are using them for nefarious activity. Two practical caveats apply: the baseline must be captured while the device is known to be clean, or the malicious traffic simply becomes part of "normal"; and because flow records carry addresses, ports and volumes rather than payloads, the approach keeps working when the device's traffic is encrypted. A least-privilege policy approach to IoT device deployment is the best way to reduce risk, and monitoring traffic patterns and alerting on communications that fall outside that policy is the most effective means for IT to keep track of its IoT devices.
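The following is an added illustration of the least-privilege policy check described above, and of the telnet scanning pattern mentioned in the IoT Botnets section; it is constructed for this article and is not Plixer code or any product's logic. Each IoT device address gets an allowlist of (destination network, protocol, destination port); NetFlow-style records are checked against it, off-policy flows are grouped into alerts, and a burst of off-policy flows from one device to many distinct hosts on a single port is labelled as scanning. All addresses, device roles, thresholds and flow records are invented.

```python
"""Least-privilege traffic policy for IoT devices, checked against flow records.

Added, constructed example (not Plixer code): every device IP gets an
allowlist of (destination network, protocol, destination port); any flow
outside the list is reported, and a burst of off-policy flows to many
distinct hosts on one port is flagged as scanning.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network    # destination network the device may talk to
    proto: str                    # "tcp" or "udp"
    port: Optional[int] = None    # destination port; None means any port


@dataclass(frozen=True)
class Flow:
    src: str      # source IP (the IoT device when it initiates the flow)
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Hypothetical least-privilege policy: device addresses and roles are invented.
POLICY: Dict[str, List[Rule]] = {
    # IP camera: RTSP to the video recorder, DNS and NTP to the local resolver
    "10.0.50.21": [
        Rule(net("10.0.10.5/32"), "tcp", 554),
        Rule(net("10.0.10.1/32"), "udp", 53),
        Rule(net("10.0.10.1/32"), "udp", 123),
    ],
    # Thermostat: HTTPS to the vendor cloud range and DNS to the local resolver
    "10.0.50.22": [
        Rule(net("203.0.113.0/24"), "tcp", 443),
        Rule(net("10.0.10.1/32"), "udp", 53),
    ],
}


def permitted(flow: Flow, rules: List[Rule]) -> bool:
    """True if some rule covers the flow's destination, protocol and port."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        dst in r.dst and flow.proto == r.proto and (r.port is None or r.port == flow.dport)
        for r in rules
    )


def check_flows(flows: List[Flow], policy=POLICY, fanout_threshold: int = 20) -> List[dict]:
    """Group off-policy flows per (device, proto, dport) and return one alert per group.

    A group whose distinct destinations reach fanout_threshold is labelled
    'scan_fanout' (Mirai-style credential scanning looks like this); the rest
    are 'off_policy'. Devices that have no policy entry are ignored.
    """
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set()})
    for f in flows:
        rules = policy.get(f.src)
        if rules is None or permitted(f, rules):
            continue
        g = groups[(f.src, f.proto, f.dport)]
        g["flows"] += 1
        g["bytes"] += f.nbytes
        g["dsts"].add(f.dst)

    alerts = []
    for (device, proto, dport), g in sorted(groups.items()):
        kind = "scan_fanout" if len(g["dsts"]) >= fanout_threshold else "off_policy"
        alerts.append({
            "kind": kind, "device": device, "proto": proto, "dport": dport,
            "flows": g["flows"], "unique_dsts": len(g["dsts"]), "bytes": g["bytes"],
        })
    return alerts


# Constructed flow records: two normal camera flows, one normal and one
# off-policy thermostat flow, a workstation that is not under policy, then
# the camera probing 25 different hosts on tcp/23 as a compromised device would.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.50.21", "10.0.10.5", "tcp", 554, 1_200_000),
    Flow("10.0.50.21", "10.0.10.1", "udp", 123, 76),
    Flow("10.0.50.22", "203.0.113.10", "tcp", 443, 4096),
    Flow("10.0.50.22", "198.51.100.7", "tcp", 80, 512),
    Flow("10.0.20.9", "198.51.100.7", "tcp", 80, 512),
] + [Flow("10.0.50.21", f"192.0.2.{i}", "tcp", 23, 60) for i in range(1, 26)]


if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```

Running the sample produces two alerts: a `scan_fanout` alert for the camera (25 flows to 25 distinct hosts on tcp/23, the signature of a device hunting for other default-credential targets) and an `off_policy` alert for the thermostat's single connection to an unknown host on tcp/80. The workstation's traffic is ignored because it has no policy entry, which is the point of scoping the policy to purpose-built devices: the allowlist is short enough to write and maintain because the device should only ever do a handful of things.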

Consumer Pressure Can Help
Consumers of IoT should refrain from purchasing devices that lack embedded security features. Manufacturers are often in a rush to get new products to market before their competitors, and this pressure to increase profits often overshadows any desire to build in security. Without consumer pressure for stronger security features, manufacturers will continue to rush highly vulnerable products to market. If, however, consumers demand that manufacturers improve the security of the products they ship, we all benefit.

The Internet of Things is rapidly increasing the number of connected devices. In most cases these devices were created to make people's lives more convenient, more productive and generally better, which is exactly why adoption rates are exploding. Like all good things, though, there is a darker side to the equation: these devices generally lack embedded security and are often deployed with default usernames and passwords, making them easy targets for cybercriminals to use against us.

Michael Patterson is the CEO of Plixer International.
