It’s the dawn of a new era for a set of networking protocols known as universal plug and play (UPnP) and Internet of Things plug and play.
The Internet of Things (IoT) is described by Wikipedia as “the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data.”
IoT devices utilize Internet connectivity with embedded technology that allows them to be controlled remotely through computer interfaces. With little to no serious consideration given to security protection in this industry, security breaches of such devices have reached headline heights. Risk assessment and protection for companies and your home are critical.
In a Forbes article on merging IoT and blockchain, Imad Labbadi, a leading expert on IoT security and CEO of VeCap, states, “There is insufficient protection. Several devices from well-known companies and other vendors have serious breaches in their security systems: insufficient encryption, weak authentication requirements—for example, auto-login, possibility of external connections via VPN. All it takes is one unprotected device to compromise the security of your smart system or smart home. Hackers only need to find that one breaking point to bring down the whole network.”
Security Breaches in Unthinkable Places
Cyber criminals earlier this year hacked a casino by accessing an underwater Internet-connected thermostat located in the lobby aquarium. The cyber breach allowed backdoor access to the casino’s network and ultimately resulted in the breach of their high-roller gambler database. The story went viral and sent chills up and down the spines of those of us in the corporate IT cyber security world.
These devices are showing up more frequently in commercial business as well as at home. The following is a partial list of IoT devices that can be security risks. Unfortunately, this list is continually growing, as it seems many manufacturers are sacrificing security for functionality.
A Gartner report last year pointed out the fact that IoT security has “its own unique contexts specific to the vertical.” The fact that there are no universal protocols has resulted in fragmented approaches to security with no true end-to-end secure solution.
Web interfaces built into many IoT devices allow users access to various functions. This feature, one of the most alluring of the technology, also opens the door to unauthorized access to the device by cyber criminals. Cross-site scripting (XSS), weak credential input, SQL scripting, and user enumeration are a few weak points to consider when assessing specific security vulnerabilities.
Ransomware has spawned a new industry of cyber crime in the IoT space as well and has even made “cyber crime as a service” an actuality. According to an article on security intelligence from IBM, potential hackers with little to no experience have rented ransomware and ransomware delivery systems, causing an unprecedented rise in attacks. Hackers have developed creative ways to hijack IoT devices and demand a ransom, typically in the form of bitcoin. What’s the lowest hanging fruit here? Many devices expose the passwords embedded in the configuration files.
Ransomware May Affect IoT Devices
According to an article in The Guardian, the now-famous WannaCry ransomware, which affected over 55 traffic cameras in Victoria, Australia, disrupted the British National Health Service along with several other organizations in May of last year. The aggressive attack, thought to be the largest ransomware attack in history, affected over 200,000 systems worldwide and continues to remain a threat. The attack targeted the Microsoft Server Message Block (SMB) v1.0 protocol. Microsoft released a patch for supported operating systems, but older legacy systems remained vulnerable. In the wake of the attack, Microsoft released an emergency patch for unsupported operating systems. Although this was not a direct IoT hardware threat, the potential is there to affect and infect all devices with a user interface.
IoT Devices Used in DDoS Attacks
In October of 2016, the Mirai IoT botnet attack disrupted much of the Internet on the U.S. Coast with a large-scale distributed denial of service (DDoS) attack. Without going into too much detail, a botnet is simply a network of compromised computers connected via the Internet and used for malicious purposes. The bots form a network controlled by a third party who then transmits malware or spam or launches some form of attack. Mirai specifically targeted the unprotected IoT devices by finding a “back door” opening within the Telnet ports. They then used a combination of known default passwords to hijack devices and form an army of cameras and routers. At its peak, Mirai infected over 600,000 vulnerable IoT devices. The Mirai code was released into the wilds of the Internet and is available for anyone to try their hand at it. Any smart Internet-connected device is at risk.
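The behaviour described above, one source trying Telnet logins across many devices, leaves a recognizable pattern in authentication logs. The following detection sketch is an added example, not code from the original article; the log format, addresses, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, hypothetical format: time, source, target, port, result.
SAMPLE_LOG = """\
2024-01-15T11:00:01 src=203.0.113.7 dst=10.0.0.11 port=23 result=fail
2024-01-15T11:00:02 src=203.0.113.7 dst=10.0.0.12 port=23 result=fail
2024-01-15T11:00:03 src=203.0.113.7 dst=10.0.0.13 port=23 result=fail
2024-01-15T11:00:04 src=203.0.113.7 dst=10.0.0.13 port=23 result=ok
2024-01-15T11:00:09 src=203.0.113.7 dst=10.0.0.14 port=23 result=fail
2024-01-15T11:05:00 src=10.0.0.50 dst=10.0.0.11 port=23 result=fail
2024-01-15T11:05:20 src=10.0.0.50 dst=10.0.0.11 port=23 result=ok
2024-01-15T11:06:00 src=198.51.100.9 dst=10.0.0.12 port=22 result=fail
"""

LINE = re.compile(r"(\S+) src=(\S+) dst=(\S+) port=(\d+) result=(ok|fail)")

def parse(log):
    """Yield (time, src, dst, port, result) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, src, dst, port, result = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port), result

def find_sweeps(log, min_devices=3, window_seconds=60):
    """Map each source that tried Telnet logins on >= min_devices distinct
    devices within window_seconds to the devices where a login succeeded."""
    events = defaultdict(list)
    for ts, src, dst, port, result in parse(log):
        if port == 23:  # Telnet, the service Mirai is described as abusing
            events[src].append((ts, dst, result))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({dst for _, dst, _ in evs[start:end + 1]}) >= min_devices:
                findings[src] = sorted({d for _, d, r in evs if r == "ok"})
                break
    return findings

if __name__ == "__main__":
    for src, devices in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: Telnet login sweep, successful logins on {devices}")
```

A device that accepted a login from a sweeping source should be treated as compromised: isolate it, reset its credentials, and disable Telnet where the device allows it.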
Crypto-mining Bogs Down Network Speeds
Crypto-mining experienced an 8,500 percent jump in 2018, according to the Internet Security Report released by Symantec earlier this year. Because of the simplistic code, threat detection tools often are ineffective. The code consumes the central processing unit (CPU), bogs down the network, consumes resources, and increases energy costs. The same report cited a 600% increase in attacks against IoT devices, with 21% originating from China.
Nicole Eagan, CEO of the cyber security company Darktrace, states, “There’s a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”
Simple IoT Security Measures
Stephen Nardone, Director of the Security Practice at Connection, is a leader in the field of IT security risks, frameworks, assessment, strategy, and compliance. Stephen has been a CYTO/CSO for the Commonwealth of Massachusetts and has developed security strategies for multiple government and private sector organizations. With more than three decades in the field, Stephen understands that cyber threats and cyber attacks are part of today’s technology reality. It’s not a matter of if, but when the breach will happen. “Prepare for ‘the when,’” is one of his standard mantras.
Stephen recommends some very basic strategies to offer some protection from IoT cyber intruders:
- Connection assessment: The first line of defense is common sense. Consider what you’re connecting to your network and understand that, with IoT standards and protocols, security blind spots are inevitable. Only connect devices you need and only if secured end-to-end.
- Change passwords: Many plug-and-play IoT devices are set up with open, default, or no passwords. Set a password, and change it often. Remember, the Mirai attack targeted default passwords.
- Purchase known technology: Stay away from knock-offs, unknown names, and unproven devices.
- Install patches and update firmware: Many security issues are due to end users ignoring the latest patches and firmware updates. Cyber criminals target missing patches. Reputable companies are on the cutting edge of security and offer managed patching strategies to avoid cyber penetration.
- User awareness training: Training employees and learning of all the potential threats is the first course of action. The old saying “knowledge is power” goes a long way. Password and patch management, purchasing decisions, how things are connected to your network, and, of course, social engineering are key awareness training areas.
- Data protection: Ensure that all users know their role in the oversight of protecting critical data at rest, data in process, and data in motion. Take the time to identify and classify your sensitive data.
What’s Your Weakest Network Security Link?
Supply chain attacks focus on the weakest link within a company’s or home’s supply chain. Combine that with the fact that there are currently over 9 billion IoT devices, with an estimated 20 billion to be online by 2020, forming a vast network reaching ever further into every aspect of our lives, and you have a recipe for a new type of cyber threat. Gartner continues to place IoT security technologies as one of the fastest growing industries in security as the cyber crime threat landscape continues to evolve.
IoT and Blockchain May One Day Work Together
Imagine your network of smart devices working in harmony under limited human interaction and secured by an un-hackable blockchain. The current problems prevalent with both technologies may one day combine to form a new super network. Two emerging technologies currently limited and restricted separately could work together and provide a partnership and form a new break-out technology. IoT, AI, and blockchain working in tandem will eventually bring rise to a new industry of IoT platforms that utilize data gathered from IoT device interaction all secured by distributed ledger technology (DLT). The UK government released a report titled “Beyond Block Chain” a few years ago on the advantages of DLT and usefulness in the public sector.
Connection offers a security assessment service to see where you may be exposed through our security risk management program strategy. Wired and wireless penetration testing with the right tools will identify weak areas. Connection works with you to help uncover these areas of vulnerability that may never have been considered. We then discuss possible solutions and implementation processes to determine the best course of action. Don’t wait until it’s too late… prepare your organization for cyber attacks now.