The world of IoT security just became more complex. IoT devices are no longer a potential threat to their owners, now they pose a significant threat to everything connected to the Internet.
The old IoT security problem
For the past year, the cybersecurity and IoT communities have been at odds regarding how to keep devices from harming their owners. Much of the focus emerged around industrial controls (IC) and transportation equipment. Vulnerable IC devices could cause cascading effects to power stations, water distribution, chemical plants, heavy machinery, and other industrial facilities, posing a threat to workers or downstream users. There have been hacks, compromises, and stern warnings. Concerned governments are putting pressure and establishing requirements to protect services at a national level.
Vehicles, most notably airplanes and smart cars, have taken the bulk of the public’s attention. Hacks against Jeep, Tesla, and Volkswagen have shown how doors can be unlocked and total operating control commandeered with steering, breaks, and acceleration taken over by an attacker. A car which is rendered unusable by its owner or made to crash and injure occupants is frightening but somewhat trivial if you don’t own that type of vehicle. The public has seemed to be entertained by these research exploits but not too concerned. It may seem beyond the everyday consumer and effects likely limited to only those who could afford such conveyances. These attacks are too distant and not very pressing to everyday people or businesses.
On the lower cost side, there are home appliances, wearables, toys, and drones which are already a part of the everyday world of the consumer, but smart toaster or rice cooker being hacked seems harmless, beyond some burnt bread.
Eventually, we will have more risks than we can imagine. As IoT devices are woven into the fabric of people’s daily lives we will be at risk of their misuse. In the future they will begin to control the stoplights on the way to work, the equipment in the emergency room, control of progressively more vehicles on the road and in the sky, and the distribution of such necessities such as electricity, food, medicine, water, and communications. We will begin to understand how these little technical minions become critical to smooth delivery of services in our future digital lives.
This is the space where thought-leading IoT manufacturers are working feverishly. The automobile industry in particular, have been fast to invest in security to ensure their products don’t cause accidents. Such work has begun, but still has a long way to go in cars and across all the other billions of devices we will weave into our lives and businesses in the next few years.
The next generation of IoT devices are appearing and will work to help protect our property, monitor our health, automate our homes, keep our children safe, increase our communication, eliminate time wasting chores, make us more efficient, and optimize our businesses. A great future to be sure, but it will need to be trustworthy and secure, as our reliance on the smallest elements will ultimately impact the biggest parts of our lives. These are all known and accepted security challenges in the world of IoT. This is not the end of the security story, only the beginning.
The new IoT security problem
We are now facing a new set of problems which have emerged for IoT. Unlike the known challenges, where IoT devices might impact local owners and bystanders, the new threat is a powerful weapon which can be pointed to anything connected to the Internet. Recent Distributed Denial of Service (DDoS) attacks have been fueled by hacked IoT devices, called bots. DDoS attacks saturate internet connected devices and services to bring them down or make them unavailable. Such attacks have been around for years, in fact were some of the first types of Internet attacks, but the scale is now changing the game at a pace and scale not tenable by security workarounds.
The game has changed. These IoT DDoS attacks are typically run by ‘bot-herders’. These herders compromise devices and install malware which allows them to be controlled remotely. By pointing hundreds or thousands of devices to flood a target with requests and data, they can overwhelm it to the point it can no longer maintain functions. There are several anti-DDoS services available which offer protection for a price. But the scale of the new IoT backed attacks, which are larger than anything ever seen, makes protection difficult and costly. Josh Shaul, Akami’s vice president of web security, warned that if such an attack were sustained it could cost the victim millions of dollars in cyber security services to stay online.
Traditionally, PC’s were the prime targets to turn into bots, as many people did not bother with installing anti-malware. But over the last few years, PC’s became much more protected and therefore difficult to maintain persistent control over by the bot-herder. The other problem is the shift to laptops. A bot is only good if it is online, can receive instructions from its master, and then execute those orders continuously. Laptops don’t fit this model well, as they spend much of their time off, to save battery life.
What bot-herders really wanted was a massive number of devices, which were easy to hack, that would be ignored by their owners, and were constantly connected to the Internet. Recent attacks have proven IoT devices are the perfect solution for cybercriminals.
The rise of IoT is a dream come true for bot-herders. Most IoT devices are not powerful enough to have any type of anti-malware. A majority of consumer products come with a default login and password, which are published by the manufacturer and easily found on the web. Many stay continuously connected to the Internet and end-users rarely monitor or update these devices, especially consumers. The biggest factor is around scale. Unlike the hundreds or thousands of PC’s which might be in a herd, IoT botnets can number in the hundreds of thousands!
With legions of exploitable devices, attackers are mustering massive DDoS armies and the results of IoT botnets are devastating.
How to secure the future of IoT
The problem is not just what to do now, with the current exploits, but also how to protect the future. Attackers are using the most simple and easy path to take control, the default passwords. But they will adapt as controls come into play. This is the pattern witnessed the past with many other attack vectors. It is a repeating cycle where attackers follow the path-of-least-resistance to achieve their objective. IoT devices are just too perfect for botnets for the attackers to give up easily. This is shaping up to be a long and drawn-out fight.
We must secure the future of IoT. This means blocking the current exploits as well as interdicting the likely future maneuvers of attackers. This is what must be done to protect the lifecycle of IoT devices, from inception to retirement.
- Designed and Architected for Security
IoT manufacturers must take the time and diligence to embed security into the architecture, interfaces, and designs of their products. Basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users should be established and tested.Products in the future will get more powerful, store more data, and possess more functionality over time. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer. Future-proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive.
- Secure Provisioning and Configuration
Most IoT devices require some kind of setup and provisioning upon installation. Device identity and authentication is a must, as part of this 2-way process. Proper default configurations, that adhere to best security practices, and important and should be easy for users to understand. Rules should be in place which do not allow default passwords, require patches and updates to be signed, data to be encrypted, and only secure web connections to be allowed, are also a good start.For enterprises, limiting network access, patching in a timely manner, and only allowing approved software to run, will go a long way to keeping the devices secure. For gadgets which are capable, implementation of security software, such as anti-malware, intrusion prevention systems (IPS), and even local firewalls will improve the device’s defense posture. Detection and telemetry should also be configured to detect when systems are under attack or are functioning in ways not intended by the organization. Policies must be established for privacy, data retention, remote access, key security, and revocation procedures.
- Proper Administration and Management
For devices owned by end-users, like consumers, it is imperative they alone maintain the final say in how the device is managed. Manufacturers and online service providers play a role in provisioning but it is the owner who must retain ultimate control as to what the device will or will not do. Provisioning is different than administration. For example, during installation of home cameras it makes sense to connect to the manufacturer for the latest patches and maybe even setting up cloud storage. But you would not want your home cameras being controlled by the manufacturer. They should not have the ability to operate them outside of your authority.Owners must retain the power to turn on or off their products and choose which online services they allow to connect. This requires proper end-user identification and authentication. As stated before, allowing a common default password is not good as anyone can take over as the Administrator. Imagine if Windows came with a default login password for every system. It would create a security nightmare as many would never change it and attackers would login as users. So, first and foremost IoT systems must be able to authenticate its owner.Management functionality must also extend to empower the owner to set limits, data policies, and privacy parameters which are more restrictive than those of any potential 3rd party vendor. Signed security updates should be automatically installed by default as they become available. Savvy owners should be able to configure limits for inbound and outbound connections, data types, ports, and security settings. Logs which can be pushed to a trusted system or viewed locally should capture errors, unexpected, and unusual activities. A system for remote warning notifications, via email or text, is a welcomed feature I am seeing on some devices. Finally, a reset capability must be present in the event of an unrecoverable compromise or transfer of ownership.Enterprise and industrial classes of devices are typically managed centrally, by the purchasing organization. This may be part or different than provisioning by the manufacturer or service provider. Entire classes, potentially numbering in the thousands may be controlled to operate individually or as part of a collective. The same choices and control are required. Instead of a single owner, it is an organization’s functionaries who will administer the IoT devices, monitor for issues, and respond to problems.Proper administration and management is all about oversight and final control by the device owner. It should be simple to understand and easy to manage. Devices should possess the necessary processes to determine if something is wrong, communicate such events to their owners, and provide options to resolve issues. IoT devices are here to make our world better and smarter, they themselves must bring intellect to the ecosystem to protect themselves and work with their owners for their benefit.
How Do We Make IoT Security Become a Reality?
Security and privacy take effort, resources, and commitment. To change from the status-quo, we must hold manufacturers accountable for their devices. If they fail to design and architect security into their products, make them liable and stop buying their wares. For critical functions where the safety of people is at risk, enact regulations and subject them to government penalties.
As part of the best-practices, which manufacturers and service providers must deliver against, institute the aspects which make provisioning and initial configuration secure by default. Industry consortiums are working to define the best-practices, configurations, and default settings for different device classes.
Lastly and perhaps most difficult, is to up-level the awareness and involvement of end-users. It is their security and the operational availability of potential Internet targets which is at risk. Without some assistance from consumers and businesses, these controls will be easily undermined or neglected. Social interaction must take place. We all have a responsibility, as a digital community, to maintain reasonable hygiene for devices connecting to our common resource, the Internet.
The Choice is Ours
It may seem like a lot to consider, but remember the attackers just need to find a reasonable vulnerability to press. The opportunity is, to make it challenging enough so they are not motivated to pursue these devices. We find ourselves in a situation where billions of IoT products will be flooding every industry and quickly find their way into our homes, schools, governments, and businesses. We must make the necessary efforts to not bring vulnerabilities in with them. The effects overflow well beyond our own lives, data, and devices. They may be turned into legions of bots which could cause havoc to even the biggest of organizations on the Internet. We all become victims if we don’t work together to make our future technology trustworthy, safe, and secure.