A massive IoT security breach hits the web - how should enterprises respond?

Profile picture for user jreed By Jon Reed October 4, 2016
Summary:
A nasty IoT hack has hit the web, sparking a flurry of sensational headlines and concerns about the mainstreaming of IoT-based denial of service attacks. But how should enterprises respond? And how should IoT security be approached?

data-breach

A big IoT security breach is blasting its way through tech media. It's natural to push back on an avalanche of linkbait FUD (fear, uncertainty and doubt), and assume that "it won't happen inside our firewall."

Throw enough IT resources at the problem, and security becomes a cost of doing business, or one more risk factor to manage. Surely our data centers are better protected than our uncle's DVR. The recent headlines raise two questions:

  • How seriously should enterprises take IoT security flameups like this one?
  • How should security be incorporated into IoT projects?

How the IoT fueled one of the biggest cyberattacks in Internet history

The latest scuttlebutt: in the last several weeks, hackers launched some of the biggest cyberattacks in Internet history. These were "distributed denial of service" (DDoS) attacks, executed by taking over multiple hacked surveillance cameras, routers, DVRs, and other "connected" devices, and then using those devices for coordinated DDoS assaults on the web sites of journalists, hosting providers, etc.

Now, the malware source code for those attacks, coined Mirai, has been posted. But the most notable thing about this "Botnet of Things" attack was its relative lack of programming sophistication. As per Motherboard:

Martyn said that whoever wants to use the malware needs to change some configurations and do some setting up, but “anyone with a sense of clue could set it up in around 30 minutes.”... Despite being anything but Stuxnet or any other sophisticated malware, it still works, and now that is available for all to use, it is actively spreading.

Thus Motherboard's warning:

If mediocre malware can power some of the largest DDoS attacks ever, and considering the sad state of security of the Internet of Things in general, we should probably brace for more cyberattacks powered by our easy-to-hack “smart” Internet of Things, as many, including ourselves, had predicted months ago.

The problem isn't just the relative ease of adapting the code. It's about exploiting the rudimentary default passwords connected device owners haven't bothered to change:

“I am just surprised at how such a trivial attack code could be responsible for such a large DDoS. It really says a lot more about the state of IoT security than the specifics of the malware,” a security researcher that goes by the name Hacker Fantastic told Motherboard. “If people still aren't changing default passwords and disabling telnet on Internet connected equipment in 2016 then we are heading to a future with more incidents like this happening.”

Security researcher Brian Krebs, himself a victim of a recent DDoS web site attack, reports that Mirai is one of two malware "families" currently being adapted by hackers for DDoS attacks ("Bashlight" is the other). Krebs notes a Gartner prediction of 6.3 billion connected devices by 2016, and worries that the sum total of these attacks could seriously impact Internet speeds.

Of course, performance is the least of Krebs' concerns. He refers to a sucuri.net post that points blame at home router manufacturers for building vulnerable-by-default equipment. The flaw in IoT design is a topic of criticism from Constellation Research's Steve Wilson:

What's happening is we have this connectivity fetish, a religious belief that networking brings goodness, and it's blinding us to fundamental security principles like 'least privilege' and the need to know.

Wilson calls out IoT designers:

IoT designers have taken leave of their senses," Wilson adds. "They make IoT devices with open public interfaces (APIs). We give these devices public networking standards like WiFi and Bluetooth but we've given them no access controls or privileges management.

Wilson's right - though in the case of home routers, usually there are security measures that can be taken, but they require diligent/informed consumer action - not the right design approach. But what these quoted posts don't address is how enterprises should think about IoT security in the face of this news.

Four IoT security principles for enterprises

One similarity between hacking a router and hacking into an enterprise: enterprise security is only as strong as its weakest link. That's one of the issues I hit on with Volker Gerstenberger and Tomi Ronkainen of Giesecke & Devrient at the Liveworx 2016 Internet of Things event.

During our IoT security discussion, we hit on security issues enterprises should be tracking. Here's my revised list (see the original IoT security piece for additional detail, as well as a deeper podcast).

1. Address IoT security explicitly by design - don't adapt existing security. Ronkainen added that too often, companies think they can adapt their existing security for IoT, and, he says, “from our perspective, it’s falling short.” Designing for IoT security is a specialty unto itself; do not assume existing developers, designers and admins have the know-how.

2. Pay attention to all layers of IoT security to avoid a vulnerable entry point. Whether its healthcare or automotive or oil and gas, Gerstenberger acknowledged that all of them are grappling with the many layers of IoT security: the hardware layer, the software layer, as well as securing network connections, data in transit, and application data.

3. IoT security is only as strong as its weakest link, particularly on mobile devices. Gerstenberger seized upon a home sprinkler app example to show how mobile security can be compromised:

For any type of IoT service, or IoT interaction, we now demand an app for that. “Can I control that with my mobile phone, can I control it on my iPad?” All of that ultimately ends up being on this universal remote control that we are so happy using. But if we also have the digital car key on our mobile phone, if this sprinkler application is malicious or can be attacked, then it quite easily can spur into all the other domains that you are controlling with your mobile phone.

Needless to say, those mobile domains could include access to enterprise data and controls.

4. Complex machines like connected cars are the hardest to secure. G&T is heavily involved in connected car security, an issue that’s been grabbing plenty of headlines. I asked the guys for how we should be thinking about security in those settings, where the prospect of someone hacking into your vehicle remotely is very unpleasant. Ronkainen:

Now we are talking super complex environments. If you know Bruce Schneier who is one of the fathers of cryptology, and an evangelist of security things, he always said that complex systems are the most vulnerable because there is so many things in there, and things can go wrong. The connectivity is one case where we have started [with secure chips], but now we are working on more advanced security solutions including firewalls, intrusion detections, certificate management and key management systems for connected cars.

And, it goes without saying - no default passwords on purchased equipment.

Final thoughts

Enterprises can also learn from Krebs' recommendations for fighting DDoS attacks, which he views as a form of journalistic censorship. Krebs takes ISPs to task for not utilizing a twelve year old networking standard known as BCP38, which is a form of Ingress Filtering. As per Krebs, the use of BCP "prevents insecure resources on an ISPs network (hacked servers, computers, routers, DVRs, etc.) from being leveraged in such powerful denial-of-service attacks."

Gerstenberger and Ronkainen also expressed optimism about emerging biometric authorizations, which may help to bridge the gap between insecure devices and insanely rigorous passwords that discourage users. Of course, many IoT devices have no biometric considerations; they're intended to function without human UIs. But smart planning can still include failsafes that alert humans to potential breaches based on anomalies in data and performance.

Enterprises should take these sensational headlines with a grain of salt. But the core of the news is real, including rogue developers of ill intent, some of them state-sponsored. That requires a sustained vigilance of proper IoT design and threat detection. The tech press has moved on to Yahoo secretly scanning consumer emails for U.S. intelligence agencies, but enterprises would be wise to stay the course. Hammer out an IoT security approach you can adhere to across projects.

Lexology.com hits on a whole different can of IoT worms: employees' right to privacy as IoT guidelines lag behind, in Workers and Privacy in an Internet of Things. (Example: what are the limits to tracking employees' GPS whereabouts?). Employers will need fair and transparent guidelines, which won't be easy given the government's own policies lag behind the tech.

In his July 2015 piece, Beware the Internet of Things – it’s early, security sucks and the C-Suite doesn’t care, my colleague Den Howlett wrote, "We should all be concerned that the pace of these kinds of innovation is running ahead of the infrastructure around security." That holds true today.