This New Year, every security professional is considering how to secure the Internet of Things (IoT) following major IoT botnets and other dangerous hacks. As the world of hyper connected things continues to grow, so does our attack surface. More importantly, with so much critical infrastructure relying on industrial IoT, it’s time we do something about its security.
Cybercriminals are becoming more sophisticated. Even if an IoT device isn’t their ultimate target, they’ve figured out how to crack the weakest link in enterprise security and exploit our IoT devices as a pivot point to the rest of our networks. Last year, there were likely hundreds if not thousands of enterprise breaches we did not hear about – and never will – as most companies fear open communication about security compromises. How many of those started because of weak IoT?
Off record, one CEO of a $1B revenue private software company shared experiencing an attack on his VoIP network. His company suffered a Telephony Denial of Service (TDoS) event, which froze operations until they wired a large sum to an offshore bank account. Events like these, while not always evident, are causing a lot of concern and paranoia, which is slowing down IoT implementations within large, distributed companies.
We wanted to hear from one of the most respected cyber security experts about not just general 2018 security trends, but those specifically associated with connected things, and tapped Corey Nachreiner, CTO at WatchGuard Technologies.
Nachreiner has been a frontline cyber security expert for two decades, and has written thousands of security alerts and educational articles, and shared a few important predictions and cautionary tales with us.
Prediction: IoT Botnets Will Force Governments to Regulate IoT Device Manufacturers
In 2016, the Mirai botnet showed the world just how powerful an army of IoT devices can be. Attackers used Mirai to launch successful, record-breaking DDoS attacks against a well-known security journalist, a European hosting company, and popular websites like Twitter, Reddit and Netflix. IoT device adoption continues to skyrocket, adding billions of new network endpoints every year. Attackers continue to target these devices due to their weak or non-existent security, both in development and deployment.
Attackers have already started improving on the Mirai source code, which translates to larger and stronger IoT botnets in 2018. For example, instead of relying on default credentials, the Reaper botnet actively exploits common vulnerabilities in IoT devices to hijack them. As these attacks continue to grow in efficacy, the damage they cause grows to match. Nonetheless, consumers still seem to purchase these cheap, insecure devices anyway, leaving IoT vendors to continue ignoring security. Until these vendors are incentivized or forced to add stronger security to their products, they will likely continue to push out cheap but risky devices. Be on the watch for a major IoT botnet attack in 2018 that finally causes governments to address IoT security.
Potential IoT device regulations will most likely affect manufacturers of consumer-grade IoT devices first, since the end users of these products don’t have the knowledge to secure their own devices. These regulations will likely mirror similar liability-oriented regulations in other industries, where the manufacturer is held at least partially accountable for flaws in their products. That said, we also expect governments to place even stricter regulation on industrial IoT associated with either critical infrastructure or life-sustaining devices.
Prediction: Expect Linux-targeted Attacks to Double in 2018 Thanks to IoT
Since Q4 2016, WatchGuard has published a quarterly Internet Security Report, which shares details about the malware and network exploits our products detect and block around the world, and the results of research done by the WatchGuard Threat Lab.
The growth of Linux attacks—largely targeting Linux-based IoT devices—was a recurring trend in many of WatchGuard’s 2017 quarterly reports. For instance, Linux malware represented 36 percent of the top malware in Q1 2017. In Q2, we saw an increase in network software exploits targeting Linux systems. Finally, research from our Threat Lab’s honeynet discovered many telnet and SSH attacks targeting Linux-based systems, similar to the Mirai IoT botnet.
“We will see a dramatic increase to attacks targeting Linux systems in 2018,” Nachreiner cautioned. “We suspect, and our research confirms, that criminals’ increased focus on Linux attacks is driven by their desire to target IoT devices. While IoT devices are technically diverse, a large percentage of them are inexpensive, embedded Linux systems with vendors often release with highly insecure defaults. We expect attackers to continue to take advantage of these insecure devices to fuel their botnets.”
Specifically, Nachreiner reported they expect Linux-specific attacks to double in 2018.
He also provided guidance for specific areas within IoT and IIoT:
For manufacturers of smart products in the IoT space:
Invest in secure development. When it comes to prevention, some of the most common IoT device vulnerabilities are low-hanging fruit. Unnecessary management access via Telnet and/or SSH and weak hard-coded passwords should be removed before shipping devices to consumers. Also, avoid unencrypted network communication channels.
Consider continued support through patches. Providing regular security patches for IoT devices is a great way to build trust with end users. Having a patching infrastructure set up before regulations start rolling in will put product companies ahead of the competition both in terms of compliance and consumer sentiment.
Be willing to work with researchers. IoT devices are a favorite among white hat security researchers for vulnerability assessments. Companies who manufacture IoT devices must be prepared to receive vulnerability reports from external researchers and be willing to work with them to resolve any issues in a timely manner. External researchers can often catch issues that were missed during internal security audits.
For companies using IoT devices:
Make a Plan. IoT devices are here whether you IT teams like it or not, so they need to plan accordingly. Similar to BYoD, IT leaders need to define a set of ground rules that cover what kinds of devices are allowed, where they are allowed physically, and how they are allowed to connect to the corporate network or parallel networks.
Protect your IoT devices. Attackers are going after IoT now more than ever, which means extra steps must be taken to ensure IoT devices are protected. Unfortunately, security software updates are rare in the IoT industry, which means devices may have unpatched vulnerabilities for an extended or indefinite period of time. IT policy should restrict both who and what network protocols are allowed to access IoT devices to reduce the attack surface.
Protect the rest of your network from IoT devices. As we know in security, no protection is perfect. This means eventually an attacker may gain control of one of IoT devices. To reduce the potential damage an attacker could cause from this foothold behind the network perimeter, isolate IoT devices on their own, heavily-restricted network, separate from the rest of your corporate network. This may require more work to create the policies between networks to allow your users to use the IoT gear. However, this extra work pays off security dividends if an IoT device ever gets compromised.
Investigate DDoS mitigation solutions. The end result from most IoT and Linux-targeted attacks is a giant botnet army, from which attackers can launch crippling DDoS attacks against unsuspecting victims. Massive DDoS attacks are unfortunately the new norm and enterprises should investigate potential cloud-based and appliance-based solutions to combat the threat.
Educate your employees. The first and last step to any security plan involves employee training. Provide companywide instruction about the potential risks that insecure IoT devices can cause both to your network and others if the device becomes a part of a botnet.
Finally, Nachreiner suggests every enterprise IT group establish and publish IoT deployment and management guidelines.
The opportunities to conserve energy, save money, develop competitive new products, and generally make home and work life better and entire cities smarter are intuitive and exciting to all of us who are passionate about the potential of IoT and IIoT.
But, those opportunities come with risks, and in order to minimize those risks, Nachreiner is passionate about sharing guidelines on how to plan, build and continually manage the IoT market based on solid cyber security policies, a security strategy and technology platform to protect everything, including IoT devices themselves and systems accessible through IoT endpoints.
Edited by
Ken Briodagh
