There are resulting challenges ahead in IoT security arena. Gartner predicts that over the next two years more than half of IoT manufacturers won’t be able to contain weak authentication methods, which can pose a data risk. They estimate that “by 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.” Last April they projected security spending on IoT will approach $350M this year – nearly a 24% increase from last year, but this may not be enough.
Appropriate tactics will be a key element in the security battle. A recent Forbes article covered the topic of IoT security, advocating “strict regulatory standards,” the need to “enhance security while simplifying compliance” and implementing “an end-to-end approach that integrates both IT and operations technology (OT).”
Let’s look at some best practices to address the concepts of authentication, data privacy and botnets:
Devices which must authenticate against other systems (generally in order to access or transmit data) should be configured to do so securely, such as with unique IDs and passwords. It may also be possible to implement encryption (SSH) keys to provide device identity to permit it to authenticate against other systems (securing the keys themselves is obviously a critical priority for this model to work). Examples of IoT devices with this capability can include closed-circuit TV (CCTV) or DVR devices and satellite antenna equipment.
In other instances, device SSL certificates can be issued during the manufacturing process or added later to establish device identity and facilitate the authentication process. The concept of building security into the device from the outset is an important concept for IoT manufacturers to consider, so that a careful consideration of possible vulnerabilities or flaws is factored into the design process. Some examples of IoT devices which can use SSL certificates are the Amazon Web Services IoT Button, smart meters and home energy management devices.
When it comes to device updates (software and firmware, for instance) authentication should be employed where possible to ensure these can retrieve code only from approved systems, such as internal servers or authorized devices.
Depending on your IoT devices, researching and implementing the capabilities above (if not already) present would be a good first step in security.
IoT devices can use hardware-based trust anchors, also known as “roots of trust”, which utilize a trusted boot process to ensure devices operate in a known secured state and their contents remain private. It’s also possible to defend against untrusted software attacks by isolating code in different hardware locations so they cannot access secured resources.
Whether data is moving or at rest, it should be encrypted to protect the contents where possible.
IoT on-chip memories can protect data from being accessed or stolen by utilizing cryptography to encrypt or decrypt information. Communication between IoT devices and other systems should be secured via encrypted links using protocols such as TLS (Transport Layer Security), which is commonly used with web browsers such as when conducting financial transactions. TLS can prohibit “man in the middle” attacks whereby data in transit is captured and analyzed for confidential material.
It’s also a good idea to isolate data so it’s only available to systems which need to access it. Using firewalled networks with only the requisite systems is one such example.
Internet of Things (IoT) devices can be at risk from botnets (also referred to as “thingbots.”) A botnet is a privately-harnessed group of systems controlled via malware (which has previously infested a device). Botnets are often utilized to mount distributed denial of service (DDOS) attacks intended to incapacitate or cripple target systems, for purposes of revenge, extortion and calculated disruption.
One such example is known as the Mirai botnet, which launched large DDoS attacks earlier this year on Imperva, KrebsOnSecurity and Dyn (which affected Twitter, Spotify and other sites). Mirai source code was leaked publicly and Imperva researchers analyzed it to understand Mirai better. One of the results of the research was the development of a scanner that can check whether devices on a network are infected by or vulnerable to Mirai malware. This scanner, currently in beta mode, can be found here.
Here are some recommendations for protecting IoT devices from threats posed by botnets: For device owners: “Be careful of what you connect to the internet. Are you sure it needs to be exposed to the entire world? If not, put it behind your router, and in the settings do not do port forwarding to it, or limit its access…Change the default password that came with the device to a hard-to-guess one,” said Ben Herzberg, security research manager at Imperva.
Travis Smith, senior security research engineer at Tripwire, commented that updates on IoT devices can also pose a security risk:
“Most devices are running on some variant of Linux, which can be outdated and highly vulnerable before the device is even released. Even if a vendor releases an update, there are no guidelines on how to handle the update. Some vendors automatically install the update on the devices as it is released. However, the majority of devices either never release any security updates, or fail to notify the owner of the device about the update. End-users need to be vigilant about finding out which devices they have installed and continually check for updates from the vendors.”
For organizations: “Due to the increase in IoT devices, it’s easier for attackers to generate massive DDoS attacks. Therefore, it is important to plan for such attacks, and make sure that the attacking traffic is mitigated in the cloud before it reaches your organization,” said Herzberg.
Tim Matthews, Vice President of Imperva, stated: “Securing IoT devices will require both better education of consumers, and security by design on the part of manufacturers. Ideally, security companies and device manufacturers would work together to create standards for credentials and access akin to a UL compliance seal.”
The Internet of Things Security Foundation also seeks to address these concerns by providing best practices, tips, and news updates to help companies and consumers stay abreast of security hazards. If you own or administer IoT devices, I recommend visiting their page regularly to stay informed about new developments in the IoT security landscape.
Update: A video was added to this article on April 11, 2017.
Hackers attempt DDoS attacks on Clinton and Trump campaign websites using Mirai botnet
Source code of Mirai botnet responsible for Krebs On Security DDoS released online
How the Mirai botnet almost took down an entire country, and what your business can learn
Aerohive’s new IoT security solution could have blocked Dyn DDoS attacks, company claims