Cybersecurity and IoT: Where Do We Go From Here?
The proliferation of both enterprise and consumer connected devices has continued to pick up steam over the last decade. Everyone from Silicon Valley tech giants to century-old durable goods manufacturers is taking part in the trend that attempts to bring every aspect of the consumer and enterprise experience online. Some estimates suggest that the number of IoT devices will reach 24 billion by 2020. Gartner predicts that over half of business processes will incorporate some element of IoT by 2020. However, if this “Internet of Things” is here to stay, which all signs seem to indicate is true, then we all have a reason to take a step back and consider securing not only our privacy, but also the integrity of our equipment, information and businesses.
Each new ‘thing,’ whether it be a network printer, thermostat, or IP-enabled camera, is a potential target for a hacker. At the most basic level, an intruder can use this as an opportunity to do things like snoop on VOIP calls or intercept data sent to printers. However, with the addition of devices like IP-enabled Heating, Ventilation and Air Conditioning (HVAC) systems, hackers are able to alter the settings of sensitive temperature-controlled environments, potentially damaging critical equipment or goods. The second, and ultimately more damaging, IoT-related cyber threat is the harmful potential of the connected devices themselves. Each additional, poorly secured, networked device can be infected and used for coordinated attacks such as Distributed Denial of Service (DDoS) attacks.
Different Forms of Vulnerabilities
The core of why IoT security is of such critical importance starts at the device level. The devices themselves are potential targets with limited built-in security measures.
Password and User Access: While not always the case, manufacturers often set hardcoded or default passwords that remain unchanged by users. These passwords may even be identical across all devices of the same model, and some devices may not require a password at all.
Physical Security: Another key vulnerability is that many devices are left unattended by humans, leaving them open to hardware and software manipulation without the need for remote access. IoT devices also do not support the same level of security as conventional hosts because of their resource and computing constraints.
Security Software Updates: For many IoT devices, vulnerabilities may be hardware or software related, and patches for either can be difficult to find and to apply.
Examples of IoT Exploits
With countless vulnerabilities and a lack of security measures, nearly two-thirds of enterprises are estimated to experience IoT-related breaches by 2018. We now discuss some of the most common types of breaches that occur and potential consequences:
With many businesses opting for Voice over Internet Protocol (VOIP), the possibility of security breaches is elevated, as hackers may be able to exploit configuration settings to bypass authentication. Other related attacks include VLAN hopping, Caller ID spoofing (faking numbers, etc.), and voicemail hacks. Similarly, printers can be exploited and used to access sensitive information sent to the printer.
Smart Televisions, TVs that connect to the internet to stream content, represent vulnerable access points for information breaches. The Department of Defense (DoD) in a recent report identifies scenarios where a television could be used to record sensitive visual and sound information.
Utilities and HVAC systems are also vulnerable to tampering, which enables hackers to alter sensitive environments and put equipment, servers and other systems out of operation. IP-enabled thermostats can be easily hacked if they use default passwords or lack firewalls.
IoT security devices such as locks and alarm systems for doors and windows may also be vulnerable to hacks, leaving both offices and homes at risk from intruders. In addition, doors equipped with sensors or other devices may not be as secure as one may believe.
While individual device breaches can be damaging, the greater IoT security threat arises from coordinated attacks that leverage the computing capability of many compromised devices on different networks. One of the most popular is a Distributed Denial of Service (DDoS) attack. According to one cyber security firm, 51% of all companies have experienced an attack, and 70% of victims are targeted more than once. DDoS attacks are the most common type of cyber-attack on financial institutions. The median size of DDoS attacks is also largest among financial institutions when compared to all other major industry sectors.
A few types of DDoS attacks: The notion behind a DDoS attack is that it prevents a legitimate user from accessing a service by exhausting the server’s resources or otherwise rendering it unusable. Below we break down the different ways botnets like Mirai use the computing power of many devices to take down networks and websites.
- Flooding or Volumetric attack: Sends traffic to congest the victim’s network so legitimate users are unable to access their accounts or make purchases online.
- Amplification Attack: Uses publicly accessible open DNS servers to overwhelm a victim with response traffic. Typically, attackers send lookup name requests to open DNS servers with spoofed target addresses that request as much information as possible, overwhelming the target.
- Resource Depletion Attack: Similar to volumetric attacks, resource depletion attacks employ packets that misuse network protocols or send malformed packets, exhausting network resources that legitimate users need.
The first widespread IoT-based DDoS attacks occurred last fall. In September of 2016, Mirai, an open source malware that targets IoT devices running Linux, was used to attack the cybersecurity blog Krebs on Security and Ars Technica, a technology news site. In October, Mirai was used in the largest DDoS attack ever, which took down numerous websites including Twitter, Reddit, CNN and Netflix for most of one day. The attack targeted the servers of Dyn, the company that hosts much of the internet’s Domain Name System (DNS). In November, Mirai was used again in an attack that took down Liberia’s internet infrastructure. This is not a new type of attack; Bank of America and JP Morgan Chase suffered costly DDoS attacks several years ago by a group called the European Cyber Army.
Mirai uses existing infected devices to scour the internet for the IP addresses of IoT devices. The botnet then infects vulnerable devices using a list of common default usernames and passwords. The malware goes largely unnoticed, with the exception of a mild increase in bandwidth use. Infected devices can even remove competing malware and block remote administrative ports. Because the Mirai botnet has such a large number of devices, its attacks are able to bypass anti-DDoS software that only monitors whether there has been an abnormal level of activity from a single IP address.
Breaking down Mirai
Along with its ability to target and gain access to IoT devices, the success of Mirai also rests on two novel attack techniques that allow the botnet to bypass firewalls and spread rapidly. These two techniques are referred to as DNS Water Torture and GRE IP and Ethernet Floods.
DNS Water Torture: One of several non-standard forms of attack used by Mirai, this technique requires significantly fewer queries from the bot. The bot prepends a randomly generated prefix to a well-formed DNS query for the target’s domain. When the target’s authoritative server fails to respond, the ISP’s recursive DNS server retransmits and tries another authoritative server of the target organization, effectively carrying out the attack on the bot’s behalf. The randomized prefix ensures that no intermediate DNS server has the name cached locally, so every query follows the full resolution path until it reaches an authoritative DNS server.
GRE IP and Ethernet Floods: Mirai used a Generic Routing Encapsulation (GRE) flood both with and without Ethernet encapsulation. Routers will typically pass GRE packets along because GRE is widely used for building VPN connections and allows large payloads to be carried. GRE creates a point-to-point connection between computers that may be running two different network protocols. This allows Mirai to spoof the inner packet and overload the server as it de-encapsulates the traffic. This work is done for every packet, from every bot, of which there are millions.
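The two techniques above are easiest to see from the resolver’s and the tunnel endpoint’s side. As an added example that is not part of the original article, the first function below scores a resolver log for the water-torture pattern (many distinct leftmost labels under one zone, almost all answered NXDOMAIN); the log lines, the thresholds and the two-label zone heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not from the page): "<client> <qname> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.9 x7k2q9.example.com NXDOMAIN
10.0.0.9 p0ab3z.example.com NXDOMAIN
10.0.0.11 m4n8vq.example.com NXDOMAIN
10.0.0.12 zz91kl.example.com NXDOMAIN
10.0.0.13 qq17aa.example.com NXDOMAIN
10.0.0.13 r5t6y7.example.com NXDOMAIN
10.0.0.14 cdn.othersite.net NOERROR
10.0.0.15 api.othersite.net NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def base_domain(qname):
    """Assumption: the attacked zone is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def water_torture_scores(log_text):
    """Per zone: (query count, distinct leftmost labels, NXDOMAIN share)."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "nx": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _client, qname, rcode = m.groups()
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["labels"].add(qname.lower().split(".")[0])
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return {z: (s["queries"], len(s["labels"]), s["nx"] / s["queries"])
            for z, s in stats.items()}


def flag_zones(log_text, min_labels=5, min_nx_ratio=0.7):
    """Zones whose query mix looks like random-prefix (water torture) traffic."""
    return sorted(z for z, (_q, uniq, nx) in water_torture_scores(log_text).items()
                  if uniq >= min_labels and nx >= min_nx_ratio)
```

A recursive resolver that rate-limits or drops queries for zones flagged this way stops forwarding the bot’s work to the victim’s authoritative servers.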
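For the GRE flood, the defender’s check is to parse the GRE header (RFC 2784/2890), walk into the inner packet with or without the bridged Ethernet header, and compare the inner source against the tunnel peers that are actually expected. The parser below is an added example, not Mirai code or code from the article; the allowed-peer set and the sample packets are constructed assumptions.

```python
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800  # inner payload is a raw IPv4 packet
GRE_PROTO_TEB = 0x6558   # Transparent Ethernet Bridging: inner payload is an Ethernet frame
# Assumption (not from the page): the only legitimate inner tunnel sources.
ALLOWED_INNER_SRC = {ipaddress.ip_address("192.0.2.10")}

def parse_gre(data):
    """Parse an RFC 2784/2890 GRE header; returns (fields, payload)."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    fields = {"checksum": bool(flags & 0x8000), "key": bool(flags & 0x2000),
              "sequence": bool(flags & 0x1000), "version": flags & 0x7, "proto": proto}
    if fields["version"] != 0:
        raise ValueError("unsupported GRE version")
    # Optional 4-byte fields follow in fixed order: checksum+reserved1, key, sequence.
    off = 4 + 4 * (fields["checksum"] + fields["key"] + fields["sequence"])
    if len(data) < off:
        raise ValueError("truncated GRE options")
    return fields, data[off:]

def inner_ipv4_src(proto, payload):
    """Inner IPv4 source address, with or without an Ethernet header in between."""
    if proto == GRE_PROTO_TEB:
        if len(payload) < 14 or payload[12:14] != b"\x08\x00":
            return None  # not an IPv4 frame inside the bridged Ethernet header
        payload = payload[14:]
    elif proto != GRE_PROTO_IPV4:
        return None
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(payload[12:16])

def classify_gre(data, allowed=ALLOWED_INNER_SRC):
    """'ok' for an expected tunnel peer, 'spoofed_inner' otherwise, 'malformed' if unparsable."""
    try:
        fields, payload = parse_gre(data)
    except ValueError:
        return "malformed"
    src = inner_ipv4_src(fields["proto"], payload)
    if src is None:
        return "malformed"
    return "ok" if src in allowed else "spoofed_inner"

def build_ipv4(src, dst):
    """Constructed minimal IPv4 header (20 bytes, no options) for the sample packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
```

Because the check runs on the fixed-size headers only, it is cheap enough to apply before the expensive de-encapsulation the flood is designed to trigger.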
What is next?
The consensus among experts is that DDoS attacks are certainly here to stay, as both the number of hackable bots and the level of sophistication of attacks continue to rise. Variants of Mirai, including Linux/IRCTelnet and Bashlite, show signs of potential threats. Linux/IRCTelnet is an Internet Relay Chat (IRC) based bot that uses a file format common to UNIX-based IoT devices. By actively using Mirai’s leaked IoT credentials list, the bot is able to conduct UDP and TCP flood attacks against IPv4 and IPv6 devices. The malware infected 3,500 devices in just 5 days. Bashlite is a more established malware that has infected over a million devices and can launch not only TCP and UDP floods, but also HTTP attacks.
Most recently, researchers have discovered an Android-based DDoS malware called WireX with similar UDP flood capabilities. The botnet had embedded itself in a number of apps available on the Google Play Store.
The public sector has taken initial steps to address IoT-related cyber-security concerns by proposing the IoT Cybersecurity Improvement Act of 2017. The Act, proposed in the U.S. Senate, seeks to enhance security standards for connected devices used by the Federal Government by requiring IoT devices to be patchable, contain no known vulnerabilities, rely on standard protocols, and contain no hardcoded passwords. The Act, though it has good intentions, may have limited utility in mitigating DDoS attacks because targets suffer the consequences of compromised IoT devices regardless of whether they control the devices themselves.
The National Institute of Standards and Technology (NIST) has addressed IoT cybersecurity in its Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. Unlike prior revisions of the report and the Act, the current revision addresses ways in which both the public and private sectors can address security issues. NIST has acknowledged that IoT, while not “warranting unprecedented tools … widens the threat landscape and presents new challenges.” Early discussions by NIST call for an IoT-specific security framework for federal use cases and a “framework-like” approach for developing an IoT document.
If the Act passes, it will serve as a warning signal for the private sector to dramatically expand its IoT security efforts. The Act will also gradually cause device manufacturers to begin to implement standards across all of their devices. However, many manufacturers still have a long way to go beyond the security measures they have already implemented.
The rest of us have both a collective and an individual responsibility to mitigate IoT-related security threats through the implementation of device-level and network-level mitigation techniques. McKinsey found that only 16% of experts believe that their company is well prepared for IoT-related cyber security threats. Device-level security measures will protect your enterprise from data breaches or other asset compromises, whereas raising the general level of security among IoT devices will leave fewer targets for botnets like Mirai.
Device Level Defense
Each connected device should be considered a potential threat to the integrity of the enterprise and its data. Without a formal security standard imposed on device manufacturers, the enterprise itself inherits the responsibility to maintain proper security measures, and also develop a procedure for managing the adoption and continued monitoring of devices.
- Passwords: Carefully consider the security methods used by the manufacturers of the devices and change all default passwords and user IDs on new devices to prevent direct breaches by attackers.
- Security Updates: Ensure that all software and hardware updates are authorized, to help prevent infection by malware. Validation logic based on a trust anchor or root certificate may be provisioned into the device to decide whether an update is executed.
- Compartmentalization: In order to minimize the potential damage from an IoT attack, enterprises should create separate network zones for devices when possible in order to keep them away from critical network activities. Similarly, IoT devices should not be allowed direct ingress or egress connectivity to the internet; their traffic should instead pass through content monitoring systems.
- Certificates: Implement a public-key-based trust model, where devices are built with the trust anchor of a Certificate Authority, which is more secure than a username and password.
Network Level Defense
IoT-related cybersecurity threats, as we have discussed, go far beyond the devices that are currently installed. DDoS and similar attacks have become both more common and more damaging with the growth of IoT and of sophisticated botnet attack vectors. However, there are techniques that help enterprises mitigate the dangers of botnet attacks.
- Monitoring: The first step in defending against DDoS attacks is recognizing the initial signs, by investing in monitoring technology that distinguishes between normal network spikes and attacks, and by implementing effective incident response procedures.
- Coordination: Expanding monitoring efforts by coordinating with ISPs is an effective way to identify spikes in activity that could be associated with a DDoS attack.
- Intelligence: Recognizing a DDoS threat is only part of the defense; measures should be taken to develop an understanding of all potential threat vectors and of the signs that an attack may be underway.
- Encryption: Signature-based firewalls and routers may provide a good first line of defense during impending attacks. In addition, load balancers and cloud-based anti-DDoS solutions may help absorb DDoS traffic.
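The monitoring point above, and the earlier observation that Mirai slips past tools that only watch for one noisy IP, can be shown side by side. This added example (not code from the article) applies a per-source rule and a window-level rule to constructed request logs; the baseline volumes, thresholds and IP ranges are assumptions.

```python
import statistics
from collections import Counter

# Constructed baseline: requests per one-minute window on five ordinary days (not from the page).
BASELINE_WINDOWS = [100, 120, 90, 110, 105]

def parse_sources(log_lines):
    """Source IP of each request from constructed lines of the form '<ip> GET <path>'."""
    return [line.split()[0] for line in log_lines if line.strip()]

def per_source_alerts(log_lines, max_per_source=50):
    """Classic per-IP rule: report any source exceeding max_per_source in the window."""
    counts = Counter(parse_sources(log_lines))
    return sorted(ip for ip, n in counts.items() if n > max_per_source)

def aggregate_verdict(log_lines, baseline=BASELINE_WINDOWS, sigma=3.0, min_sources=100):
    """Window-level rule: compare total volume with the baseline and check source spread."""
    sources = parse_sources(log_lines)
    total, distinct = len(sources), len(set(sources))
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # avoid division by zero on a flat baseline
    zscore = (total - mean) / sd
    if zscore <= sigma:
        verdict = "normal"
    elif distinct >= min_sources:
        verdict = "distributed_flood"   # many low-rate sources: a botnet-style pattern
    else:
        verdict = "concentrated_spike"  # few heavy sources: per-IP rules already see this
    return {"total": total, "sources": distinct, "zscore": round(zscore, 2), "verdict": verdict}

def constructed_window(n_sources, per_source):
    """Constructed window: n_sources distinct IPs each sending per_source requests."""
    return [f"198.51.{i // 256}.{i % 256} GET /" for i in range(n_sources) for _ in range(per_source)]
```

The distributed window (500 sources sending two requests each) trips no per-IP alert at all, while the window-level rule flags it; the concentrated window is caught by both.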
The Internet of Things has introduced a set of cyber-security threats that range from data privacy breaches to costly Denial of Service attacks. The public sector has begun to provide guidance and legislative input in an attempt to mitigate potentially catastrophic information security threats. While a formal IoT governance framework has yet to be established for either the public or the private sector, both small and large organizations have the responsibility to take ownership of their digital assets by carefully considering all hardware and software vulnerabilities, implementing ongoing monitoring and response programs, and developing an awareness of both current and future threats.
- The growth of IoT has been quite impressive over the last decade and is projected to continue at a similar pace over the next few years. Gartner indicates that the number of devices will surpass 20 billion by the year 2020.
- Cybersecurity practices lag far behind the growth in IoT, leaving many consumers and enterprises at risk of privacy and data breaches as well as other exploits.
- The rise of IoT has provided fodder for crippling DDoS attacks by Mirai and other botnets that use sophisticated techniques to take over IoT devices, using them for coordinated attacks that overwhelm and ultimately take down servers.
- Enterprises should implement strict protocols for onboarding and monitoring devices that ensure regular patches and updates, password management, and encryption.
- Strict oversight of the network, through coordination with ISPs and the use of defensive software, helps mitigate DDoS threats.