Jan van Vliet, VP and GM EMEA at Digital Guardian, examines the link between the Internet of Things’ (IoT) poor security track record and the recent growth of malware attacks on IoT devices.
An occasional series of vendor perspectives on the world of connected business – because it’s all about making new connections and starting new conversations.
The IoT’s patchy security record has long been a source of discussion in security circles, but the Mirai malware attack in October 2016 was probably the point where the rest of the world stood up and took note as well.
It was the first successful large-scale security attack on the IoT, using malware to turn vulnerable IoT devices into a botnet army capable of bringing down high-profile websites, such as Netflix, Twitter, and Reddit through multiple, large-scale DDoS attacks.
Mirai wasn’t a complex malware, it simply scanned big blocks of the internet for open Telnet ports on IoT devices and then tried a total of 61 default passwords in an attempt to gain control of as many devices as possible.
It was a worryingly successful tactic, with almost 400,000 devices connected at its peak – more than enough to do extensive damage. What’s more, it raised serious questions about just how easily even crude malware can take advantage of weak IoT security practices.
The Mirai malware attack sounds like a worst-case scenario, but the unfortunate reality is that a significant number of the IoT devices out there (Gartner predicted there were 8.4 billion in use in 2017, rising to 20.4 billion by 2020) are extremely vulnerable to this kind of attack.
In their rush to capitalise on the rapid growth of the IoT market in recent years, many manufacturers and vendors eschewed robust security measures in order to get products to market as fast as possible.
As a result, many devices today have default passwords and credentials, use insecure configurations, and are notoriously hard to upgrade. In short, they are incredibly easy to compromise.
The appearance of new, low-level protocol hacks, like KRACK, are also giving would-be attackers even easier ways to bypass and compromise IoT infrastructure and inject malicious code, or manipulate data found within vulnerable devices.
Doing so can have serious implications. For instance, if the devices need to sync with a cloud application, malicious code or manipulated data could be used to infect the cloud or send incorrect settings or actions back, with potentially devastating consequences.
Fortunately, IoT manufacturers and vendors are, slowly, starting to wake up to the security risks that come with inadequate device and infrastructure protection.
But with so many poorly protected devices out there already (and still in production), a comprehensive evaluation of security, from a variety of different angles, remains an absolute necessity before any implementation takes place.
Three key areas for IoT security
The following three areas should be thoroughly examined as a bare minimum:
Software considerations: Before installing any new device, it’s important to ensure that the manufacturer has adhered to strict software security practices from the outset, and not as an afterthought. Central to this is the ability to patch the device remotely, providing much-needed future-proofing against both cyber threats and software advances.
Hardware considerations: Physical security is another key area when evaluating new IoT devices. Something as simple as the inclusion of physical switches allows users to turn off certain features if required (such as a mute button for devices that feature microphones). Integrating tamper-proofing measures in components also greatly minimises the chances of them being accessed without permission.
Network considerations: Secure protocols like HTTPS should always be in place for any data exchange between the IoT device and backend management or storage solutions. Strong authentication methods are also critical and users should be prompted to immediately change any default credentials to strong alphanumeric alternatives on first use.
As with so many new technologies, manufacturers and vendors conveniently forgot about the importance of security during the IoT boom of the last few years. However, now that the honeymoon period is over and the threat posed by dangerous new types of malware, such as Mirai, becomes more prevalent, everyone needs to start taking it more seriously.
Basic security principles, such as those mentioned above, will go a long way towards defending against the threats out there. Fortunately, the industry is starting to realise this, but until better security practices become more widespread, a cautious approach to new IoT implementations remains imperative.
Internet of Business says: This opinion piece has been provided by Digital Guardian, and not by our independent editorial team.