Is IoT just too hard to secure?
Science fact and science fiction have a love/hate relationship. Count the number of times when the evil-doer hell-bent on humankind’s destruction is a computer or network. (Go ahead, I’ll wait, but it will take a while.) Fortunately, the ability to connect a random series of devices to launch a nuclear strike à la Terminator is still fiction.
Having someone with the ability to take over more than one million webcams and DVRs to form a network with the sole purpose of creating chaos, now that’s science fact.
A Quick Recap
Ace cybersecurity journalist Brian Krebs attracts the ire of unknown attackers in mid-September. Said attackers construct a botnet of one million IoT devices, then launch the largest DDoS attack network security provider Akamai has seen – by a factor of 2x. All for the purpose of knocking Krebs’ website off the internet.
Two weeks later, the hacker responsible for creating the “Mirai” malware, which allows the creation of botnets at scale and on the fly, releases the malicious code into the wild. Mirai – ironically, Japanese for “the future” – uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices, according to the US-CERT.
A month after the attack on Krebs, CERT issues Alert (TA16-288A) with advice on how to mitigate Mirai’s effect on devices – disconnect, reboot, and change the password – and how to prevent devices from being enslaved in the future. (Or by “the future” as the case may be.)
Two days later, an even larger scale Mirai attack is directed at internet infrastructure company Dyn, effectively shutting off access in parts of the US to major websites such as Amazon, Netflix, and Twitter.
Once again the culprit turns out to be a legion of consumer devices, including routers, DVRs and webcams, according to security management firm Flashpoint.
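The default-credential sweep described in this recap leaves a recognizable trace in a device's login log: one source failing quickly across several different usernames. The sketch below is an added example, not code from the original article or from US-CERT; the log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "time src= user= result=" format.
SAMPLE_LOG = """\
2016-10-01T03:14:01 src=198.51.100.7 user=root result=fail
2016-10-01T03:14:02 src=198.51.100.7 user=admin result=fail
2016-10-01T03:14:03 src=198.51.100.7 user=support result=fail
2016-10-01T03:14:04 src=198.51.100.7 user=guest result=fail
2016-10-01T03:14:05 src=198.51.100.7 user=root result=fail
2016-10-01T03:14:06 src=198.51.100.7 user=admin result=ok
2016-10-01T03:20:00 src=203.0.113.20 user=root result=fail
2016-10-01T03:20:02 src=203.0.113.20 user=admin result=fail
2016-10-01T03:20:04 src=203.0.113.20 user=user result=fail
2016-10-01T03:20:06 src=203.0.113.20 user=root result=fail
2016-10-01T03:20:08 src=203.0.113.20 user=service result=fail
2016-10-01T09:00:00 src=192.0.2.50 user=alice result=fail
2016-10-01T09:00:20 src=192.0.2.50 user=alice result=fail
2016-10-01T09:00:45 src=192.0.2.50 user=alice result=ok
"""

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def find_dictionary_scans(log_text, window_s=60, min_fails=5, min_users=3):
    """Return {src: "scan" | "scan+login"} for sources whose failed logins
    look like a sweep through a list of common usernames."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> (time, user) failures inside the window
    verdict = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, src, user, result = m.groups()
        t = datetime.fromisoformat(ts)
        q = recent[src]
        while q and t - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if result == "fail":
            q.append((t, user))
            if len(q) >= min_fails and len({u for _, u in q}) >= min_users:
                verdict.setdefault(src, "scan")
        elif verdict.get(src) == "scan" and q:
            # A success right after a sweep means a guessed credential worked.
            verdict[src] = "scan+login"
    return verdict

if __name__ == "__main__":
    print(find_dictionary_scans(SAMPLE_LOG))
```

A device reported as "scan+login" is the case the CERT advice addresses: disconnect, reboot, and change the password.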
Frustrating? Yes. Dangerous? No. Not Yet.
Not being able to get into your Twitter feed may be frustrating. You may be disappointed to not be able to watch the final episode of “Stranger Things” on Netflix when you want. Those are inconveniences and that’s generally the extent of the Denial of Service attacks we've seen since September.
That’s largely due to the fact that consumer or light commercial grade products are at the core of the IoT as it stands today. So while CERT’s advice is helpful, it is largely misdirected. To state the obvious, most consumers do not know CERT exists, let alone read their bulletins and act on them.
Being consumer device focused today does not diminish the brazen nature or seriousness of the attacks. Quite to the contrary. These are early warning signs of what lies ahead and what keeps security pros awake at night. It should also serve as a wake-up call to executives responsible for providing the leadership (and resources) to address this new avenue of attack.
The potential now exists for large-scale attacks on the Industrial Internet of Things (IIoT).
The Industrial IoT
Just how big is the IIoT? GE estimates that global investment in IIoT will top $60 trillion (yes, with a T) in the next 15 years. By 2020, an estimated 50 billion industrial assets will connect to the internet according to an IDC report. Those assets include items like aircraft and many of their components (think engines), industrial pumps, motors, power generators and heavy machinery that represent both physical and fiscal risks if compromised by a malicious attack.
The Mirai attacks have been traced to two primary issues, one human behavior-related and one tied to security technology. The human factor comes into play when you consider many popular devices (webcams, DVRs, home automation controllers, media systems) have minimal security features that can be easily defeated or have default security settings that consumers never change. Think “password” as the password.
But more serious are the security issues related to the technology that controls internet-enabled devices. IIoT devices are believed to be filled with code vulnerabilities. According to one estimate, 70 percent of all IIoT devices contain at least one serious code flaw. So real is this threat that the US Federal Bureau of Investigation warns that IoT devices pose an opportunity for cyber crimes against both individuals and businesses.
The November 2016 attack against Dyn is believed to have involved components from a single supplier that downstream manufacturers use in DVRs and webcams. The flaw can still be exploited even if the end-user changes the default password. In the words of Brian Krebs, these “mass-produced IIoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.”
Real World Risks
Linking millions of consumer devices is serious, but the fix lies largely in equipment makers strengthening internal security and consumers changing the default security settings during installation. Networked kitchen appliances may fill your email inbox with spam, but they are unlikely to cause physical harm.
Not true if hackers take control of Industrial-IoT devices. Manufacturing equipment, autonomous farm and construction vehicles, medical devices, commercial drones and other heavy commercial devices require far more robust security protections.
In a 2015 joint alert, the US Food & Drug Administration and CERT urged hospitals to stop the use of a popular brand of an IoT insulin pump because the device was vulnerable to a malicious attack. “Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.”
IIoT devices tend to be connected to the Cloud (or on-prem) and controlled by apps – an infrastructure that also contains vulnerable code and represents a large part of the industrial IoT attack surface. In fact, an EDC study on the IoT estimates that 55 percent of developers connect via the cloud when creating APIs to control the devices.
That’s an attack surface that can be secured with the next generation of application security solutions. Protecting an application’s runtime in real-time using virtual containers, for example, means hackers can’t exploit known or unknown code flaws to take over an application and the IoT devices attached to it. There’s also the added benefit of being able to apply security patches virtually without taking the app out of production.
No matter what approach is used, the IIoT communities of manufacturers, software developers and users have a unique opportunity and a clear responsibility to devote special attention to security. The Mirai attacks on the consumer IoT prove we are vulnerable, but we still have the opportunity to build a more secure IIoT.
About the Author: James E. Lee is Executive Vice President of US-based Waratek Inc. He’s seen all of the Terminator movies - more than once. Contact James to learn more about RASP and application security trends at [email protected]