Strengthening IoT Security

By Jack Giardina on March 2, 2018


The IoT Threat

The Internet of Things (IoT) is growing rapidly with each new product cycle and presents serious cause for concern with regard to information security.  Over the last several years IoT devices have been regularly targeted by malware and leveraged to create massive botnets capable of wreaking havoc across the internet.  In late 2016, malware known as “Mirai” spread like wildfire by taking advantage of popular webcams and routers that were configured with default usernames and passwords.  The Mirai botnet was eventually able to command a reported 1.2 Tbps attack strength (the largest in history until this week) to target and bring down major sites including Twitter, CNN, The Guardian, Netflix, and Reddit.  Cybersecurity software firm Imperva performed an analysis of a previous Mirai attack that consisted of roughly 50,000 infected devices with unique IP addresses spanning 164 countries (out of the 195 countries recognized by the UN).  Earlier this year the Satori botnet (another Mirai variant) was reported to have been active on nearly 300,000 devices, a number achieved through the malware's ability to function as an IoT worm.  Presently IoT botnets represent a high-level threat capable not only of disrupting service but also of causing significant harm to the financial sector, critical infrastructure, and personal privacy.  The security implementations and practices associated with IoT devices directly impact the likelihood of botnet creation and therefore must be prioritized accordingly at the design, manufacturing, and user levels.  The security flaws that make IoT botnets possible can also be exploited on any individual device for a number of purposes (data exfiltration, backdoors, etc.), all of which result in significant risks to the end user.

IoT Vulnerabilities

Weak credentials represent only a single avenue for the exploitation of IoT devices; many other security deficiencies exist due to the rapidly evolving nature of the technology market.  Vendors are frequently pressed to release devices quickly and risk losing valuable market share should they take extra time to streamline products.  Extra time spent in development could mitigate security risks, but this stage is often bypassed because security flaws are not typically viewed as problematic until they are exploited.  This results in devices that function as advertised but are inherently vulnerable.  Common issues include:

  • Weak default device credentials
    • e.g. admin/admin – admin/password – password/password
  • Lack of secure firmware / infrequent patching
    • Even when firmware updates are available many users aren’t aware of how to update devices
  • Lack of or weak device encryption
    • Even if devices have strong credentials, device communications and data are often left unprotected
  • Poorly designed hardware 
    • Hastily designed hardware often prioritizes “fashion over function” and can be easily manipulated/modified

Best practices for IoT Security

The implementation of security best practices can significantly decrease the viability of IoT attacks and provide millions of consumers with safer products.  Persistent actors will certainly continue to possess the capabilities to compromise devices regardless of the security implemented, but improvements in current standards may help change the common notion that IoT devices represent low hanging fruit.  An approach that utilizes defense-in-depth could accomplish this through implementation of the following practices:

  • Enforce strong authentication
    • Increase the complexity of default device credentials and enforce two-factor authentication where appropriate
  • Implement automated, secure firmware patching
    • New vulnerabilities are discovered every day; automating the patching process would allow for increased security
  • Utilize enhanced device encryption for communications and device data
    • The strongest encryption possible should be implemented as appropriate for the device
  • Minimize device bandwidth strictly to what’s necessary for critical operations
    • Lessened bandwidth decreases the ability of devices to contribute effectively in a DDoS attack and minimizes the threat of amplification
  • Manufacture hardened hardware 
    • Protection of non-critical ports and reduction of the overall attack surface reduces threat capabilities
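As an added example (not code from the article), the following Python shows how a device provisioning tool could enforce the first practice above: it rejects the factory defaults the article names, requires a minimum complexity, and mints a unique per-device password so that no two units ship with the same credential. The WEAK_DEFAULTS set, the length threshold and the character-class rule are assumptions chosen for illustration.

```python
"""Device credential policy for IoT provisioning (added example, not from the article)."""
import secrets
import string
from typing import List

# Weak factory defaults named in the article, as (username, password) pairs.
WEAK_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("password", "password"),
}
MIN_LENGTH = 12  # assumed policy threshold


def credential_findings(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the pair is acceptable."""
    findings = []
    if (username.lower(), password.lower()) in WEAK_DEFAULTS:
        findings.append("known weak default credential")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    # Require at least three of the four character classes.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        findings.append("password uses fewer than 3 character classes")
    return findings


def mint_device_password(length: int = 16) -> str:
    """Generate a unique per-device password that passes credential_findings()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Re-check against the policy so the minted value can never be a weak default.
        if not credential_findings("admin", candidate):
            return candidate


if __name__ == "__main__":
    print(credential_findings("admin", "admin"))
    print(mint_device_password())
```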

The Future of IoT

A day is fast approaching where nearly every critical device relied upon in daily life will connect to the internet.  Security of these devices must be made a top priority in order to mitigate threats that will only grow more significant in time.  As threats continue to evolve the further development of security best practices is crucial and cannot afford to be minimized.
