To hunt prey, predators must first scope out the target’s surroundings and everyday activity— something cybercriminals are all too familiar with when it comes to hacking connected/IoT (Internet of Things) devices in the home. While it’s tough to pinpoint which specific devices are the least secure, hackers are clearly targeting a specific segment of products more than others: mass-produced, consumer, seemingly “innocent” gadgets. In the past year alone, we’ve seen attacks on smart teddy bears, doorbells, and even fish tanks. These types of common, everyday household items are primarily designed with convenience or style in mind, while security is often an afterthought. Attacks on IoT devices in the home can not only lead to invasions of personal privacy, but ultimately impact communications service providers (CSPs) and IoT vendor.
Picking off the weak
In the recent Satori IoT botnet cyber-attack, we have seen a rapid evolution in sophistication of attacks where — instead of run of the mill known vulnerabilities— a zero day attack was used for penetration of IoT devices. The attack managed to “zombify” some 500K-700K Huawei routers, opening them up to be used as the attacker pleases (Botnets, exposing the vendor and household to ransomware crypto-mining and many other exploitations that can benefit the attacker and severely impact both consumer and vendor). In Finland, a DDoS IoT-based attack held several residential complexes hostage without heat until a ransom was paid.
Attacking home IoT devices is like shooting fish in a barrel for cybercriminals. If these devices aren’t properly manufactured with baked-in security, not only does it increase the privacy and personal safety risk to consumers, but it can also become costly for the IoT device vendors and manufacturers left to pay ransom and replace thousands, if not millions, of compromised devices (not to mention the reputational damage to the vendor). With little effort, cybercriminals can achieve big gains.
Contributing factors that lead to devices unwillingly participating in breaches vary. If a device hasn’t been updated or properly manufactured, cybercriminals can sniff out the weaknesses. For example, the Reaper attack that created IoT botnets used nine known weaknesses, some of which had been around since 2013. By not updating IoT devices or personal passwords, consumers are practically inviting cybercriminals to hack into their systems. The challenge is that most consumers won’t bother or don’t know how to update their connected devices’ firmware to protect them from the latest sophisticated attacks. And many are simply unaware of the necessity of practicing good password habits.
Fighting off the cybercriminals
To defend the IoT device herd on the home network in a comprehensive and effective way, service providers should develop a layered security approach that is consumer-friendly yet cost-efficient. This approach should include Customer Premises Equipment (CPE)-based IoT Security, which provides security automated, machine learning based, policies for every connected/IoT device in the household, combined with mechanisms designed to safeguard the CPE and the home network preventing zero day penetration to the CPE and securing against attacks moving laterally within the home network from device to device. The biggest challenge for service providers is to provide an enterprise-grade security solution that protects against the most sophisticated of attacks, yet requires zero knowledge or intervention from the consumer – all while maintaining a sensible consumer price point and a deployment mechanism that facilitates rapid mass distribution and user engagement.
As the volume of connected devices explodes, they become easy prey. Cybercriminals thrive off the increase of vulnerable IoT devices in home networks due to the lax security and potentially high reward when exploited. In order to provide proper protection, service providers, manufacturers, and vendors must provide both preventative and reactive measures across the entire IoT ecosystem. A robust security solution requires a holistic approach and must be delivered through the network. CPE-based IoT security combined with zero day CPE protection and home network security offers an effective, layered approach to tackle the evolving attack surface, and will give savvy service providers an edge over the competition. Every fight brings a challenge, but every challenge brings an opportunity.
Edited by
Ken Briodagh
