Billions of connected devices are already out there in the world. More are coming soon. And – like people and other resources – these entities can be employed for good or evil.
If that sounds like fearmongering, consider these recent statements from a few experts in the cybersecurity and networking fields:
“I believe that during the next presidential administration, we are going to see a massive cyber attack on infrastructure. I believe it is going to be of devastating proportions, and I think we are not ready for it.”
– Ed Amoroso, AT&T’s recently retired chief security officer, as quoted by Light Reading
“As the world becomes more dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Beyond the resulting economic losses and national security threats, our privacy, civil liberties, and constitutional rights – even the voting system that underlies our democracy – all become vulnerable.”
– the Commission on Enhancing National Cybersecurity’s “Report on Securing and Growing the Digital Economy”
“…the attack against Dyn largely mirrored an attack against Brian Krebs’ Krebs on Security blog last month, which raises the specter of criminals and nations being able to increasingly silence their critics, extort businesses, and wreak havoc on the online world, perhaps even at pivotal moments like during an election day.”
– Kalev Leetaru, senior fellow at the George Washington University Center for Cyber & Homeland Security, writing for Forbes
The Dyn and Mirai distributed denial of service attacks this autumn brought into stark relief the security vulnerabilities of so many connected devices today. In both cases, a wide variety of connected endpoints were commandeered to stage these attacks.
“What makes the attack against Dyn so interesting is the scale at which it occurred and its reliance on compromised Internet of Things devices, including DVRs and webcams, allowing it to command a vastly larger and more distributed range of IP addresses than typical attacks,” said Leetaru. “Making the attack even more interesting is the fact that it appears to have relied on open sourced attack software that makes it possible for even basic script kiddies to launch incredibly powerful attacks with little knowledge of the underlying processes.”
KrebsOnSecurity, the target of the Mirai attack, explained that this malware continually scans the internet for IoT systems protected by factory default or hard-coded usernames and passwords. When Mirai identifies such systems, it infects them with software that turns them into bots, which then report to a new central authority. This process can be repeated to create armies of bots that can then be used to overwhelm internet infrastructure in an effort to take websites offline or do other damage.
Reporting in October, KrebsOnSecurity said Mirai and Bashlight are two malware families being used to quickly assemble very large IoT-based DDoS armies. Rebooting devices can help them recover from such infections, KrebsOnSecurity said, but it noted that these systems can easily and quickly be re-infected after reboot given the constant scanning these malware programs do for vulnerable systems.
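The scanning behaviour described above is also what a defender can look for on the local network: an infected device fans out to many unrelated hosts on the telnet ports, which an ordinary client never does. The following is an added example (not code from the article, KrebsOnSecurity, or any vendor quoted here) that runs that check over a constructed flow-log sample; the log format, the port watch list, the `min_targets` threshold and the quarantine rule syntax are all assumptions made for illustration.

```python
from collections import defaultdict

# Telnet ports that Mirai-style bots are reported to probe; the watch list is an assumption.
SCAN_PORTS = {23, 2323}

# Constructed sample flow log: "timestamp src dst dport" per line.
# 10.0.0.7 behaves like a scanning bot; 10.0.0.5 behaves like a normal client
# (one legitimate telnet session to a LAN host, the rest HTTPS).
SAMPLE_FLOWS = """\
2016-10-21T13:00:01 10.0.0.5 93.184.216.34 443
2016-10-21T13:00:02 10.0.0.7 198.51.100.10 23
2016-10-21T13:00:02 10.0.0.7 198.51.100.11 23
2016-10-21T13:00:03 10.0.0.7 198.51.100.12 2323
2016-10-21T13:00:03 10.0.0.5 192.0.2.44 443
2016-10-21T13:00:04 10.0.0.7 198.51.100.13 23
2016-10-21T13:00:04 10.0.0.7 198.51.100.13 23
2016-10-21T13:00:05 10.0.0.7 198.51.100.14 23
2016-10-21T13:00:05 10.0.0.5 10.0.0.9 23
2016-10-21T13:00:06 10.0.0.7 198.51.100.15 2323
"""


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_scanners(flows, min_targets=5):
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on a watched port. Distinct destinations,
    not connection count, is the signal: a retried session to one host is
    normal, a sweep across many hosts is not. A production detector would
    also bound this by a time window."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def quarantine_rules(scanners):
    """Render one isolation rule per flagged host. The rule syntax is a
    hypothetical placeholder; a real deployment would emit whatever the
    router, firewall or SDN controller accepts. Because a reboot alone
    leaves the device open to re-infection, isolating it until its
    credentials are changed is the point of the rule."""
    return [f"deny src {src} to any" for src in sorted(scanners)]


if __name__ == "__main__":
    flagged = find_scanners(parse_flows(SAMPLE_FLOWS))
    for src, count in flagged.items():
        print(f"{src}: {count} distinct telnet targets")
    for rule in quarantine_rules(flagged):
        print(rule)
```

Run as-is it flags only `10.0.0.7`; the single telnet session from `10.0.0.5` stays below the threshold, which is the edge case a naive "any telnet" rule would get wrong.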
Of course, businesses can use services to guard their sites against DDoS attacks, said Jay Srinivasan, senior director of engineering at IoT platform provider Infiswift. However, he added, KrebsOnSecurity used such a service, and the DDoS attack was still so overwhelming that it overcame this safeguard.
Another of the most commonly repeated tips for helping people secure themselves and their devices against bad actors is to change the default passwords on those devices and avoid simple passwords like 123.
Some companies are developing IoT products that enable security by default rather than offering it as an option, said Srinivasan. It’s a good idea, he said, to make SSL the default instead of an option.
Adding layers of security, such as two-factor authentication, can also help better secure devices, he added. Srinivasan also noted that hardware-based Trusted Platform Module technology can be employed to store keys, rather than keeping them in flash storage where a bad actor could find them.
Another way to reduce the attack surface area, he suggested, is to make users turn on device features rather than shipping those devices with all the features turned on. By granting users of devices privileges to do only what they need to do and nothing more, he added, businesses can also reduce the attack surface.
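The hardening advice in the preceding paragraphs (no factory-default or trivial passwords, TLS and two-factor on by default, keys in a TPM rather than flash, features off until the user turns them on, and users granted only the privileges they need) can be expressed as checks a manufacturer runs against a device's shipping configuration. The block below is an added example, not code from the article or from Infiswift; the configuration keys, the list of known default credentials, the role table and both sample configurations are constructed for illustration.

```python
# Constructed list of factory-default credential pairs to refuse outright.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "123")}
MIN_PASSWORD_LENGTH = 12

# Constructed least-privilege table: what each role actually needs to do.
ROLE_NEEDS = {
    "viewer": {"view_stream"},
    "owner": {"view_stream", "reboot", "update_firmware", "change_admin_password"},
}

# Constructed "as shipped" configuration with every weakness the article names.
WEAK_CONFIG = {
    "username": "admin",
    "password": "admin",
    "tls_enabled": False,
    "two_factor": False,
    "key_storage": "flash",
    "features": {"telnet": True, "upnp": True, "remote_admin": True, "camera_stream": True},
    "required_features": {"camera_stream"},
    "user_permissions": {"viewer": {"view_stream", "reboot", "update_firmware", "change_admin_password"}},
}

# Constructed corrected configuration: secure by default, opt-in features, least privilege.
HARDENED_CONFIG = {
    "username": "admin",
    "password": "Correct-Horse-Battery-7!",
    "tls_enabled": True,
    "two_factor": True,
    "key_storage": "tpm",
    "features": {"telnet": False, "upnp": False, "remote_admin": False, "camera_stream": True},
    "required_features": {"camera_stream"},
    "user_permissions": {"viewer": {"view_stream"}},
}


def audit_config(cfg):
    """Return a list of finding codes; an empty list means the config passes."""
    findings = []
    creds = (cfg["username"], cfg["password"])
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    # Short or all-digit passwords ("123") fall to the same scanning Mirai relies on.
    if len(cfg["password"]) < MIN_PASSWORD_LENGTH or cfg["password"].isdigit():
        findings.append("weak-password")
    if not cfg["tls_enabled"]:
        findings.append("tls-disabled")
    if not cfg["two_factor"]:
        findings.append("no-2fa")
    if cfg["key_storage"] != "tpm":
        findings.append("keys-in-flash")
    # Anything enabled that the device does not need to function should be opt-in.
    for feature, enabled in cfg["features"].items():
        if enabled and feature not in cfg["required_features"]:
            findings.append(f"feature-on-by-default:{feature}")
    # Each role may hold only the permissions the role table says it needs.
    for role, perms in cfg["user_permissions"].items():
        if perms - ROLE_NEEDS.get(role, set()):
            findings.append(f"excess-privilege:{role}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

The audit is deliberately a deny-list for credentials and an allow-list for features and privileges: an unknown feature or permission counts as a finding, so a new capability added to the firmware is off until someone argues it on.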
Software-defined networking can also be used to address some security concerns, according to Brian Scriber, principal architect for security at CableLabs. It can do that by identifying compromised devices and quarantining them, he explained. That ability to be “surgically precise” in walling off one device from the rest of the elements in a network, he added, can let the rest of a connected household keep functioning even when one device on that network has been infected.
Scriber is the chair of the Open Connectivity Foundation’s security working group, which with CableLabs aims to build a groundswell around security within the device manufacturer community. It’s also contributing to the Linux Foundation’s IoTivity effort to create a platform with common communication and security models that IoT companies can build upon.
The OCF early in 2016 came out with the OIC 1.1 specification, and currently it’s working on OCF 1.0, which builds on that. OCF 1.0, which is scheduled for publication early in 2017, addresses device identity, security for onboarding devices onto the network, device-to-device handshakes, managing credentials, data models, and device discoverability.
So, a fair amount of work has already begun to address the IoT security problem. But there’s a lot more work to be done, and those in the know suggest it needs to be done posthaste.
“The first generations of IoT devices – a billion in number – have already been deployed in homes, hospitals, and automobiles across the nation,” notes the Commission on Enhancing National Cybersecurity in its recent report. “Some devices are secure but most are not, as seen in recent attacks and in malware that exploits poor security designs, deployments, and configurations in devices. Weak security carries enormous safety implications. Moreover, privacy protections are frequently an afterthought in the design of these devices.”
That said, the report, which was published Dec. 1 at the behest of President Obama, suggested that “to facilitate the development of secure IoT devices and systems, within 60 days the President should issue an executive order directing [the National Institute of Standards and Technology] to work with industry and voluntary standards organizations to identify existing standards, best practices, and gaps for deployments ranging from critical systems to consumer/commercial uses – and to jointly and rapidly agree on a comprehensive set of risk-based security standards, developing new standards where necessary.”
The presidential commission that put together the report is headed by Thomas E. Donilon, a former U.S. National Security Advisor to President Obama, and Samuel J. Palmisano, the retired chairman and CEO of IBM Corp., along with representatives from IronNet, MasterCard, Microsoft, Stanford, Uber, and other organizations.
Mitigating and, where possible, eliminating denial-of-service attacks, particularly those launched by botnets, should be the first order of business, according to the report. Addressing attacks on internet infrastructure, including the Domain Name System, should be the second area of focus, the report suggests. The report also talks about the value of partnerships between countries, and between governments at all levels and the private sector, to encourage the creation and implementation of practices, policies, and technology to secure the digital economy.
But Amoroso, who now runs TAG Cyber LLC, said compliance regulations and information-sharing requirements will be useless in trying to address security issues, and that trying to figure out who is responsible for hacks is a waste of time and resources. Instead, he said, security experts need to alert their executives of the wide-ranging impacts of attacks and dedicate their resources to securing the infrastructure.
Edited by Ken Briodagh