By Nate Lesser, Managing Director of MasterPeace LaunchPad
The Internet of Things (IoT) is made up of everyday objects built with the ability to sense, analyze, and communicate information about themselves and their environment. In smart homes and offices, these devices measure air quality, secure against intruders, and listen for verbal instructions to play music or order pizza. IoT devices are also deployed in industrial applications to do things like monitor the flow of oil through pipes, track public transit vehicles, and control robotic arms on assembly lines. IoT even includes simple sensors that do everything from measuring temperature to counting how many times a door is opened or how many times a customer tries on a pair of shoes. There are already billions of IoT devices deployed around the world, and most estimates put that number at 25-50 billion by 2020.
While the promise of near omniscience continues to fuel this rapid growth, IoT cybersecurity appears to still be an afterthought. The capabilities that would help protect IoT devices, and those that would protect the rest of the world from IoT devices, are severely lagging. This reality came to a head when hackers secretly searched for, found, and compiled a list of millions of easily hacked IoT devices. The unprotected devices were combined into a botnet dubbed Mirai, which was unleashed on the world in a massive Distributed Denial of Service (DDoS) attack that brought down some of the biggest Internet sites in the world. Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku, and many others were knocked offline for hours. Level 3 put out a report that explains in detail how the Mirai botnet worked.
The source code for the Mirai bots was subsequently released, allowing others to use the same technology to build their own IoT botnets. While the release of malware source code isn’t uncommon, it usually follows the widespread availability of a patch to close the hole the malware exploits. The fact that IoT devices are often difficult or impossible to patch makes the release of the Mirai source code particularly dangerous.
One good thing about the Mirai attack was that it generated a lot of data, from which we have learned a couple of very interesting things. First, the attack had little to do with the capabilities of the individual devices; only their massive numbers, combined, could generate such traffic. Second, and most importantly, this attack was almost completely avoidable.
Most IoT devices were not designed to be secure, and their production reflects that. For example, most of the security cameras that became part of Mirai had hardcoded default passwords, so they were all operating with known backdoors. Certainly, the “build security in” crowd can find a lot of support in the Mirai examples, but organizations that deploy devices with weak security bear significant responsibility for how those devices are used.
Had the organizations deploying the devices that were caught up in the Mirai botnet adhered to cybersecurity risk management best practices, much of the impact of these attacks could have been mitigated. When considering a new device deployment, organizations should consider the impact of an attack that causes a device to: a) misbehave; b) attack other parts of the enterprise; and c) launch attacks outside of the enterprise. In the case of utility or industrial IoT, these attacks could compromise critical infrastructure and endanger lives or harm the national economy.
Users can take steps to control their IoT environments by following security best practices like changing device default passwords, connecting devices to secure networks, and enforcing rules about how, when, and with whom IoT devices can communicate. The Cloud Security Alliance has also published guidelines specific to securing IoT devices. Their top five suggestions include the need to:
1. Design and implement a secure firmware/software update process for IoT;
2. Secure product interfaces with authentication, integrity protection, and encryption;
3. Obtain an independent security assessment of all IoT products;
4. Secure any companion mobile applications and/or gateways that connect IoT products to networks; and
5. Implement a secure root of trust for root chains and private keys on each device.
Unfortunately, many of these common security best practices, such as secure roots of trust, network security, firmware updates, and even maintaining unique certificates, are challenging to implement when it comes to IoT. Additionally, the limitations of many IoT devices make their integration into enterprise security capabilities (e.g. network access controls, address whitelisting, key management) a difficult or impossible task. The good news is that many in the security community are hard at work on this problem, building the tools and services to secure the IoT.
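The rules about "how, when and with whom" a device may communicate, together with the three attack outcomes listed earlier (misbehave, attack the enterprise, attack outside it), can be enforced as a per-device destination allowlist checked against flow records. The following is an added illustration, not code from the article or from any vendor; the device names, policy entries, flow records and packet threshold are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical per-device policy: the only destinations and ports each IoT
# device is expected to reach (e.g. its own video relay and an NTP server).
POLICY = {
    "camera-lobby": {"dests": {"10.0.5.10", "10.0.5.11"}, "ports": {443, 123}},
    "thermostat-3f": {"dests": {"10.0.5.20"}, "ports": {8883}},
}
# Address ranges that count as "inside the enterprise" (constructed).
ENTERPRISE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
FLOOD_PACKETS = 10_000  # constructed per-flow volume threshold

@dataclass
class Flow:
    device: str   # identity of the IoT device (from DHCP/NAC inventory)
    dst: str      # destination IP the device talked to
    dport: int    # destination port
    packets: int  # packets sent in this flow record

def is_enterprise(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ENTERPRISE_NETS)

def classify(flow: Flow) -> str:
    """Map one flow to 'ok' or to one of the article's three attack outcomes."""
    rules = POLICY.get(flow.device)
    if rules is None:
        return "unknown-device"        # no policy on file: should not be on this network
    if flow.dst in rules["dests"] and flow.dport in rules["ports"]:
        if flow.packets > FLOOD_PACKETS:
            return "misbehave"         # (a) permitted peer, but abnormal volume
        return "ok"
    if is_enterprise(flow.dst):
        return "attack-enterprise"     # (b) unexpected traffic to an internal host
    return "attack-external"           # (c) unexpected outbound traffic to the Internet

def findings(flows):
    """Return (device, destination, verdict) for every flow that is not 'ok'."""
    return [(f.device, f.dst, classify(f)) for f in flows if classify(f) != "ok"]

# Constructed flow records standing in for NetFlow or firewall log entries.
SAMPLE_FLOWS = [
    Flow("camera-lobby", "10.0.5.10", 443, 120),        # normal upload
    Flow("camera-lobby", "10.0.5.10", 443, 250_000),    # same peer, flood-sized
    Flow("camera-lobby", "10.0.9.4", 23, 40),           # telnet to an internal host
    Flow("camera-lobby", "203.0.113.7", 80, 900_000),   # outbound flood
    Flow("thermostat-3f", "10.0.5.20", 8883, 30),       # normal MQTT
    Flow("doorbell-x", "198.51.100.2", 443, 10),        # device with no policy
]

if __name__ == "__main__":
    for device, dst, verdict in findings(SAMPLE_FLOWS):
        print(f"{device} -> {dst}: {verdict}")
```

In practice the policy would be generated from the device inventory and the flows read from the NetFlow collector or firewall, with each verdict forwarded to the SIEM.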
About the Author
Nate Lesser is the Managing Director of MasterPeace LaunchPad, an advanced technology startup studio in Maryland, and has spent the last 15 years driving innovation at the nexus of technology and business. He has held technical and executive positions in government and the private sector. He works with cybersecurity technology builders, buyers, and investors to improve the efficiency of the innovation ecosystem.
Nate is a strategic leader, cybersecurity expert, and advisor to numerous startups and non-profits. He serves as a Senior Fellow at the George Washington University Center for Cyber and Homeland Security, a mentor at the Mach 37 cybersecurity accelerator, CEO at Cypient, and Advisor at Zuul IoT.