Red security button on the keyboard

InfoSec and the great IoT gold rush

Author: Sean Rosenberger

The IoT gold rush

Generally seen as taking off in 2009, the presence of the Internet of Things (IoT) grew at a furious pace with approximately 10 billion devices on the Internet by 2012 and double that figure by 2017.  The extent to which our society relies on connected devices continues to grow, with new applications arriving on the market daily as manufacturers rush to capitalize on this IoT gold rush.  Current estimates project the total number of devices to exceed 30 billion by 2020 and an aggregate market value in the trillions.

Challenges in securing the IoT

Security for connected devices has been compromised by a number of factors, one of the most significant being…us.  Most people who own personal computers have at least some concept of maintaining security.  On the other hand, virtually no one considers the need for security with regard to a smart washing machine, a DVR, or Internet-enabled garage door opener.  When that lack of awareness is combined with the tendency of manufacturers to pay short shrift to hardening the operating systems for this class of device due to a desire to bring innovations to market (and some of the same myopia shown by users), the result is a population of devices with a myriad of vulnerabilities.

Corresponding rise of threats leveraging IoT

Unfortunately, along with this proliferation of rapidly developed and often insecure devices comes an attendant rise in the frequency, scale, and effectiveness of coordinated misuse.   The practice of surreptitiously taking control over large numbers of connected devices and leveraging them in the aggregate to conduct various attacks is largely enabled by the pervasive lack of security intrinsic to these early generations of devices.  These groups of IoT devices, referred to as botnets, have already done significant harm in the form of massive DDoS attacks and the threat is growing.

Mirai

Mirai, identified in the summer of 2016, is malware that infects IoT devices running Linux by leveraging known default passwords.  Once infected, the malware proliferates by scanning for other devices with the same vulnerabilities and infecting them as well.

A botnet using Mirai was employed in September 2016 in a 620 Gbps DDoS attack on the “Krebs on Security” site along with a 1.1 Tbps attack on French web host OVH.  On October 21st 2016, DDoS attacks targeting Dyn (a DNS service provider) were launched using an estimated 100K IoT devices, severely impacting well known sites like Twitter, Netflix, Reddit, and many others.

Reaper

Called Iotroop by CheckPoint, the Israeli security firm credited with initial discovery, and redubbed Reaper by Netlab 360, Reaper is emergent malware with similar worm capabilities as Mirai and using some common elements.  However, it differs greatly in that Mirai exploited common default passwords whereas Reaper attacks several vulnerabilities in the operating systems of devices made by over a dozen companies and does so more quietly than Mirai.  Currently there are only 10-20K devices in the active botnet, but with greater than 2M devices infected there is potential for the largest known botnet to date.  Given the havoc wreaked by the Mirai botnets, this is cause for concern.

Path forward

So that’s the gloom and doom…what do we do about it?  The answer is complex but not impossible to achieve.  First, the manufacturers of these devices need to strive to integrate awareness of security concerns into their product development strategy via the inclusion of Internet security voices in their planning processes.  Second, they must develop and implement information security best practices in every stage of the IoT product development process and take purposeful steps to combat the known methods of exploiting product vulnerabilities as well as those that emerge in the future.  Finally, consumers must be made aware that many of our convenient devices are in fact computers not so different from our laptops and PCs, and that for them, like our laptops and PCs, security does matter and should be considered.