Is IoT Safe for your Business?

Chris Bunch 1st November 2016

Back in January I wrote a post on IoT and the year ahead. I suspect the past few weeks’ activities have given IoT somewhat more press than my humble ramblings. Pretty much no one escaped the news that there have been some interesting new variants on the good old fashioned Distributed Denial of Service (DDoS), leveraging weak points in IoT devices around the world.

 

DDoS overview

Stepping back a moment, for the non-techies in the room, a DDoS attack does what it says on the tin, i.e. launches an attack on a service, such as a website, from a large number of different machines or devices with the intent of denying access to that service for normal users like you and I.

It’s a relatively simple type of attack – and logically makes sense. Why? Well, what’s arguably the biggest cause of DDoS? Legitimate human traffic just refreshing web pages endlessly…Next time there’s a “DDoS” attack – consider if you’re helping by checking every 2 seconds if Twitter is back up, 😉 This is the same reason why the Glastonbury (or whatever music festival of choice) site crashes when tickets go on sale – too many people trying to access it at once.

As a side anecdote, the advent of cloud of course makes scaling in the face of huge traffic demands possible and I do know some of our clients have used AWS autoscaling to get out of a DDoS attack – preferring to pay the cost to AWS, than have their web services be taken offline.

The guys at FortiNet reckon the earliest DDoS attack was in 1999, but either way, it definitely came to “household” prominence some years later when major organisations like Sony were embarrassed to have services taken down (Playstation Network in their case). The “Distributed” part of DDoS attacks was once commonly achieved using infected (typically unpatched Windows) machines at scale – creating a “BotNet” to be used at the command of the attacker, rather than the owner who would be oblivious that their machine was compromised. The ‘hacking’ group Anonymous brought to common fame the brilliantly named Low Orbit Ion Cannon (open sourced of course!) which make this a relatively straightforward thing to do (albeit caught out some newbies who didn’t realise they had to hide their own IP from the authorities….).

 

Mirai detail

With botnets a little harder to come by these days, if you’re technically smart and looking to wreak havoc, where do you look for your next attack vector? The new kid on the block: IoT devices. Gartner estimate we’re plugging in 5.5 million new devices each day, so the potential scale is incredible.

In this case when we say an “IoT device” we’re talking about any electrical device connected to the internet, e.g. an IoT kettle, a DVR, a security or web camera, or perhaps even a sensor in your factory.

Why are these perceived as easy to compromise? Because some devices ship with default passwords and people don’t change them….Where have we heard that before? Changed the PIN on your phone voicemail yet?….

Mirai and related similar IoT botnets do just that, they look for devices where default passwords have not been changed and where known firmware vulnerabilities exist. It’s not that complicated, and it’s made even easier by the code being open sourced

The maker of many of the infected Mirai devices has now put its name in the spotlight – it’s a little known, but large, Chinese electronics company and they’ve now issued a recall. The recall is going to be somewhat tricky, given their hardware is white labelled all over the place – take a look here and you’ll see Mirai traffic coming from Vietnam, Brazil, US and China amongst many others. That link also contains some interesting insights into the code, so is worth a look.

In fairness, “all” that’s really needed is for the end user to perform a firmware update, and to change the default password…. It’s fair to wager this will be done by a good proportion of people – but far from all. Do your parents know what firmware is?

Basically, where you’ve got cheap devices, you’ve potentially got cheap (or no) security. In some of the compromised devices, the passwords are hard-coded into the firmware, i.e. they can’t be changed without a patch from the vendor. In others, they can be changed, but that only changes the web interface password. SSH remote access may still be possible via the default password. Doh.

If you’re concerned about other known vendors with security challenges, take a look at Brian Kreb’s list here – but again, expect a lot of white labelling, so the end device name is hard to find.  

 

So, do I need to worry?

Well, only if you’re not secure…so if you’re not sure about that then then “yes, you should be concerned and act”. Otherwise “no, but stay vigilant”.

Either way, you need an IoT policy folded in to your standard security practices. E.g. you’ve mastered patching your desktops by now I’m sure, but does anyone look into security camera security? It might even just be outsourced to someone else. In the case of Mirai, you need to think about relatively simple measures including: patching, changing passwords, and making sure, via firewall rules, that remote WAN access is blocked unless specifically needed.

For broader considerations, there are some useful themes here to consider. Those lovely folks at Microsoft are helping the enterprise with pre-audited devices, and both AWS and Azure will ensure IoT traffic is encrypted if properly configured.

 

What’s next?

IoT remains a somewhat unregulated industry at the moment, largely because it’s a) new and b) incredibly varied.  Having said that, disasters like the recent Dyn attack have brought this to the forefront. Manufacturers will need to change and business practices will need to adapt.

Expect to see some regulation next year from major government bodies which will drive this further.

 

In the meantime, stay safe and as always don’t “assume” security – verify it and have active policies and processes to maintain it.