- REUTERS/Steve Marcus
The Internet of Things has been held up as the next big technology revolution that will lower business costs and make employees more productive, but it brings with it major baggage for corporate leaders.
Cybersecurity experts warn that IoT is one of the most vulnerable areas in corporations, and massive IoT device armies are one of the most effective ways to launch cyberattacks.
On Friday, a major attack took down a number of big websites such as Amazon, Twitter, and Spotify. Though it’s not yet clear if IoT was to blame, it is quite likely.
“We keep connecting more and more devices and security is just an afterthought,” said Ben Johnson, cofounder and chief security strategist for Carbon Black, a cybersecurity firm.
There will be roughly 24 billion IoT devices connected to the internet by 2020, according to a BI Intelligence report, which says that businesses will be the top adopters of these new technologies. That’s up from 10 billion in 2015.
But as Johnson explained, this growth in internet-connected devices is also bringing about an “explosion” in vulnerabilities, since a variety of IoT manufacturers shun even the most basic security practices. Their issues vary, from coding passwords directly into device software to using no or weak encryption, but the result is often the same: A device that can be hacked much easier.
A number of examples have popped up in recent years. Hackers at the Def Con security conference found nearly 50 critical issues in internet-connected door locks and solar panels, among other devices, in August. In 2015, two ethical researchers were able to wirelessly take control of a Jeep Grand Cherokee, resulting in a recall of 1.4 million vehicles.
The fundamental lack of basic security in IoT was on full display last month when a “record” distributed denial-of-service attack was carried out against the website of journalist Brian Krebs, which took his site offline for days. While the massive influx of traffic resulted in Krebs’ host kicking him off its servers, it seemed to be just the first in a new wave of major IoT-led attacks.
“DDos attacks like this are really just the beginning,” Johnson, who worked for the National Security Agency prior to his work in the private sector, said.
‘It’s a challenge for civilization’
- REUTERS/Dado Ruvic
The attack on Krebs was carried out by what is called a “botnet” of infected IoT devices. Put more simply, this network of infected devices is made a slave to an attacker, who uses software to automatically scan the Internet for connected devices that have weak security.
It’s not a closely-guarded secret as to how the botnet is assembled: Just a week after Krebs’ site was taken offline, the source code for the software that did it, Mirai, was released online – which means we can expect many others to use and improve upon the malicious code.
“Botnets can use these default credentials to harvest hundreds or thousands of bots to focus on a target in a DDoS attack,” Lamar Bailey, Senior Director of Security Research and Development at TripWire, told Business Insider. “The attacks are more successful because they come from a larger area and this makes them harder to mitigate.”
In other words, the use of a botnet – a distributed network of devices all around the world – makes it harder to stop an attack on a network, and it’s even harder to track down the person responsible. That’s especially true, Johnson said, when traffic is bouncing from a web camera to a thermostat and so on.
A large portion of the devices that were used in recent cyberattacks were cameras and digital video recorders made by a Chinese manufacturer, The Wall Street Journal reported. Others included routers and satellite antennas.
“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” Michael Walker, a program manager at DARPA, told The New York Times. “It’s a challenge for civilization.”
Right now, civilization seems to be on the losing side, as researchers with Akamai say as many as two million devices have been taken over by hackers. And since most devices are designed to be left alone after being set up, it’s almost impossible for an average user to know their device has been compromised.
“There was an expectation with PCs that you would upgrade them over time, but there’s not that expectation with your toaster,” Matthew Prince, CEO of CloudFlare, told Business Insider. “Consumers and businesses are trained to install all of these devices and never think about them again. So if there is a vulnerability, getting those vulnerabilities fixed is the real challenge.”
“The scope of attack surface is expanding,” said Ted Harrington, executive partner with Independent Security Evaluators, using a term for the different points where a hacker can gain access. “And not just attack surface, but the scope of vulnerable attack surface is expanding exponentially.”
Protecting the enterprise from the IoT onslaught
- Paul Szoldra/Business Insider
An average consumer might worry about an IoT device like their home baby monitor or webcam being hacked, but an enterprise has even more to worry about.
“It’s a lot more than just DDoS that we should be concerned about,” Johnson said. “For corporations and enterprises, there’s really both angles. There’s how do you defend against DDoS, and then you have to ensure your own devices are not contributing to the problem.”
It’s clear that more botnets will be used to hit corporate targets down the road, so Johnson says it’s a good idea to move critical infrastructure to the Amazon or Microsoft cloud, for example. The move would distribute resources across many servers – the defensive equivalent of what cyber attackers are doing when they use thousands of devices to attack a target.
“The challenge is that, short of using some sort of infrastructure like Google’s infrastructure or CloudFlare’s infrastructure, it’s difficult for even a larger business to sustain themselves from these attacks,” Prince said. His point was bolstered by the example of attack on Krebs’ site, which resulted in his host Akamai removing him from its servers (Krebs didn’t fault the company for this decision, since it was hosting him pro bono).
Then there is the idea of what Johnson called “network profiling” for vulnerable devices within an enterprise. The one bright spot, he said, was that IoT devices are predictable in their behavior – calling back to one server of the manufacturer, for example – so it’s pretty easy to find they have been compromised if they start connecting to something else.
“That gives hope to IoT,” Johnson said.