Instead of constantly trying to 'fix' things, here's some great advice about how you can securely take advantage of the Internet of Things
The Internet of Things is made possible by continuing advances in chip technology leading to cheap devices that can be deployed to collect data, and effect changes to an environment. Securing these devices means recognising IoT devices as little different from any other networked computing device such as a laptop.
The nature of the threats and vulnerabilities faced by an IoT device will depend on the circumstances of the device itself and on the ever-changing threat environment. By considering the likely vulnerabilities of the device, and the ways that threat actors might seek to subvert it, we can design a suitable set of defences that will protect the device throughout its lifespan.
There are broadly two approaches to identifying the security requirements of an IoT system. The first treats the issue as a technical question: the devices comprise a stack of layers, each of which has its own security needs that can be addressed by applying knowledge of how similar computing systems are secured. The second considers IoT devices as an opportunity and target for attackers: knowledge of the likely tools and tactics of the attackers who will attempt to compromise the devices can be used to specify the defences necessary to protect the systems.
IoT devices, like any other computing system, consist of a stack of technologies running on top of one another. The layers in the stack are the physical layer of the device itself; the operating system and firmware which allow the device to operate; the application layer of functionality on top of that; and, of course, the network layer which allows the device to communicate with other systems.
Each of these layers has its own particular set of security requirements and protections which need to be taken into consideration when planning the security of the device. It's important to remember that the most sophisticated cyber protection may be rendered useless if the physical security of the device is not protected and the device is stolen.
Devices installed in locations that are open to the environment may be exposed to extremes of temperature or water ingress and require a weatherproof enclosure. Devices in public areas may be tempting targets for theft.
For example, criminals in South Africa discovered that they could steal the SIM cards used in Johannesburg's connected traffic lights. https://techcentral.co.za/thieves-steal-sim-cards-from-joburg-traffic-lights/20075/ Although IoT devices may be inexpensive, components within a device may still provide opportunities for criminals.
Defenders should consider the physical security of the IoT, physically protecting devices where necessary. It should be possible to detect physical tampering with or theft of a device and, if required, to wipe the device of its application software, data and access rights.
Inevitably, any system that includes software will include vulnerabilities that will need to be fixed by the application of a software patch.
For example, CVE-2016-2148 is a vulnerability in BusyBox prior to version 1.25.0 which allows an attacker to execute commands on a device running the vulnerable software by interacting with the device over the network. https://nvd.nist.gov/vuln/detail/CVE-2016-2148 The vendor released a patch to resolve the vulnerability, but defenders need to be aware of the patches that are required for their IoT systems, and have a robust patching regimen so that vulnerabilities and their appropriate patches are identified and applied in a timely manner.
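A patching regimen needs an inventory it can compare against advisories. The following script is an added illustration, not code from the article: it checks a constructed device inventory against the one advisory the text names (BusyBox before 1.25.0, CVE-2016-2148); the device names, versions and inventory format are made up.

```python
"""Constructed example: flag inventoried IoT devices running a BusyBox build
older than the first fixed version named in CVE-2016-2148 (1.25.0)."""
import re
from typing import Dict, List, Tuple

# Advisory list: component name, first fixed version, identifier from the article.
ADVISORIES = [
    {"component": "busybox", "fixed_in": "1.25.0", "id": "CVE-2016-2148"},
]

# Constructed inventory (not real devices): one record per device, listing the
# software components its firmware reports.
INVENTORY = [
    {"device": "gw-01", "components": {"busybox": "1.24.2"}},
    {"device": "cam-07", "components": {"busybox": "1.25.0"}},
    {"device": "sensor-12", "components": {"busybox": "1.31.1-r2"}},
    {"device": "meter-03", "components": {"busybox": "1.22"}},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.31.1-r2' into (1, 31, 1): a trailing build suffix is ignored,
    and a missing patch field counts as 0 so '1.22' sorts before '1.22.1'."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A component is affected when its version sorts before the first fix."""
    return parse_version(installed) < parse_version(fixed_in)


def find_vulnerable(inventory: List[Dict], advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (device, advisory id, installed version) for every affected device."""
    findings = []
    for record in inventory:
        for adv in advisories:
            installed = record["components"].get(adv["component"])
            if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
                findings.append((record["device"], adv["id"], installed))
    return findings


if __name__ == "__main__":
    for device, cve, version in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{device}: {cve} (busybox {version} is older than the fixed release)")
```

Feeding it a real inventory export means writing an adapter for the firmware's own version-reporting format; the tuple comparison stays the same.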
In some cases, it may not be possible to apply patches to systems, either because no fix is available for a vulnerability, or because the affected device cannot be taken out of service in order to apply the patch. In these cases, it is possible to protect vulnerable systems by using an Intrusion Detection System (IDS) or Next Generation Firewall (NGFW) to filter network traffic and block attempts at exploiting the vulnerability.
If a device is connected to a network, sooner or later network-based attacks are going to be directed against it. Properly segmenting networks so that IoT devices are on separate networks helps limit unauthorised access and exploitation of vulnerabilities.
For example, the Shodan search engine lists many IoT devices that are exposed to the public Internet with all the risks that entails. https://www.shodan.io/explore/tag/iot
Usernames and passwords are not an adequate or manageable solution for authenticating users or administrators to IoT devices. Similarly, usernames and passwords are a poor way of authenticating devices when they attempt to connect to other systems. The use of certificate-based authentication or software-defined networks ensures that only duly authenticated devices are able to access the services to which they are permitted.
For example, compromised IoT devices are able to conduct Sybil attacks, supplying fake data to analysis systems to fool them into making erroneous decisions based on incorrect data.
Vulnerable IoT devices may be compromised by attackers and used as a point of ingress within a network from which to conduct further attacks against other systems. Network administrators should treat IoT devices like any other networked computer and ensure that they are given only the network privileges necessary to fulfil their function. This may require IoT devices to be able to access only a specially segmented network, or the use of software-defined networking to ensure that IoT devices are unable to connect to other networked systems.
IoT devices fulfil a purpose by executing application code that utilises the functionality provided by the other layers in the device. Like any software, it must be assumed that the application code will contain vulnerabilities that will require patching. Or, if patching isn't possible, the device will require additional network protection, such as an IDS or an NGFW, to prevent exploitation of the vulnerabilities.
The integrity and origin of any application will need checking. During the software installation process, code may become corrupted and require re-installation. This must be manageable without the device crashing and requiring a manual reboot. Hence, some form of code management system should be available to facilitate this.
Despite best efforts in limiting network access and protecting against exploitation of vulnerabilities, attackers may still be able to install and execute malicious code on an IoT device. In these cases, it is important to be able to identify aberrant behaviour from the devices by monitoring their network behaviour, and to prevent compromised devices from contacting malicious command and control servers.
For example, the Mirai botnet was composed of IoT devices compromised by attackers accessing the devices through unchanged default usernames and passwords. Attackers installed malicious code on the devices so that they would participate in launching denial of service attacks against targets of the attacker's choosing. https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
Adopting defences such as certificate-based authentication, preventing or limiting access to external networks, and good network segmentation helps prevent these types of attacks from succeeding.
Any computing device that is able to execute commands and is connected to the Internet presents an opportunity for attackers. Even if the device seems small and insignificant, spare CPU cycles and network capacity can be stolen by executing malware on it.
Behind every cyber attack is an individual, the threat actor, who is seeking to fulfil a goal or purpose. Different threat actors have different objectives and different levels of skill. These skill levels range from unsophisticated actors who are only able to launch attacks using off-the-shelf tools supplied by a third party, to extremely sophisticated and well-resourced attackers who are able to build a bespoke attack against a target using an otherwise unknown vulnerability in the system.
The majority of threat actors are relatively unsophisticated and are likely to view an IoT device as a generic network-connected device from which they can make money using a tried and trusted criminal business model. Typically, these attackers seek to compromise as many systems as possible while expending a minimum of effort.
Extremely sophisticated threat actors are few and far between. These attackers may be able to invest great time and effort in identifying specific vulnerabilities in systems. They may consider a compromised IoT device as a place to gain a toehold within a network, where they can persist for long periods of time in order to conduct attacks against other, more valuable systems. These attackers are likely to put much effort into seeking to compromise a small number of systems.
In any case, the goal of the defenders is to make the successful compromise of a device as difficult as possible. If a system is compromised, then the defender should be able to identify that as quickly as possible, and to respond as swiftly as possible in order to remove the attacker and prevent their future ingress.
Attackers may be motivated by idle mischief or the challenge of conducting an attack. Preventing IoT devices from being easily discovered over the Internet or indexed by Shodan helps prevent devices from being subject to attack. Such attackers tend to target the easiest or most tempting option, so ensuring that your IoT systems are less easily discoverable than others encourages attackers to target other systems instead.
In cases where it is impossible to remain largely invisible, using strong encryption and certificates to ensure that only authorised systems are able to connect to each other, and ensuring that network traffic is not amenable to unencrypted analysis, helps frustrate such attackers.
The majority of threat actors have criminal motivations. Criminals know how to make money from compromised devices by installing malware that can: steal CPU cycles, in order to crack hashes or mine for bitcoins; steal bandwidth, in order to participate in denial of service attacks; steal data that can be resold to other criminals; or encrypt data in order to hold it to ransom, not restoring it unless payment is made.
Securing IoT systems against unauthorised connections through good network segregation and management, whether by keeping networks physically separate from other systems, by software-defined networking or by NGFW protection, helps prevent criminal threat actors from accessing devices.
If a device is compromised, then preventing the device from connecting to the attacker's command and control systems means that, although there may be malware on the device, the device is unable to receive the commands from the attacker needed to fulfil the attacker's goals. Ensuring that connections to other networks are protected by firewalls that can block connections to known command and control systems, and can recognise and block known command and control protocols, prevents the malware from receiving additional malicious instructions.
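The monitoring described above (aberrant device behaviour) and the blocking described here (known command and control hosts) can share one review of the IoT segment's outbound connections. The script below is an added example and not the article's own code: the device addresses, the per-device allowlist, the blocklist standing in for a threat-intelligence feed, and the flow records are all constructed (TEST-NET address ranges).

```python
"""Constructed example: review outbound flow records from an IoT segment against
a per-device allowlist and a constructed blocklist of command-and-control hosts."""
from collections import namedtuple
from typing import Dict, List, Optional, Set, Tuple

Flow = namedtuple("Flow", "src dst port proto")

# Policy: each device may talk only to the services its function needs.
# (Constructed addresses; "broker" and "update server" are hypothetical roles.)
ALLOWED: Dict[str, Set[Tuple[str, int]]] = {
    "10.20.0.11": {("10.20.0.2", 8883)},                        # sensor -> MQTT broker (TLS)
    "10.20.0.12": {("10.20.0.2", 8883), ("10.20.0.5", 443)},   # camera -> broker, update server
}

# Constructed blocklist standing in for a threat-intelligence feed of C2 servers.
KNOWN_C2: Set[str] = {"203.0.113.45", "198.51.100.7"}

# Constructed flow log, one record per connection attempt seen at the segment edge.
FLOWS = [
    Flow("10.20.0.11", "10.20.0.2", 8883, "tcp"),
    Flow("10.20.0.11", "203.0.113.45", 6667, "tcp"),   # sensor reaching a blocklisted host
    Flow("10.20.0.12", "10.20.0.5", 443, "tcp"),
    Flow("10.20.0.12", "192.0.2.99", 23, "tcp"),       # camera talking to an unexpected host
    Flow("10.20.0.12", "10.20.0.2", 8883, "tcp"),
]


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason for a flow that violates policy, else None.
    A known C2 match takes priority so responders see the worst case first."""
    if flow.dst in KNOWN_C2:
        return "known command-and-control host"
    policy = ALLOWED.get(flow.src)
    if policy is None:
        return "device not in inventory"
    if (flow.dst, flow.port) not in policy:
        return "destination not permitted for this device"
    return None


def review(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Collect (src, dst, port, reason) for every flow that should be blocked
    and investigated; permitted flows are left out of the result."""
    alerts = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            alerts.append((flow.src, flow.dst, flow.port, reason))
    return alerts


if __name__ == "__main__":
    for src, dst, port, reason in review(FLOWS):
        print(f"ALERT {src} -> {dst}:{port}: {reason}")
```

The same allowlist doubles as the egress rule set for the segment's firewall, so the alerts here are the connections that should already have been dropped.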
IoT systems seem at first glance to be easy to construct. This is true, but like any other networked system, the IoT needs protection against attack. Risk management processes such as ISO 27005 or NIST SP 800-30 are very useful tools for identifying the types of defences that IoT systems require in order to protect against the current threat environment. However, any form of reflection about the types of risks that the IoT entails is going to be better than none.
No single form of protection is likely to be sufficient, but a layered approach of deploying multiple different security systems can protect against even the most determined attacker and help give defenders the upper hand.