The Internet of Things (IoT) is moving full speed ahead, with no signs of slowing down. Earlier this year, Gartner reported that 8.4 billion “things” will be in use in 2017. That’s up 31% from 2016–and it will create 8.4 billion vulnerability points if companies don’t take action now.
Gartner predicts that by 2020, 20.4 billion connected things will be in use. Greater China, North America, and Western Europe represent two-thirds of the overall IoT installed base in 2017, and the consumer segment is the largest user. But businesses aren’t lagging too much; in 2017, they’re expected to employ 3.1 billion connected things. That leaves the possibility of botnets, brute force, and injection attacks wide open for hackers to exploit. Experts advise vigilance and accountability to prevent and mitigate breaches.
Where the vulnerabilities lie
The most common vulnerabilities with IoT devices are injection issues, said Rob Clyde, CISM, vice-chair of ISACA. This includes everything from SQL injection in applications to overflow conditions in operating systems and host contexts. With IoT, these issues can wreak havoc for several reasons. For starters, device manufacturers may not have the infrastructure and processes to push out security patches as quickly as other types of vendors. In addition, some IoT devices don’t automatically update for vulnerabilities.
Brute force attacks don’t rely on the same types of vulnerabilities as software, according to Brian Martin of Risk Based Security. He said that IoT vulnerabilities stem from not implementing proper brute force attack protection, like account lockout or request throttling.
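The two protections Martin names, account lockout and request throttling, can be sketched in a few lines. This is an added example, not code from any vendor or from the sources quoted here; the class and function names, thresholds, and the plaintext comparison are illustrative assumptions.

```python
import hmac
import time
from collections import defaultdict, deque

class LoginGuard:
    """Account lockout plus per-source request throttling (illustrative names)."""

    def __init__(self, max_failures=5, lockout_s=300, max_requests=10,
                 window_s=60, clock=time.monotonic):
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self.max_requests, self.window_s = max_requests, window_s
        self.clock = clock
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> time the lock expires
        self._recent = defaultdict(deque)    # source -> recent request times

    def check(self, account, source):
        """Call before verifying a password: 'ok', 'throttled' or 'locked'."""
        now = self.clock()
        recent = self._recent[source]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                 # drop requests outside the window
        if len(recent) >= self.max_requests:
            return "throttled"
        recent.append(now)
        if self._locked_until.get(account, 0) > now:
            return "locked"
        return "ok"

    def record(self, account, success):
        """Call after verification to update the failure counter."""
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_s
            self._failures[account] = 0

def attempt(guard, account, source, guess, stored):
    """One login attempt; a real device would compare salted hashes."""
    decision = guard.check(account, source)
    if decision != "ok":
        return decision
    ok = hmac.compare_digest(guess.encode(), stored.encode())
    guard.record(account, ok)
    return "granted" if ok else "denied"
```

While an account is locked, even the correct password is refused, and because the lock is time-limited the legitimate owner regains access once the guessing stops.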
While BYOD attacks come from web browsers and operating system flaws, IoT attacks often are based in the vulnerabilities in a specific vendor’s code, Martin said. “Wrapping a web interface around a device will potentially open it up to common web attacks, such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection (SQLi), remote command execution, and the very common default credentials being present.”
That was the case with the Mirai botnet, said Pascal Geenens, security evangelist at Radware. However, the Hajime botnet exploited supposedly secure backdoors created by manufacturers in modems, along with default passwords, to infect devices. The backdoors are meant for service providers, but if they’re not managed, they can be abused by malicious actors, he said.
Preventing attacks with policies, personnel
Organizations may not have individuals responsible for keeping IoT implementations secure, but that’s a critical prevention step, Clyde said. “Make sure someone is assigned to watch for, and implement, patches or workarounds relative to IoT or other issues.” Ideally, the IoT devices should be automatically updated, but humans may be needed for updates. Clyde also recommends keeping an inventory of wirelessly connected, IP-connected, or other devices that may store, process, or transmit potentially sensitive information.
“It should also be noted that when vulnerabilities are disclosed by security researchers and patches are released by manufacturers, it doesn’t necessarily mean that users will immediately update, which can leave the devices exposed,” Geenens said.
Some basic steps can be enacted to prevent attacks: Change default passwords, update and check software and microcode regularly, and put devices that aren’t modems or routers behind firewalls or secure gateways. “There is generally no good reason to directly connect unprotected IoT devices to the public internet, except for modems and routers,” Geenens said. And just like with any other type of device, you should implement traffic-based anomaly detection or intrusion prevention systems on networks that have a lot of IoT devices.
“In my experience, there is no label for devices that have been designed with cybersecurity in mind,” Geenens said. Even the higher-end devices have backdoors and vulnerabilities–nothing comes out of R&D flawlessly secure.
Therefore, prevention also needs to extend into deployments. IoT devices should be on separate segments, and ideally, the network will be micro-segmented, Geenens said. That way, if the device is compromised, it won’t infect the rest of the network.
As for products, vendors that publish security vulnerability policies and clear instructions on who to contact with security issues are good places to start, said Jason Malacko, manager of security practice relationships and offerings at Logicalis US. If you’re looking to get technical, seek out support for secure protocols like HTTPS, SSHv2, and SNMPv3 with respect to authentication mechanisms, cryptographic ciphers, and key sizes used, he advised.
As IoT becomes more widely adopted, it will become more attractive to hackers–as has been the case with all technology. By acting now, searching for secure products, and implementing policies, businesses can protect themselves as they introduce connected devices to the organization.