Vulnerabilities in IoT
As the phrase “Internet of Things” or IoT enters our cultural vernacular, many wonder what this new term means.
The Internet of Things
Simply put, IoT is the term given to connecting non-traditional devices to a computer network – most notably the Internet. Businesses have been connecting “things” to the network for a long time. Copiers, CCTV cameras, and even the occasional coffee machine are longtime residents of the Local Area Network.
As the integration of other devices and sensors propagates in many industries, it will become more common for bridges and roads, medical devices, body area networks (think FitBit), and even vehicles to join in the network. The benefits and possibilities of this new connectedness are virtually limitless, but as Information Security practitioners we ask the question, “How do you secure such devices from eavesdropping and malicious actors?”
Big Technology’s Growing Pains
In October, the Internet witnessed a massive Denial of Service attack – the largest in history – waged against Internet DNS and infrastructure giant Dyn. This attack took many major websites offline including Netflix, PayPal, Reddit, and Twitter. The attack also impacted or impaired many cloud services, including Amazon AWS.
After the dust settled, the tool used to perpetrate the attack was found to be a small, unsophisticated network worm named Mirai. That’s right, a worm. It was not too far from the technology that impacted MS-DOS and Windows 3.1-era computers. This attack demonstrated the immature security posture of many of the IoT devices that now number in the hundreds of millions.
It has — rightfully so — raised serious concerns from both the FCC and Congress.
Virginia Senator Mark Warner called the widespread use of insecure IoT devices “a threat to the resiliency of the Internet” in a letter to the FCC. Senator Warner’s letter goes on to state, “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.”
Whose responsibility is it?
Is it truly nobody’s responsibility to ensure the security of the devices that are connected to a network? In this age of hyper-connectedness and connected critical infrastructure, it is every business’s responsibility to secure and properly protect its digital assets. That responsibility extends to IoT device manufacturers, who must update and adequately equip their devices to be compatible with modern security protocols. If businesses demand improved accountability externally, they should be willing to take the steps necessary to secure their assets internally.
There have been recent concerns about the security of Bluetooth-enabled pacemakers, a published hack of intravenous (IV) medicine machines, and remote control of dams and other critical infrastructure.
Vulnerabilities exist far and wide within the IoT space. Applying reasonable controls to secure external access to these devices goes a long way to safeguard their use within critical applications. Two simple steps can dramatically reduce the scale and scope of IoT exploitation: requiring IoT application administrators to change default passwords, and ensuring that, where applicable and feasible, IoT systems operate on separate network subnets that are only accessible through carefully configured gateways.
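One way to check both controls against a device inventory and a list of firewall allow rules, as an added example that is not part of the original article. The device names, addresses, subnets, gateway and rule format are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: every name, address and rule here is hypothetical.
IOT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
GATEWAYS = {ipaddress.ip_address("10.10.0.254")}
INVENTORY = [
    {"name": "lobby-camera", "ip": "10.50.0.21", "default_password_changed": True},
    {"name": "copier-3f", "ip": "10.10.4.17", "default_password_changed": True},
    {"name": "hvac-sensor", "ip": "10.50.0.40", "default_password_changed": False},
]
# Firewall allow rules as (source CIDR, destination CIDR).
ALLOW_RULES = [
    ("10.10.0.254/32", "10.50.0.0/24"),  # gateway into the IoT segment
    ("10.10.0.0/16", "10.50.0.0/24"),    # whole office LAN into the IoT segment
    ("10.10.0.0/16", "10.20.0.0/24"),    # unrelated to IoT
]

def in_iot_subnet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOT_SUBNETS)

def audit_devices(inventory):
    """Flag devices still on default passwords or sitting outside the IoT subnets."""
    findings = []
    for dev in inventory:
        if not dev["default_password_changed"]:
            findings.append((dev["name"], "default password not changed"))
        if not in_iot_subnet(dev["ip"]):
            findings.append((dev["name"], "outside IoT subnet"))
    return findings

def audit_rules(rules):
    """Flag allow rules that reach an IoT subnet from anywhere but a gateway."""
    exposed = []
    for src_cidr, dst_cidr in rules:
        src = ipaddress.ip_network(src_cidr)
        dst = ipaddress.ip_network(dst_cidr)
        if not any(dst.overlaps(net) for net in IOT_SUBNETS):
            continue  # rule does not touch the IoT segment
        from_gateway = src.num_addresses == 1 and src.network_address in GATEWAYS
        intra_segment = any(src.subnet_of(net) for net in IOT_SUBNETS)
        if not (from_gateway or intra_segment):
            exposed.append((src_cidr, dst_cidr))
    return exposed

if __name__ == "__main__":
    for finding in audit_devices(INVENTORY) + audit_rules(ALLOW_RULES):
        print(finding)
```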
IoT is an exciting frontier of technology. The applications for sensing, control, and interactivity are virtually limitless. Incorporating tried-and-true security mechanisms and protocols from traditional IT into IoT can deliver a more successful and secure application.
CIT is an expert in Industrial Control Systems (ICS) and IoT security. We’ve worked to secure mission-critical Ethernet-connected IoT applications using mDNS, QUIC, Aeron, uIP, TSMP, XMPP, ISA10.11a, 802.15.4, NFC, AND, OTrP, AMQP, IoTivity, RPM, and LPWAN. In the Industrial Control arena, we’ve worked with ICS systems and protocols from Allen Bradley to BACnet to SCADA to Modbus and delivered secure solutions to clients in power, utility, water, textiles, and defense industries.