A practical approach to fixing Internet of Things vulnerabilities

When the Mirai malware struck last summer it seemed to vindicate the predictions of those who warned us of our increasingly connected future. 

Mirai uses a tactic as old as the Internet itself – the tried and tested DDoS attack – but via a new vector: the ever-increasing network of connected devices that make up the Internet of Things. Cue many lurid headlines about mankind heading blithely towards disaster, brought down by our too-trusting relationship with the machines.

Everyone loves a bit of fear, uncertainty, and doubt, especially when it comes to new technologies. This explains why discussions of the Mirai botnet, and others like Brickerbot, have focused on the supposedly existential threat they represent, rather than on the much more interesting lessons they have to teach us about our approach to securing new technologies.

Behind the fear lies a simple problem   

It’s easy to believe that new technologies and services must present a commensurately sophisticated threat. This seems to have been the case with Mirai and its cousins, with most of the discussion focusing on the potential damage – rather than the surprising simplicity and vulnerability of the virus itself. 

It’s often the way in the technology industry: we are reluctant to talk about how unsophisticated many of these threats really are – and this failure is doing a great disservice to our customers and to the wider world.

The Internet of Things (IoT) provides fertile ground for this sort of mythology. It’s a relatively new concept, is becoming more and more embedded in every part of our lives, and is more talked about than understood by many end users. As a result, any threat that targets these technologies also preys upon our preconceptions, which makes it even harder to defeat.

With apologies for spoiling the narrative, threats such as Mirai and Brickerbot are not all they’re cracked up to be, in terms of devilishness. That is in no way to downplay the harm that they have caused, though. In the space of a few weeks last year, Mirai was responsible for taking almost a million Internet users offline in Germany, affected 2,400 TalkTalk routers in the UK, and exploited vulnerabilities in 80 different models of Sony cameras. 

But look a little more closely at these tales of terror, and you’ll see one of the main causes for Mirai’s success. In the case of Sony’s cameras, one of the reasons for Mirai’s successful exploit was that the devices used a default (and highly unimaginative) username and password combination for the web-based admin console. Such simple vulnerabilities are meat and drink to every hacker. 

The real IoT threat is complacency   

Mirai is just the latest example of a relatively unsophisticated piece of software wreaking havoc thanks to weak security protocols and poorly-protected devices.

It’s not the first time (and certainly not the last) that manufacturers have rushed new products to market without considering their vulnerability to current threats. Unfortunately, time-to-market trumps such minor considerations as security, and we seem incapable as an industry of learning the lessons from previous exploitations of new technology.

The Internet of Things is uniquely vulnerable, not because of its sophistication but because of its scale. The oft-trotted-out statistic of 20 billion connected devices by 2020 represents an enormous opportunity for hackers, especially when these machines are poorly secured.

In their report Understanding the Mirai Botnet, researchers commented that the virus’ design was “strongly influenced by the market shares and design decisions of a handful of consumer electronics manufacturers”, while also noting the “rampant” use of insecure default passwords for connected devices such as printers, routers, and security cameras. 

As we’ve seen with the Sony vulnerability, this means that businesses could be putting themselves at greater risk by investing in security technology itself. So in fact, the greatest threat to the IoT is not the hackers themselves, but complacency. 

Getting serious about security 

It’s tempting, at this stage, to start pointing the finger at those who have enabled threats like Mirai to thrive. In truth, however, we are all responsible for security: from the manufacturer to the vendor, the end user to the sysadmin. Everyone has a part to play in securing the Internet of Things that promises to bring us all so many benefits. 

From an industry point of view, we must obviously make sure that we plug the gaps and protect our customers (as Cogeco Peer 1 is doing with the launch of our AppArmor web application). But we must also do much more to educate businesses about the threats they face, such as the inherent vulnerability of devices that they are bringing into their wider networks.   

Obviously there needs to be a technical element to these conversations, but to get CEOs and business leaders sufficiently engaged to take this issue seriously, technologists need to frame the discussion in terms of corporate risk management, rather than as an issue that can be isolated to the IT department.

High-profile hacks can therefore be helpful in educating end users about potential security weaknesses, and in highlighting the need to ask the right questions of every vendor and supplier. This conversation is also critical for establishing procedures to reduce response times in the event of any breach, which is one of the most effective ways of mitigating the effects of a breach or infection.

If there are three lessons that I’d like businesses to take away, they are:

  • Ensure that you are fully protected from DDoS with actual threat mitigation, rather than just dispersal 
  • Review your application security measures, and test that the Web Application Firewall is examining every packet for malicious content 
  • Ensure you protect endpoint security with an enterprise-grade product that covers the widest range of viruses and spam, keep them fully updated, and check them regularly to monitor performance

New security threats like Mirai can actually be beneficial, in the long run, by drawing attention to poor practices and complacency in our approach to security. So let’s not look forward to the connected future with fear, but instead focus our efforts on cultivating the knowledge and awareness needed to combat those who would take advantage of it. 

Susan Bowen, Vice President & General Manager, EMEA, Cogeco Peer 1 
