For several years, the IoT has enjoyed meteoric growth, with recent figures putting the number of IoT devices out there today at over seven billion and rising. But as with so many areas of technology, the bigger the IoT gets, the more it has become a target for cybercriminals. While this is nothing new, the amount of success criminals are having - particularly with malware attacks - is starting to raise questions. Perhaps the most high-profile attack to date was the Mirai malware in late 2016, which successfully turned hundreds of thousands of Linux-based IoT devices into a botnet army. This army was then used to launch a series of highly disruptive DDoS attacks around the world. More recently, security analysts have been uncovering an increasing amount of cryptocurrency malware, as hackers explore the plausibility of exploiting IoT devices for financial gains.
As the volume and variety of attacks against the IoT continue to rise, the biggest question is: why? Unfortunately, the answer is simple: the vast majority of IoT devices contain few, if any, security measures to protect against them. This article will look more closely at why that is and explore what needs to change if IoT security is ever going to improve.
A new breed of malware
The simplicity of most IoT devices has forced cybercriminals to rethink their approach. Due to their nature, very few IoT devices hold meaningful amounts of sensitive data, rendering things like traditional ransomware redundant. Instead, attention has turned to how malware can be used to enslave IoT devices (e.g. Mirai) or lock out users, preventing the devices from performing their intended purpose. While the latter may seem fairly innocuous, when considered in the context of IoT devices now being used as pacemakers, or to control medication doses for hospital patients, the consequences can be deadly.
The IoT’s past is to blame for its current predicament
As briefly mentioned above, the reason why so many of these attacks are successful is down to the IoT’s poor security track record. So how did we get here? Again, the answer is simple. As the popularity of the IoT exploded, manufacturers and vendors rushed new products to market in their droves. Unfortunately, device security came a long way down the list of priorities for many of them, often being treated as little more than an afterthought. As a result, the vast majority of IoT devices out there today use default credentials and passwords, have insecure configurations and protocols, and are notoriously hard to upgrade. In short, they are all too easy to compromise. Further worsening the situation, the emergence of low-level protocol hacks like KRACK is creating new ways to compromise IoT infrastructure and inject or manipulate data, with serious implications for devices that sync with or receive control messages from a cloud application.
A new, security-first approach is needed
In the face of this growing threat, manufacturers and vendors need to wake up and start implementing more robust security measures into all IoT devices, with a focus on three core areas:
- Adopt modern software security standards: Any new device coming to market should strictly adhere to modern-day security practices, such as built-in password protection that forces users to change the default password upon purchase. New devices must also come with after-sales software support and the ability to be remotely patched or updated as and when needed, futureproofing them against new forms of malware.
- Build robust, tamper-proof hardware: Physical security is another major consideration for new devices. Simple things like physical switches that let users turn off features they aren’t using, such as a microphone mute button, prevent unwanted eavesdropping. Integrating tamper-proofing measures into the device’s physical construction also means anyone with direct access to the device can’t compromise it or decode information without permission.
- Use secure network protocols: Secure protocols such as HTTPS must be in place for any data exchange between IoT devices and backend management or storage solutions. Strong authentication methods should also be used to prevent fraudulent access.
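As an added illustration of the first point above (forcing a change of the default password), here is a minimal sketch of a device-side login gate. It is not code from the article or from any vendor; the class `DeviceAuth`, the factory password `admin` and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "admin"  # constructed sample default, not from a real product
MIN_LENGTH = 12             # assumed policy value


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class DeviceAuth:
    """Hypothetical login gate: services stay locked until the factory
    password has been replaced."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = _hash(FACTORY_PASSWORD, self.salt)
        self.must_change = True  # set at manufacture, cleared on first change

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

    def login(self, password: str) -> str:
        if not self._check(password):
            return "denied"
        # A correct factory password only unlocks the change-password step.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        if not self._check(old):
            return False
        if len(new) < MIN_LENGTH or new.lower() == FACTORY_PASSWORD:
            return False  # too short, or the default again
        self.salt = os.urandom(16)  # fresh salt for the new password
        self.digest = _hash(new, self.salt)
        self.must_change = False
        return True

    def services_enabled(self) -> bool:
        # Remote management, cloud sync etc. stay off until the change is done.
        return not self.must_change
```

The point of the `must_change` flag is that the well-known factory password never grants a working session: it can only be exchanged for a new credential, after which it is rejected.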
In the early days of IoT devices, manufacturers brushed over established security conventions in their rush to get new products on the market. The net result is a rise in malware designed to exploit these vulnerabilities, and unfortunately, it’s often consumers who are paying the price. But it’s not all doom and gloom - there are steps end-users can take to help reduce the risk, including:
- Give your router an unusual name – cybercriminals can use the name your router came with to identify its make or model and gain access to your devices.
- Occasionally reset your router – security experts recommend resetting your router to help prevent cybercriminals from using VPNFilter malware to collect and exploit your information.
- Change default user names and passwords – the standard usernames and codes for common devices are well-known and can be used by hackers.
- Check default settings for unnecessary features – many services activated on IoT devices, such as remote access, pose unnecessary risks if you don’t need them.
- Create a separate network for guests – visitors and friends can log into a separate Wi-Fi account without gaining access to all your devices.
- Use two-factor authentication – many apps and devices offer an additional level of authentication, such as sending a code to your phone, that can add protection.
- Update software and firmware – update as soon as you receive a notification, as your device may need an improved security feature or a patch to fix a security flaw.
While there’s no way to go back and improve security in the millions of IoT devices already out there, better implementation of modern security practices in new devices will go a long way to mitigating the issue. Then, as older, less secure devices start to reach the end of their lifecycles, we should start to see IoT security improving as a whole.
Jan van Vliet, VP and GM EMEA, Digital Guardian