When I was five, my parents got me a robot. Connected to a wired controller, I could move it back and forth, raise its arms, flash lights and plenty of other awesome things that would spark any child’s imagination. I loved that robot even though it sucked in a few different ways.
It made me want to improve it and I would dream of ways it could be better, like having it talk to other robots and machines (I was a tad too young for The Terminator at this point) or making it do things for me. Thanks to the internet and the advancement of robotics, my boyhood dreams are coming true.
We are at the dawn of this era and the Internet of Things (IoT) explosion is the foundation for this advancement. Sadly, though, we must take the good with the bad. As we make our lives more convenient with IoT devices, we must also take notice of the increasing cybersecurity threats and issues accompanying this evolution.
It Starts at the Development Stage
A while back, I wrote an article about how many popular apps had some serious cybersecurity flaws because while they were beautifully designed and engineered, security was essentially an afterthought. These developers failed to include security experts in the design and thus sacrificed this critical point, putting all of their users at risk.
Unfortunately, this issue is also rather pervasive in the IoT world. In speaking with several IoT developers at conferences and also one-on-one with developers who are looking to collaborate with me, there is an overwhelming assumption that the end user of the device will secure it themselves.
This may mean the developers assume that changing the password or putting it behind a firewall is something everyone is going to do. Nothing could be further from the truth! When it comes to security, a poor development strategy is a surefire way to end up on a list that shows the world just how easy it is to break into your device.
It Continues to the End User Stage
The IoT development community should never make the assumption that the end user is tech savvy enough, especially when roughly 60% of all Millennials have “low” technology skills! Most users just want things to work and to be as easy as possible. Unfortunately, developers build to this standard without much thought of how vulnerable this makes everyone.
Consider the average user for a moment. This person knows how to use their mobile phone to make calls, text/IM and run apps. They’ll have a Smart TV and can use Netflix and other streaming services. They run applications on their PC or Mac without issues. Odds are they’re using the wireless router their ISP has provided them. They’re happy as clams using the technology they love, until something goes wrong.
The average user cannot fully troubleshoot their own issues and doesn’t have the knowledge to fully assess why their technology isn’t doing what they want. Combine that with insecure IoT devices they had no problem getting on their WiFi using all the default options, and we’ve got a massive breeding ground for hacker malfeasance.
Now consider that 24 BILLION devices will be online by 2020 and we can start to see why this is a looming problem. With so many insecure devices out there, we’re literally sitting on a ticking time bomb and we’ve already seen some small test explosions.
IoT Devices Unite! …and Kill Your Target.
As a result of these development shortcomings, we have seen some major attacks in 2016 that are essentially the beginning of this issue. As more relatively insecure devices come online we will see larger and larger attacks unless something is done now.
In the fall of 2016, a new malware infection called Mirai began infecting hundreds of thousands of IoT devices, usually CCTV systems and DVRs, by finding them on Shodan, a search engine for open IoT devices (seriously go search to see if you’re exposed; I can’t recommend this enough).
Mirai would find these devices and test them using a list of default passwords. Once it found it could log in, which happened A LOT, it would infect the firmware of the device(s), giving its creator complete control.
The creator launched what is now known as the largest Distributed Denial of Service (DDoS) attack in the history of the internet. Using over 150,000 infected devices, the hacker was able to direct the combined bandwidth of all of the devices’ internet connections worldwide against various targets.
Brian Krebs, the security researcher, was hit first and knocked out after a valiant effort by his host to fend it off. Then the site OVH was hit and knocked out, with levels of attacking bandwidth reaching 1Tbps in size. Dyn DNS was also hit, which wreaked havoc with many popular U.S. sites and services like Starbucks, Netflix, CNN and more.
If only 10% of all devices were infected by 2020 then we would still have a 2.4-billion infected devices problem. We need to act now.
All of This Can Mostly Be Avoided
Mirai, as it was programmed, would have never been an issue if the default passwords on devices were changed. That’s it! Hundreds of thousands of infections avoided because someone thought to change a password. This is only the start of a good cybersecurity policy for IoT, but there is plenty more that can be done on both developer and user sides. Let’s explore some of the solutions that help protect many of the devices we’re all going to inevitably be using.
Point 1: Password Policy and Control
This is a tip for developers and users alike. Developers, I know it’s easier to just use admin/admin on the zillion devices you’re installing your OS/firmware on, but it’s not acceptable anymore. Instead, randomize the password based on the serial number of the device or another method that will ensure that every unit has its own unique UI access password.
Users, check your devices and never keep any default passwords. Also, never use a password that you would use for other things like banking. If the IoT device has poor hashing of passwords, that password may be captured by an experienced hacker.
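One way to do what Point 1 asks, as an added example that is not from the original article: derive each unit's password from its serial number with a keyed HMAC, and store only a salted, slow hash on the device. The factory key, the serial format and the PBKDF2 work factor are assumptions; the unkeyed `naive_password` is included to show why the serial alone is not enough, since anyone who can read the label can recompute it.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def naive_password(serial: str) -> str:
    """Unkeyed derivation: anyone who reads the serial can recompute it."""
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


def unit_password(factory_key: bytes, serial: str) -> str:
    """Keyed derivation: unique per unit, unpredictable without factory_key."""
    mac = hmac.new(factory_key, b"ui-password|" + serial.encode(),
                   hashlib.sha256).digest()
    # Base32 (a-z, 2-7) is easy to print on a label; 16 chars = 80 bits.
    return base64.b32encode(mac).decode("ascii")[:16].lower()


def make_verifier(password: str) -> dict:
    """What the device stores: a random salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, attempt: str) -> bool:
    """Recompute the slow hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"],
                                 PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    key = os.urandom(32)  # constructed; assumed to stay inside the factory
    for serial in ("SN-000001", "SN-000002"):  # constructed serials
        pw = unit_password(key, serial)
        record = make_verifier(pw)
        print(serial, pw, check_password(record, pw), check_password(record, "admin"))
```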
Point 2: Use Proper Encryption
I can’t stress this one enough for developers. Encrypt the firmware in the system so it can only run when paired with the hardware it’s connected to. This will help prevent spoofing and needless access to the coding of the device.
If I cannot clone your firmware to see where the flaws are, then your device is way more secure, and the cost increase is mitigated by the marketing campaign you could have in advertising why you have safe IoT devices!
Point 3: Internal Firewalls Go A Long Way!
Developers, if your IoT device is configured to send traffic on specific ports, then why not lock down the rest to prevent attack? You could even go so far as to find an intuitive way to create a network whitelist so only specific computers or devices can interact with your IoT device. Token authentication or a similar method would stop any remote hackers from getting easy access!
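The three checks from Point 3 (closed ports by default, a network whitelist, then token authentication) as one default-deny admission decision. This is an added example, not code from the original article; the port number, the management subnet and the token values are constructed assumptions.

```python
import hmac
import ipaddress

# Assumed policy values for this example.
ALLOWED_PORTS = {8443}  # the only port the device's API listens on
ALLOWED_NETS = [ipaddress.ip_network("192.168.50.0/24")]  # management LAN


def admit(src_ip, dst_port, token, expected_token):
    """Return (allowed, reason). Anything not explicitly permitted is refused."""
    # 1. Every port the device does not need stays closed.
    if dst_port not in ALLOWED_PORTS:
        return False, "port closed"

    # 2. Only whitelisted networks may talk to the device at all.
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "bad source address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source not allowlisted"

    # 3. A whitelisted host still has to present the right token.
    #    compare_digest avoids leaking how many characters matched.
    if not token or not hmac.compare_digest(token.encode(),
                                            expected_token.encode()):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    secret = "constructed-device-token"
    samples = [  # constructed connection attempts
        ("192.168.50.7", 8443, secret),
        ("192.168.50.7", 23, secret),       # telnet port: never opened
        ("203.0.113.9", 8443, secret),      # remote host, right token
        ("192.168.50.7", 8443, "admin"),
    ]
    for ip, port, tok in samples:
        print(ip, port, admit(ip, port, tok, secret))
```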
Point 4: Isolating IoT Can Limit The Threat
Like everyone else, I also have IoT devices; however, all of mine are on their own wireless network and separate from my computers and tablets. Further, I have enabled bandwidth control on that wireless network so the IoT devices will only get the exact bandwidth they need.
No reason to give them access to huge amounts of the bandwidth when they require well under 1Mbps each to function properly. This way any hijacked IoT device cannot spread infections to anything else on my network, nor am I giving a hacker access to the full amount of bandwidth I have.
Point 5: Make Smart Choices
Users, I know that having a frying pan that links to your mobile phone will really up your cooking game, but wait a bit if you can. Read the reviews, see what kind of security the frying pan’s makers have put into the pan.
After all, it’s not just about making the best scrambled eggs. It’s also about making the best scrambled eggs while preventing your frying pan from attacking targets on the internet. (Honestly, I never thought I’d write that sentence.)
So, developers, get to work! Create brilliant things but create them securely. Users, do your homework or ask for help. Let’s not help the bad guys with a lack of thoroughness!