The October distributed denial of service (DDoS) attack on Dyn DNS was one more in a series of attacks using botnets compromised by Mirai malware. This recent incident created a botnet of exploited DVRs and internet-connected cameras that impacted big-name sites like Twitter and Netflix — and prompted U.S. Senator Mark Warner to call for industry-led security standards for internet of things (IoT) devices.
In the wake of the attack, industry experts were called upon to comment on the implications of this (and future) DDoS incidents, and our own CTO Trevor Hawthorn and Chief Architect Kurt Wescoe were among those approached to share their thoughts and insights. Here’s what they have to say about the cybersecurity threats posed by IoT vulnerabilities and the measures manufacturers can take to mitigate those risks:
Trevor Hawthorn on the State of the IoT Industry
As the IoT industry matures, it’s safe to say we’re well past the “early adopter” phase and seeing broader development and deployment. While the prospect of a more established and stable IoT environment is exciting, we’re not there yet. What we are seeing is that the space is showing its youth, and along with it, its insecurities.
Many new concepts and technologies skyrocket to peak interest and popularity before all of the appropriate security measures are put in place. As the industry progresses, we’ll continue to see varying degrees of security and privacy postures within these products.
Kurt Wescoe on the Dangers of IoT Interconnectivity
A couple things are not obvious about IoT devices. First is the inherent side effect of the interconnection of these devices. The advantage of these devices sharing information is it allows us to do things we used to not be able to. For example, my scale and heart rate tracker both connect to a third-party cloud application, which also has an app on my phone so I can receive a more detailed picture of my activity. However, these chains of devices often mean a breach of one device can expose information in the entire chain. Your credit card may not be on your scale or health tracker, but if it’s stored in the cloud application or on your phone, there is the potential it’s at risk.
This is analogous to what we saw a few years back with Target. The security of your information is only as strong as your weakest link, and criminals more and more are showing they’re willing to put in the time to carry out sophisticated, multi-stage attacks.
Kurt Wescoe’s Advice for Enterprises
For a lot of these devices, not taking the right security measures is like having an unsecured server on your network. It’s not surprising to see that if you haven’t taken the steps to secure the IoT devices, you likely also haven’t thought about where on your network these devices live and what else they may inadvertently have access to.
We wouldn’t want an unpatched laptop with the admin account with no password that’s accessible from the internet on our internal network, but that can be what you’re doing if you don’t take the necessary steps to secure these computing devices. These devices have the potential to be used as part of a broader attack to access systems and exfiltrate data.
With regard to DDoS attacks, this is a case where an ounce of prevention is worth a pound of cure. There are a number of different technologies out there that can help you detect, mitigate, and recover from a DDoS attack. Ultimately though, when you’re under attack, your team needs to be able to think and react quickly. Have a plan that everyone understands and you’ve practiced. This means the team can focus on diagnosis and remediation rather than what the plan is and what they should be doing.
Trevor Hawthorn’s Advice for Consumers
I use several home automation and IoT devices — they make life easier as a consumer, and that’s why they’ve taken off in popularity. The biggest piece of advice I have for consumers is to keep in mind that the more devices we add to our homes, networks, pockets, cars, and lives, the more data we are exposing to attack.
For example, if your cloud-based security camera is compromised, an attacker could record everything said in your house. The solution? Use a strong (and unique) password for your security cameras and consider disabling audio recording. Log in to your account every now and then and note any unusual changes to your account or configuration (e.g., if audio is turned on again), and evaluate if you need the cameras inside your house or other sensitive areas.
Other IoT security tips to keep top-of-mind include:
- Always change the default password of your devices (if applicable).
- Use strong (and unique) passwords on any supporting cloud services accounts.
- Do not enable UPnP (universal plug and play) on your router or firewall unless you know what you are doing.
- If you are savvy enough to manually set up port forwarding on your router or firewall, consider limiting the IP ranges that are allowed access. For example, if you will only ever access the device from your work, only add your work’s IP address to your firewall.
- Update the firmware of your devices often. If the device supports auto-update, enable it. If not, check with the vendor’s website often or sign up for their newsletter.
- Think about what the device collects or what it has access to (e.g. video, sound, temperature, etc.) and then think about the worst-case scenario if that were to be available to anyone on the internet.
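The port-forwarding and UPnP tips above can be checked mechanically. The following is an added example, not part of the original article: it audits a list of router port-forwarding rules against a trusted source list. The rule format, rule names, and addresses (taken from documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample: port-forwarding rules in a hypothetical export format.
SAMPLE_RULES = [
    {"name": "camera-web", "ext_port": 8080, "source": "0.0.0.0/0", "via_upnp": False},
    {"name": "dvr-remote", "ext_port": 8443, "source": "203.0.113.10/32", "via_upnp": False},
    {"name": "nas-sync", "ext_port": 5000, "source": "198.51.100.0/24", "via_upnp": False},
    {"name": "auto-map", "ext_port": 554, "source": "0.0.0.0/0", "via_upnp": True},
]

# Constructed allowlist: the single "work" address the owner connects from.
TRUSTED_SOURCES = ["203.0.113.10/32"]


def audit_rule(rule, trusted):
    """Return a list of findings for one port-forwarding rule."""
    findings = []
    src = ipaddress.ip_network(rule["source"], strict=False)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]

    if src.prefixlen == 0:
        # 0.0.0.0/0 or ::/0: anyone on the internet can reach the device.
        findings.append("open to the entire internet")
    elif not any(
        src.version == t.version and src.subnet_of(t) for t in trusted_nets
    ):
        # Restricted, but to a range the owner has not listed as trusted.
        findings.append("source range not in trusted list")

    if rule.get("via_upnp"):
        # Mapping was opened by a device itself, not by the owner.
        findings.append("created by UPnP")
    return findings


def audit(rules, trusted):
    """Map rule name -> findings, omitting rules with no findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, trusted)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, TRUSTED_SOURCES).items():
        print(f"{name}: {', '.join(findings)}")
```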
Kurt Wescoe’s Advice for Manufacturers
For organizations manufacturing IoT devices, it’s important that they strike a balance between ease of use and security. Manufacturers are being pushed to deliver more capabilities with longer battery life and a smaller footprint. The challenge is it takes processing power and resources to implement some of the protective measures.
I think these device manufacturers can look to the past for help. While not to the same extent, endpoints, tablets, and phones all had similar resource challenges as they have evolved, and those manufacturers had to make decisions on what types of security solutions they enabled. For example, IoT manufacturers can look to how other device manufacturers have combatted the DDoS threat on endpoints in the past and figure out how they can apply similar measures within their devices.
Another challenge for manufacturers is that which makes us more secure often makes products harder to use. But forcing people to follow best practices is a great step that we need to see become ubiquitous. I’ve been impressed with devices that don’t come with default passwords and that require a USB connection to set up. If the device just works out of the box, people aren’t going to spend the time to set up security. But if users are required to go through a setup wizard and change the password, we’re on the right path. Empowering the users to make better security decisions ultimately puts us all in a better place.
I do wish the device manufacturers were working on a way to integrate two-factor authentication into IoT devices. We’ve seen a lot of progress in the last few years with integrations with cell phones, and we’ve seen consumer services like Twitter and Gmail making it available to end users. This would be a good step forward for IoT devices that have more far-reaching consequences in the event of a compromise.
Trevor Hawthorn on the ‘Human Factor’
In taking a step back, the biggest IoT risks lie in four main areas: a brand’s ability to develop secure devices from the get-go, an enterprise’s focus on educating employees on the risks these products pose to their company, the ability of the user to securely deploy IoT devices, and the consumer’s level of knowledge on how to keep their personal information secure from malicious actors while using these devices.
As long as people are developing and using products, there will always be the “human” factor. People make mistakes, and are limited to the knowledge and experiences they’ve had when making judgement calls. When faced with a potentially compromising situation, the ideal outcome is that an employee has been trained well enough to deploy and use an IoT system while avoiding or minimizing the risk. There is no such thing as “zero risk,” so while we can apply technical fixes to technology, end users are also “patchable” — but each requires ongoing maintenance as part of an organization’s security awareness training efforts.