Mirai caused the world to take note of the IoT’s cyber security vulnerabilities
This questionable approach to security has been an issue since IoT was in its infancy, causing fervent debate in security circles for many years. However, it wasn’t until the emergence of the Mirai malware a few years ago that the rest of the world started to take note as well.
Mirai was the first successful large-scale cyber security attack leveraging IoT, using malware to turn unsecured IoT devices like baby monitors into a powerful botnet army capable of bringing down high-profile websites through multiple, major DDoS attacks.
Mirai wasn’t complex malware either. It simply scanned big blocks of the internet for open Telnet ports on these devices and then cycled through 61 default passwords in order to gain control of as many as possible. It was worryingly successful, with almost 400,000 devices connected at its peak.
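The two behaviours described above, one source probing Telnet on many devices and repeated login failures against a single device, are straightforward to spot in authentication logs. The following is an added detection example, not code from the original article; the log layout, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the key=value layout is hypothetical.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=198.51.100.9 dst=10.0.0.11 port=23 user=root result=fail
2024-05-01T10:00:02 src=198.51.100.9 dst=10.0.0.11 port=23 user=admin result=fail
2024-05-01T10:00:04 src=198.51.100.9 dst=10.0.0.11 port=23 user=root result=fail
2024-05-01T10:00:06 src=198.51.100.9 dst=10.0.0.11 port=23 user=root result=ok
2024-05-01T10:00:08 src=198.51.100.9 dst=10.0.0.12 port=2323 user=root result=fail
2024-05-01T10:00:10 src=198.51.100.9 dst=10.0.0.13 port=23 user=root result=fail
2024-05-01T10:03:00 src=10.0.0.2 dst=10.0.0.11 port=23 user=ops result=fail
2024-05-01T10:03:05 src=10.0.0.2 dst=10.0.0.11 port=23 user=ops result=ok
"""
TELNET_PORTS = {23, 2323}

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"], rec["port"] = datetime.fromisoformat(ts), int(rec["port"])
    return rec

def detect(log_text, window=timedelta(minutes=5), max_fails=3, max_hosts=3):
    by_src = defaultdict(list)
    for rec in (parse(l) for l in log_text.splitlines() if l.strip()):
        if rec["port"] in TELNET_PORTS:
            by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, suspect = set(), set()
        for i, first in enumerate(recs):  # sliding window starting at each event
            in_win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len({r["dst"] for r in in_win}) >= max_hosts:
                reasons.add("scan")  # many devices probed by one source
            fails = defaultdict(int)
            for r in in_win:
                if r["result"] == "fail":
                    fails[r["dst"]] += 1
                elif fails[r["dst"]] >= max_fails:
                    suspect.add(r["dst"])  # login accepted after repeated guesses
            if any(n >= max_fails for n in fails.values()):
                reasons.add("credential-cycling")
        if reasons:
            findings[src] = {"reasons": sorted(reasons), "suspect_logins": sorted(suspect)}
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A device listed under `suspect_logins` accepted a login after repeated failures from the same source, so it is the first candidate for isolation and a credential change.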
Physical security is also a significant concern
Mirai focussed on vulnerabilities within cyber security, but many IoT devices are also physically vulnerable to outside interference for the same reason: they simply weren’t built with security in mind.
In some instances, this is because the devices in question far preceded what we now term the internet of things. They were never meant to be connected to the internet, but have been retrospectively equipped with sensors that allow this to happen. Something like a Programmable Logic Controller (PLC) used in a factory production line may seem fairly innocuous, and turning it into a connected device allows for better process optimisation and predictive maintenance. However, because many older PLCs weren’t designed for this purpose, they contain no anti-tampering measures, making it very easy for someone with physical access to gain control of one. Once in control, not only could that person cause significant disruption to operations, but the PLC could also serve as a gateway to the factory’s entire control system.
At the other end of the scale are the mass-produced IoT devices discussed earlier that have been rushed to market with little thought for either cyber security or physical security. Different scenario, same result: vulnerable devices that act as an open door into the network they are connected to. The more devices like this there are on a network, the bigger the threat becomes and the harder it is for a security team to stay on top of it. Fifty devices are a challenge to control, but if that number is 50,000+, like in a large enterprise, it’s nigh-on impossible without automation and standardisation. This gap between technologies and capabilities results in organisations taking a lot longer to make these solutions secure. Bridging these gaps is essential for IoT security over time.
A ‘secure by design’ approach is required for IoT hardware and software
Fortunately, the IoT industry is starting to wake up to these issues, with bodies like the IoT Security Foundation and the National Institute of Standards and Technology driving the creation of new standards and enlisting companies to work together to improve the overall security of IoT devices from the ground up. Central to this is the wider adoption of a ‘security by design’ approach to new products, whereby both physical security and cyber security are considered right from the start of the design process. From a cyber security perspective, this includes:
• Proper and secure authentication for every device
• Industry standard encryption of all data flowing between the IoT device and backend servers
• The use of secure coding practices to streamline security and mitigate risks
• Provision for the remote deployment of firmware updates in order to keep devices protected from new and evolving threats over time
From a hardware perspective, consideration must be made for:
• Integrating tamper-proofing technology into devices and components so they can’t be accessed without permission
• Ensuring sensitive data related to authentication and account information is erased in the event of a device being compromised, preventing it from being extracted for malicious use
Security shouldn’t end there either. Should a device become compromised, any damage can be significantly reduced by effective security measures on the network it’s connected to, such as partitions that can cut the device off from the internet, as well as denying access to critical systems.
A truly secure IoT will take time, but it’s getting there
Despite more and more IoT vendors now taking security more seriously, sadly there are already millions of vulnerable devices out there (some with 10+ year lifecycles) and no way to update their defences. This means it will be many years before the IoT will truly be secure and companies will have a fully secure IoT solution. In the meantime, breaches and attacks are inevitable. However, as the drive for better security continues and more robust hardware and software measures are put in place, we are already starting to see a marked increase in overall security levels. So, while the window of vulnerability remains open for now, it is already starting to close.