The connected world appears to present boundless opportunity. Working its magic on almost every aspect of our lives, it becomes more and more embedded in the way we function, play and work. However, as it extends further and further into the physical world, the associated security challenges get tougher and appear to multiply exponentially.
As a community, we must be vigilant to the threats and challenges that emerge as the Internet of Things (IoT) evolves and grows. We must take responsibility for ensuring that our insight and knowledge stays one step ahead of the attackers.
Smart enough to pose a risk, too dumb to be managed
Collectively, vendors release thousands of patches a year to fix software security issues, and we (mostly) apply them without thinking. Yet when it comes to smart devices and IoT, who is going to apply a security patch to a light bulb? An IoT device that has just enough ‘intelligence’ to work is probably still too ‘dumb’ to be managed properly, and that’s a big problem.
The initial challenge lies with manufacturers. Many smart devices use a modified version of Linux, which immediately brings tens of thousands of lines of code into the device. All complex software suffers from security vulnerabilities and Linux is no exception: 85 high-severity vulnerabilities in the Linux kernel were found during 2016 alone.
Added to this are vulnerabilities hiding within the software used to provide the IoT device’s functionality. These are harder to quantify as the code is usually proprietary, but without a doubt they are widespread: at DEFCON 2016, 47 new IoT security flaws were discovered in products from 21 separate manufacturers. Secure hardware architecture, secure coding standards, and comprehensive auditing are key to maintaining a strong level of security. The challenge for manufacturers is applying the right level of focus and having access to the required skills to address these needs.
The risks are significantly different from those we are traditionally used to. In the home, excluding these vulnerable smart devices, the worst malware scenario is perhaps losing documents to ransomware. But imagine if an attacker discovered a flaw in smart thermostat software that allowed the overload of a heating circuit? In theory, they could burn your house down.
If that feels unnecessarily alarmist, consider Cisco’s discovery of a flaw in Trane thermostats that allowed an attacker to take remote control of the device. It took several years before a patch was released. The fact that IoT devices require a similar level of attention to a desktop PC is not something that resonates with most people.
Even if manufacturers do release security patches for their devices, they still can’t be connected to a centralised patch management solution. Manually patching IoT devices is a shadow IT task of epic proportions – if you can find them in the first place. MITRE is currently running a challenge with a $50,000 prize fund for solutions that detect and identify IoT devices.
Fortunately, even IoT devices must obey networking standards, and this provides options for reducing risk. One approach is to copy malware techniques for the force of good: Mirai malware infects IoT devices by logging into them using the manufacturer’s default password. With some judicious scripting and free security tools, it’s possible to create an automated scan that identifies vulnerable devices in a manner that mirrors how Mirai works.
The business choice: create a castle or wear armour
Businesses must take careful control of what has access to their infrastructure. Solutions include network access control, which prevents unapproved devices connecting to the network, and intrusion detection, which flags questionable network traffic for investigation.
However, organisations are also looking at boundary-less networks and zero-trust models. These businesses say: “We don’t truly trust our network; it’s too big, too wide, and too many people can connect whatever they want, whenever they want. Instead of a castle, we’ll give everyone a suit of armour. We’ll secure our endpoints and our services, segment our infrastructure, and worry less about the network around it”.
Both approaches help to counter the threat; but failing to recognise that there is a threat, or simply ignoring the benefits that IoT brings by banning the devices via corporate policy leaves an organisation wide open.
Author: Ian Kayne, Cyber Security Practice Lead at Mason Advisory – published: Infosecurity Magazine