Will IoT be the next malware target for hackers after NHS?
16 May 2017 |
IoT devices have gained popularity over the past year. They also do not have any security on them, does this make them ripe for hacking?
IoT- the phrase that grew in common parlance in 2016 is everywhere in 2017. With understanding of the term growing exponentially, its remit has too. So, not only does it include connected TVs and fitness trackers but also printers, wifi expanders, smart lightbulbs and routers.
And with its universe growing so rapidly, it is no wonder that cybersecurity risks aren't too far behind. Consumers are always at risk but it is more the small to medium businesses who make easier targets for cyber criminals. These time-rich but ultimately lazy malicious actors are happy to squat on networks and collate information that is then drip fed to them. Hackers bid their time for 280 days in the case of Target, the US retailer's network before going in for the strike. Imagine what they could do with unsecured IoT lightbulbs, whether they were in a business environment or home.
The IEEE have an IoT and Big Data interactive transmitter which you can use to see what connected IoT products you are likely to use during the course of the day and they show you the kind of interactions each comes with as well as associated risks. Give it a go- you'll be surprised how entrenched IoT is, in our lives. However, it is just this year that businesses and consumers are waking up to the threat they bring with their ease of use.
Liviu Arsene, Senior E-threat Analyst at Bitdefender said: "Researchers have been testing the security of IoT devices for a long time and have often found them lacking even basic security practices. From enforcing strong password authentication to encryption and security updates, most IoT manufacturers treat security features trivially and oftentimes are not even included in the device’s development roadmap.
"However, what small business sometimes fail to realize is that they’ve been hosting IoT device in their network for years without realizing it. If you think about internet-connected printers, one could argue that they’re also IoT devices. They’re usually the ones most targeted when it comes to breaching an organization’s security as they either have poor password protection or loads of vulnerabilities."
In a 'most hacked' list of industries that have suffered the most IoT-related breaches, healthcare tops the list. Almost 89% have had a breach and while malware issues were reported by nearly 49%, it was human error at 39% that led to an IoT-related security breach. 82% of manufacturing has come under attack and 76% of retail. Most worryingly, however it is 85% of government owned or issued IoT tech has come under attack.
When news that Amazon’s Alexa was listening and recording conversations emerged, Alex Mathews, Lead Security Evangelist, Positive Technologies said: “Given enough time, money and motivation – most technology nowadays can be hacked using flaws in its design. The more Internet connected devices people put in their homes, the higher the risk is to them personally. People need to be careful before rushing to get the latest smart home device. It might make getting pizza delivered easier – but there is a trade off with your personal information."
As we have pointed out earlier, SMEs and homes aren't very much different in scope and setup from each other.
Turns out that Telnet ports on IoT devices are the equivalent of a red carpet welcome for hackers. A number of routers and internet service providers leave ports open so they can remotely connect and update the software onboard. Sadly this also means that the same port could be used by malicious actors. Towards the end of 2016, there was a malware called Mirai. The working of this malware was quite simple and deadly. Armed with a dictionary of username and password combinations, Mirai would scan IP addresses for open Telnet ports. If any of those combinations worked, it would then infect that device. This simple methodology was able to take down vast swathes of the internet. In the UK, TalkTalk and Post Office broadband customers were affected.
Paul Lipman, CEO Bullguard said: "The wider infrastructure needs addressing. Content filtering exists on devices but the true sophistication lies in being able to tell a legitimate and a malicious port access attempt apart. In the US, one of the main ISPs is Comcast and all their routers would ship with with admin and password as the username and password. A malicious user just needs to then scan IP addresses, and they are in. Within seconds, they would have full control of home networks!
On why there isn't as much attention to security detail on IoT devices as there is on IT in general, Lipman continues: "Key point with IoT devices is value. The industry has experienced a fast product cycle and new products are introduced very frequently. There has been, until now, no motivation to incentivise and build in security features from ground up.
"IoT manufacturers are optimising for 2 things: Overall cost of production and speed to market.
Internet camera or IoT-enabled front door locks simply don't have the kind of processing power or storage capacity to run powerful security software on a host level. They are designed to perform the maximum number of tasks with minimum amount of cost. The worrying thing is that as we bring in devices like smartlocks, door cameras and access monitors into the home, the line between digital and physically security is blurred. The level of criticality has increased significantly.
Says Lipman: "I think the reality till now has been that no security products have been available. So the three types of consumer have been: those who either a) buy the product and don't worry about it. 2) Show a certain reticence to buying and using IoT products, and, 3) a small segment of early adopters who have the expertise to set it up the right way.
And Mirai is shape-shifting as you read. In April 2017, threat researchers at IBM's 'X-Force' division stumbled upon a new variant of the malware, with an in-built component to mine for cryptocurrency. IBM threat researchers Dave McMillen and Michelle Alvarez wrote a joint blog post saying: "If the weaponisation of IoT devices into DDoS botnets is the latest malicious trend, then turning them into bitcoin miners may be just around the corner.
"This malware is designed to scan for devices running Telnet services and attempt to compromise them. Infected nodes are then used to perform further attacks. Mirai is targeting DVR (dvrHelper), WebIP Cameras on busybox and other busybox powered Linux IoT boxes."
Paul Holland, Beyond Encryption thinks the real reason for IoT developing at breakneck speed without any security concerns has been for a variety of reasons, primarily that: "Their adoption has been quicker than tech in the past. Apple led the charge with voice controlled applications and even in an office environment, people are now using Cortana and Siri to get to the next level of efficiency.
"The question is, do consumers understand the security implications- do they get that hackers could easily gain access to their network by using the backdoor entry from their shopping list that Echo stored for them?"
Total network visibility
Across industry verticals, it’s clear that companies need more information about the devices connecting to their network. Network managers require the ability to create policies/permissions around each of them, so that if a device is compromised by malware or human error, it can be identified and removed from the wider network.
Jon Garside, Senior PMM of Security at HPE Aruba said: "IoT within business is already happening and the growth of its use across all industries is inevitable. Businesses shouldn’t let security threats be the barrier between a market leading or non-competing company, particularly as there are existing solutions to turn IoT into opportunity, not threat."
GDPR and IoT
One of the biggest flies in the ointment for IoT devices and their success in integrating seamlessly in the workplace is GDPR coming into force in May 2018. James Wickes, CEO and cofounder, Cloudview thinks many don’t realise that all IoT devices need to be updated or they’ll remain in their default, vulnerable state.
His advice for businesses is:
- choose a vendor that, at a minimum, uses corporate-grade encryption for data in transit and storage as well as ensures compliance with the Data Protection Act (DPA) and General Data Protection Regulation (GDPR)
- ensure that usernames and passwords have been changed from the default state to something secure and that they have a firewall in place
- if they are unsure, have equipment assessed and installed by a trustworthy technician
- buy equipment from reputable manufacturers where there can be a comeback if a major product security flaw is subsequently identified
- ask the company they are buying the equipment from whether they will mitigate any losses incurred through privacy breaches or related fines etc.”
IoT is a challenge when compared to traditional IT. Phones, PCs and laptops contain rich information and these can be protected by putting endpoint security on. With IoT devices, the biggest challenge is the sheer volume of them. The ability to connect and find out more about them before they connect to the network is simply not there. Case in point is the humble smart lightbulb. It is impossible to get their serial numbers and information before they get deployed. These devices have no functionality to control or have security on them and they have usually been manufactured by non-IT companies who have used off-the-shelf embedded versions of windows/Linux.
Dr Malcom Murphy, technology director, Western Europe says that security isn't typically a priority because they are hard to hardwire and not in anybody's mindset. This is a grave concern for SMEs. There is lesser value of breaching home data- it is inconvenient. For SMEs, it is an economic hit.
SMEs that have had major IT compromises mostly are out of business in 18 months because of them.
The concept of no backup is a big deal for SMEs. IoT consumer technology does not have security in mind. Full stop. It is akin to inviting barbarians inside the gate and it is SMEs who have the most to lose from it.
"A Windows XP device has the same security makeup as an IoT device. That's why the Wanna Crypt malware could propagate itself.
"There are IoT devices like MRI scanners that are running off legacy operating system as bringing them up to speed IT wise is always a secondary consideration. The risk there is that if I am operating IT in that environment, I should assume hackers can get in.
"For SMEs, the most important question to answer is: Do you know whats on your network? If you don't know it, you cannot secure it!
"For this the management of IP addresses is most important. By finding devices that can be connected to the network, that can latch onto an IP address in real time to check is what's required... Critical security controls should be able to identify authorised and unauthorised entry to your network. The threat landscape operating model needs to change now.
However, for others like John Madelin, CEO, Reliance ACSN, it is a case of much ado about nothing. "You have to remember that cyber criminals are inherently lazy people. Also remember that they are chancers. Would they really want to write a bit of code for 6 weeks to hack a fridge? Or would they rather send a wave of DDoS or ransomware to a healthcare trust and make half a million pounds?
"If all I am interested in is money, I would hide a motherload in your emails. 70 percent of our most valued files are in our emails. If I were a hacker, I would want to compromise your email and the mail server. If the mail server is protected and there is good anti virus filtering, as an attacker I would just move onto the next email.
"Also remember, phishing is easier than scanning telnet ports. One in 14 phishing emails is successful. Just send 14 emails!
"It is not possible to get security right to 100 percent."
In conclusion, we would echo what Motley Fool wrote recently: 'Without trustworthy security models and regular software updates to counter new attack methods, the IoT shouldn't exist. This is important."