More than a few Israeli security researchers are reconsidering their personal purchase of home security cameras, baby monitors, doorbells and thermostats after a hackathon revealed “truly frightening” security vulnerabilities that highlight the true extent of the Internet of Things (IoT) security threat to individuals and enterprises.
Passwords for most of the 16 tested devices were discovered within 30 minutes – often through a Google search – and researchers at Ben-Gurion University of the Negev (BGU) were able to quickly co-opt devices for unintended behaviours, such as playing loud music through a baby monitor or remotely activating a camera.
In a newly published paper describing their work, researchers Omer Shwartz, Yael Mathov and Michael Bohadana described their success in developing ‘black-box’ techniques for reverse-engineering IoT devices that had allowed them to bypass password protections, recover device firmware and extract passwords. They were also able to create a laboratory version of the Mirai botnet that automatically exploited the discovered vulnerabilities to build an active botnet.
“It seems getting IoT products to market at an attractive price is often more important than securing them properly,” BGU senior lecturer Dr Yossi Oren said in a statement. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
The implications of such work – which has been repeated with worrying success by numerous security teams around the world – are contributing to the pressure on IT-security managers to bolster their response to IoT threats, as well as their strategies for safely acquiring and managing them.
The market is responding in kind, with wireless specialist Ruckus Networks this month launching its Ruckus IoT Suite to secure IoT-heavy enterprises, smart-city deployments and other environments. A bevy of partners, including device-locating firms Tile, TrackR and Kontakt.io as well as conventional firms like ASSA ABLOY Hospitality, have signed on to track and secure growing constellations of IoT devices.
New Zealand and Australia were ranked third and fourth, respectively, in IDC’s recent comparative national assessment of IoT readiness. This puts CSOs in the firing line when it comes to adoption of the new technologies – and a fundamental change in the way that endpoint security risk is perceived is a good place to start, notes ForeScout senior vice president of products Rob Greer.
The growing endpoint threat had lent momentum to efforts to enforce security using agent-less architectures, Greer told CSO Australia. “Enterprises are starting to take IoT a lot more seriously than they did even 18 months ago,” he explained. “Recent breaches have happened as a result of not knowing what’s going on in your environment.”
“For most CIOs and CSOs, this has fuelled a sense of what is connected to the environment. And this transition – from a world of knowing what you have on your network, to a world that questions the validity of what you think is there and what you actually have – is good for a lot of reasons.”
Adopting this change in perception has been difficult for many security practitioners; recent studies have shown slow adoption of zero-trust security, and half of companies won’t even change security policies after they have been breached.
Aiming to protect even those that won’t act to protect themselves, ForeScout’s endpoint-security model is built along similar lines to the BGU research: it watches which devices are connecting to the network, then uses 13 different techniques to classify and compare their networked behaviour against a database of known baseline behaviour for those devices.
The IoT security space is “still developing”, Greer said, while arguing that the momentum behind agentless endpoint security is being assisted by megatrends including the diversity of devices and operating systems; the movement of infrastructure to cloud and software-as-a-service (SaaS) platforms and an attendant lack of clarity about network activity; and the convergence of operational technology (OT) and IT, which is making OT an entry point to traditionally “flat” IT networks.
“There is a long way to go,” Greer said, noting that new regulations like Australia’s Notifiable Data Breach scheme and the EU’s coming GDPR are “putting compliance teeth into companies having the responsibility to know what’s connecting to their environment, and to be able to prove that they’re doing what’s right for their employees and customers.”
7 tips for safer IoT
Oren’s team offered seven suggestions to help adopters of IoT devices minimise the exposure that those devices present:
- Buy IoT devices only from reputable manufacturers and vendors.
- Avoid used IoT devices. They could already have malware installed.
- Research each device online to determine if it has a default password and, if so, change it before installing.
- Use strong passwords with a minimum of 16 letters. These are hard to crack.
- Multiple devices shouldn't share the same passwords.
- Update software regularly; you will only get updates from reputable manufacturers.
- Carefully consider the benefits and risks of connecting a device to the internet.