It was fantasy just years ago, but the risk of compromise through hacked cameras, routers, appliances, toys, and industrial sensors has become very real – for individuals and enterprises alike.
It has been over 18 months since the Mirai botnet showed the world the havoc that could be wrought by hacking Internet of Things (IoT) devices. Since then, numerous derivatives of that malware have re-emerged with enough frequency that IoT botnets have become a key security concern.
In a world where consumers have become obsessed with gadgets, the prospect of compromising those gadgets for nefarious purposes looms large on the mind of every CSO. Yet with enterprises rushing just as quickly to embrace IoT and its sibling Industrial IoT (IIoT) – and coming 5G mobile networks being spruiked as enablers for even more IoT devices – the problem is rapidly expanding in size and scope.
A recent F5 Networks analysis, which referred to this new breed of malware as ‘thingbots’, warned that “every expectation should be set that attackers will continue targeting IoT devices ... it will be a competition among attackers to find IoT vulnerabilities, compromise those devices, and build the strongest thingbot.”
Spending to stand still
Attackers are already making progress: a recent Gartner/CEB survey found that almost 20 percent of organisations had experienced at least one IoT-based attack in the past three years. F5’s figures suggested Telnet brute-force attacks against IoT devices – a common mechanism for compromise – were up 249 percent year on year to 2017.
“There is growing awareness that malware can get in through a device and go just about anywhere on the network,” says Chris Tappin, principal consultant with Verizon Australia, which recently updated its data breach investigations report (DBIR) with warnings that organised criminal groups were responsible for half of analysed breaches.
“It is surprising,” he continued, “that people spend their budget on new cameras and other devices, but they’re not ready to put funding into the network security assessment of those devices. It really is a network design issue: you should have these devices as ring-fenced as possible.”
Unsurprisingly, spending on IoT-specific security is increasing commensurately: Gartner has predicted that worldwide spending on IoT security products will reach $US1.5 billion ($A1.93b) this year, with regulatory compliance becoming the prime influencer for IoT security adoption by 2021.
The forecasted composition of that figure – which will double to $US3.1b ($A3.98b) by 2021 – offers guidance for CSOs eager to bolster their IoT defences. Businesses will spend three times as much on IoT security-related professional services as on endpoint security tools, which will themselves be purchased twice as much as gateway security tools.
The message from these figures is clear: building an effective IoT/IIoT security perimeter is about much more than tools. It requires a strategy that is developed alongside broader security planners, in response to effective vulnerability and remediation planning, and executed over time in lockstep with other enterprise security initiatives.
Few companies are that meticulous about their IoT security spending yet, warned Gartner research director Ruggero Contu, who said the lack of ‘security by design’ was causing disarray in IoT security planning.
"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," he said.
"However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."
Towards a better IoT strategy
Even as vendors and corporates feel their way towards better IoT security, malware authors are testing and deploying new attacks with impunity. The latest Fortinet Threat Landscape Report, for one, warned of more, faster, and more varied ‘swarm cyberattacks’, based on an average of 274 detected exploits per firm.
Three of the top 20 observed attacks targeted IoT devices, Fortinet noted, and exploit activity against devices quadrupled. The emergence of hybrid IoT botnets like Reaper and Hajime, which are built around flexible frameworks that test multiple vulnerabilities at the same time, took the threat to a new menacing level as self-modifying botnets proved they could be dynamically updated to target new types of devices.
For CSOs, this growing threat represents a clear and present danger. One of the most important things to remember is that IoT botnets are a global problem. F5’s analysis confirmed this, noting that China is far and away the biggest source of such traffic but that its destinations were evenly spread across most of the world.
This means CISOs cannot hope to linger in obscurity: IoT is a problem for everyone and it needs to be dealt with as a matter of priority.
For many companies, this imperative is already being recognised as part of critical infrastructure protection (CIP) planning – a nod to the growing fear that poorly-secured infrastructure has been left exposed to interruption or destruction by malicious code.
“Many thingbots capable of global, ‘lights-out’ attacks have been built during the past two years,” the report notes. “All signs point toward IoT devices becoming the attack infrastructure of the future.”
Every security vendor has been bulking out its IoT-related offerings in an attempt to counter this attack, with most approaches dealing with IoT devices as endpoints and bolstering protection by monitoring their behaviour against baseline expectations.
This approach is a direct consequence of the poor or absent manageability of most IoT devices, which is what drives the endpoint approach taken by the likes of Fortinet: it recently integrated its platform with Pulse Secure’s endpoint protection to deliver automated identity and posture-based intelligence that enforces security policies across IoT and other endpoints.
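Two of the controls the article touches on, detecting Telnet brute-force sweeps (the Mirai vector F5 counts) and checking that ring-fenced devices only talk to expected peers (Tappin's network-design point), can be expressed as simple detection logic over firewall logs. The following is an added example, not code from the article or from any vendor it names; the log format, the camera VLAN 10.20.0.0/24, the NVR at 10.20.0.1 and the alert threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article). Port 23 is Telnet, the
# service Mirai-style bots brute-force; 10.20.0.0/24 is an assumed camera VLAN.
SAMPLE_LOGS = """\
fw SRC=203.0.113.9 DST=10.20.0.11 DPT=23 ACTION=ALLOW
fw SRC=203.0.113.9 DST=10.20.0.12 DPT=23 ACTION=ALLOW
fw SRC=203.0.113.9 DST=10.20.0.13 DPT=23 ACTION=ALLOW
fw SRC=203.0.113.9 DST=10.20.0.14 DPT=23 ACTION=ALLOW
fw SRC=203.0.113.9 DST=10.20.0.15 DPT=23 ACTION=ALLOW
fw SRC=198.51.100.7 DST=10.20.0.11 DPT=23 ACTION=ALLOW
fw SRC=10.20.0.11 DST=10.20.0.1 DPT=554 ACTION=ALLOW
fw SRC=10.20.0.11 DST=10.0.5.40 DPT=445 ACTION=ALLOW
fw SRC=10.20.0.12 DST=10.20.0.1 DPT=554 ACTION=ALLOW
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")
TELNET_THRESHOLD = 5            # distinct Telnet targets per source before alerting (assumed tuning)
CAMERA_PREFIX = "10.20.0."      # assumed ring-fenced camera VLAN
ALLOWED_PEERS = {"10.20.0.1"}   # assumed policy: the NVR is the only host outside/inside the fence cameras may reach

def parse(logs):
    """Yield (src, dst, dport) from lines in the constructed format; skip anything else."""
    for line in logs.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def telnet_sweeps(logs, threshold=TELNET_THRESHOLD):
    """Sources that open Telnet to >= threshold distinct hosts: a brute-force sweep pattern."""
    targets = defaultdict(set)
    for src, dst, dport in parse(logs):
        if dport == 23:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

def ringfence_violations(logs):
    """Flows crossing the camera-VLAN boundary whose outside endpoint is not an allowed peer."""
    inside = lambda ip: ip.startswith(CAMERA_PREFIX)
    hits = set()
    for src, dst, _ in parse(logs):
        if inside(src) != inside(dst):             # exactly one end is behind the fence
            outside = dst if inside(src) else src
            if outside not in ALLOWED_PEERS:
                hits.add((src, dst))
    return sorted(hits)
```

Run `telnet_sweeps(SAMPLE_LOGS)` and `ringfence_violations(SAMPLE_LOGS)` against the constructed lines: the first names the one source sweeping five cameras, the second lists both the inbound Telnet flows from the internet and the camera reaching an SMB host it has no business talking to.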
As well as painting IoT devices with the broader brush of endpoint security, CSOs must recognise that growing use of machine learning and artificial intelligence will become critical in monitoring endpoints for spurious activity, just as it will help botnets dynamically adapt and refine their activities.
Companies that aren’t ready to fight the proverbial fire with fire may find themselves defenceless in the face of botnets wielding newfound vulnerabilities and payloads designed to exfiltrate sensitive data – or just to destroy sensitive systems. And attackers are getting smarter and bolder in their efforts, as in the recent discovery and multinational alert warning that Russian hackers were “exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide”.