When home appliances attack: Why the enterprise IoT defence starts in the home

Five years ago, if you had asked your average CSO what the biggest threat to their network was, odds are that they wouldn’t have even thought about mentioning their own dishwasher. But that’s exactly what has happened as exploding shipments of connected smart-home devices have opened up a new front in the cybersecurity battle – and the security industry is still scrambling for a solution.

To be fair, connected dishwashers are still few and far between. But other appliances, sensors, Webcams, printers, and even smart lightbulbs are rapidly coming online as vendors build ever more-connected home ecosystems. A recent Telsyte-nbn co analysis suggested that the average Australian household had 9.2 Internet-connected devices in 2015, increasing to 20.7 by next year – all of which communicate with the outside world through the household’s broadband router.

It was these routers that became the conduit for a record-setting distributed denial of service (DDoS) attack last year, which was based on code that later came to be called Mirai and was released to the world for anybody to use. Mirai scanned the Internet for routers and other devices whose default passwords had not been changed, conscripting them into remotely controlled botnets that flung more than 600Gbps of traffic at targets such as the Web site of security journalist Brian Krebs and US infrastructure provider Dyn.

The Dyn attack, which measured well over 600 Gbps and compromised services including Netflix and CNN, reflects a new cybersecurity reality in which cybercriminals are actively searching for ways to compromise and exploit devices of all kinds.

As researchers at the Institute for Critical Infrastructure Technology have warned, the Dyn attack was “just a practice run”. Indeed, Arbor Networks’ latest Worldwide Infrastructure Security Report suggested that IoT had become the favoured mechanism for launching DDoS attacks during 2016: a honeypot set up to test IoT attack volumes was hit more than 1 million times in a fortnight.

Vendors continue to flood the market with insecure IoT devices that can’t be remotely upgraded, feeding a general and justifiable fear that they are creating problems as well as solving them. One recent Bullguard survey found that 66 percent of UK respondents were highly concerned that their IoT devices could be hacked or their data stolen.

Recent Pwnie Express research of more than 800 IT professionals corroborated these findings, with 84 percent of respondents saying that Mirai had changed their perceptions of IoT threats and 66 percent admitting they hadn’t or didn’t know how to check their devices for Mirai. Fully 92 percent said connected device threats will be a major security issue this year, yet only 23 percent said they were actively checking connected devices for malicious infections when they were brought into their offices.

It goes without saying, then, that companies exploring the technology’s possibilities need to be particularly careful about what they add to their network, and how.

“I see Mirai as a watershed moment,” says Michael Sutton, CISO with cloud security vendor ZScaler, who has both watched the emergence of IoT as a new threat and moved to defend against it within his own business.

“This was the moment that the hardware industry woke up,” Sutton explains. “Everyone had been saying forever that IoT security is terrible and that the hardware industry is a decade behind the software industry, but nobody was doing anything about it. Mirai showed us that these things are actually computers, and they can be used to attack other machines in an incredibly effective way.”

Sutton believes it’s only a matter of time before IoT is extended with ransomware attacks that lock businesses and users out of their own devices until a ransom is paid. This bodes poorly for businesses keen to leverage IoT technologies to improve productivity, reduce costs, and automate internal processes by enabling new data-gathering processes that provide more operational intelligence than ever.

Some 55 percent of the more than 4500 organisations responding to IDC’s 2016 Global IoT Decision Maker Survey, for one, agreed that IoT solutions are strategic tools for competitive differentiation. Fully 31.4 percent had already launched IoT solutions and 43 percent were looking at doing so within the next 12 months.

"Vendors who lead with an integrated cloud and analytics solution are the ones who will be considered as critical partners in an organisation’s IoT investment," Carrie MacGillivray, IDC vice president for mobility and Internet of Things, said in a statement. "We also note that network and traditional IT hardware vendors are slipping down the charts, as software and systems integrators make strides in customers' minds."

Security vendors are responding to the changing threat posed by IoT, which has lent new urgency to the need for businesses to get their identity and access management (IAM) infrastructure up to scratch.

Given that it’s currently impossible to get all IoT vendors to integrate their devices with enterprise-grade security platforms, IAM has offered a compromise by moving the control point away from the endpoint. By keeping IoT devices in check, these platforms allow their interactions with the network to be monitored and acted upon.

“Security will never be solved,” Eve Maler, vice president of innovation and emerging technology with ForgeRock, recently told CSO Australia. “And when it comes to consumer IoT, the aspects of usability, fun, and convenience are imperatives that fight with security. Traditional IoT has been able to fail closed – which is fine in the virtual world. But in the physical world, they’re more concerned with ensuring the proper authentication of a device.”

ForgeRock, which has been working with embedded-systems giant ARM to embed device authentication and registration capabilities within IoT devices, recently launched a new version of its ForgeRock Identity Platform designed specifically to manage IoT devices. This puts the company alongside a raft of similar efforts including Amazon Web Services’ AWS IoT, Cisco Jasper Control Center, Ayla Networks’ Agile IoT Platform, Microsoft Azure IoT Suite, Cisco IoT Cloud Connect, ThingSpeak, Xively, SensorThings Cloud, and more.

Other enterprise vendors have put their particular spin on IoT management, with SalesForce launching its Salesforce IoT Cloud tool for linking devices directly into Salesforce environments and IBM leveraging its Watson artificial intelligence-as-a-service engine for its Watson IoT Platform.

In the long term, interoperability between devices and platforms will be a crucial part of IoT’s escalation from home-user dalliance to enterprise operational powerhouse. A recent IDC survey of Australian IT decision makers found that 81 percent see common IoT data and connectivity standards as being extremely or very important, lending urgency to the process of establishing and implementing IoT security standards.

“IoT will be an open ecosystem of horizontally specialised players, bringing their own best of breed technology to the table,” said IDC research manager Jamie Horrell. “Open standards are critical to interoperability and it would be a bold move to rely on proprietary standards or vertically integrated players to deliver operational transformation".

Standardisation, however, will take years – and with Australia’s IoT market expected to hit $18 billion by 2020, businesses aren’t going to be waiting around for security to sort itself out. Standards or no standards, they’ll be pushing hard to tap the benefits of IoT in areas like freight monitoring, manufacturing operations, and connected vehicles.

For now, that means CISOs looking to safely leverage the benefits of connected devices need to look beyond the devices themselves for the most effective security. Control those devices’ interactions with the rest of the enterprise environment, and you can keep your network from participating in the next Mirai – or the even worse progeny it spawns.