Playing Catch Up With IoT Security

An unsecured IoT ecosystem introduces real-world risks, and we’re already seeing the consequences.


While the benefits of the Internet of Things (IoT) are clear, security hasn’t managed to keep up with the rapid pace of innovation and deployment. As the U.S. Department of Homeland Security (DHS) recently stated, an unsecured IoT ecosystem introduces real-world risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves. This can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality via large-scale distributed denial-of-service (DDoS) attacks and potential disruptions to critical infrastructure.

In recent months, unsecured IoT devices have been targeted by multiple malware strains, including BrickerBot, Mirai and Hajime. BrickerBot is a nefarious family of malware that is designed to exploit hard-coded passwords in IoT devices and cause permanent denial of service (PDoS). According to Radware (via the DHS), BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH and brute-force Telnet. Although BrickerBot.1 is no longer active, BrickerBot.2 continues to target Linux-based devices, which may or may not run BusyBox, that expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by Tor exit nodes.

Meanwhile, Mirai continuously scans for IoT devices that are accessible over the internet and protected by factory default or hard-coded user names and passwords. It subsequently infects vulnerable endpoints with malware that forces them to report to a central control server, effectively turning the devices into ‘zombie’ bots that can be used in DDoS attacks. Similarly, Hajime scans the internet for vulnerable IoT devices such as cameras, DVRs and routers that have open Telnet ports and use default passwords. Although the vigilante Hajime botnet has yet to launch DDoS attacks, Radware security researchers warn that the enigmatic malware strain is a “big threat forming” and can ultimately be exploited for nefarious purposes.

The rise of Internet of Things malware illustrates the real-world risks associated with deploying unsecured IoT devices. Indeed, nearly every device is a potential target for cyber criminals with malicious intent. As such, it is important to understand that reducing the IoT attack surface starts with adequately protecting both services and endpoints. To be sure, an attacker cannot compromise an endpoint without first establishing an unauthorized communication channel.

An IoT security solution should therefore allow only legitimate, verified cloud services to ‘talk’ with each device, thwarting unauthorized communication attempts that try to exploit known vulnerabilities in the device’s software or firmware. In addition, IoT devices should be uniquely and cryptographically verified by the service to determine whether they are authorized to connect, which reduces the attack surface of the service by preventing remote attacker access, whether directly or via device emulators. As a second layer of defense, the service should be able to identify compromised endpoints and quarantine them before they can inflict damage.

Perhaps most importantly, IoT security solutions should be ready out of the box: simple, affordable and easy to use. One effective method of simplifying security and reducing costs is to deploy IoT devices with pre-provisioned keys, identifiers and pre-integrated security software that ‘knows’ how to work seamlessly with the service security component. This model allows service providers to bolster security for a wide range of connected ‘things.’
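
The service-side check described in the last two paragraphs, sketched as an added example (not code from the article or from any vendor): each device proves possession of its pre-provisioned key by answering a one-time challenge, unprovisioned identifiers such as emulators get no challenge, and a quarantined endpoint is refused. The HMAC-SHA256 challenge-response scheme, the class and function names, and the device identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def device_proof(key, device_id, nonce):
    """Device side: MAC over the identifier and the service's one-time nonce."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()

class DeviceRegistry:
    """Service side. Names are hypothetical; HMAC challenge-response is an assumption."""

    def __init__(self, provisioned):
        self._keys = dict(provisioned)  # device_id -> key installed before deployment
        self._pending = {}              # device_id -> outstanding nonce
        self.quarantined = set()

    def challenge(self, device_id):
        """Issue a fresh nonce; unknown or quarantined identifiers get none."""
        if device_id not in self._keys or device_id in self.quarantined:
            return None
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id, proof):
        """Accept only a valid proof over the outstanding nonce, which is then spent."""
        nonce = self._pending.pop(device_id, None)
        if nonce is None or device_id in self.quarantined:
            return False
        expected = device_proof(self._keys[device_id], device_id, nonce)
        return hmac.compare_digest(expected, proof)  # constant-time comparison

    def quarantine(self, device_id):
        """Second layer: cut off an endpoint flagged as compromised (signal not modelled)."""
        self.quarantined.add(device_id)
        self._pending.pop(device_id, None)

# Constructed sample data: keys generated here stand in for factory provisioning.
KEYS = {"cam-0001": secrets.token_bytes(32), "dvr-0002": secrets.token_bytes(32)}

def demo():
    reg = DeviceRegistry(KEYS)
    nonce = reg.challenge("cam-0001")
    proof = device_proof(KEYS["cam-0001"], "cam-0001", nonce)
    genuine, replayed = reg.verify("cam-0001", proof), reg.verify("cam-0001", proof)
    emulator = reg.challenge("cam-9999")  # identifier that was never provisioned
    reg.challenge("dvr-0002")
    wrong_key = reg.verify("dvr-0002", device_proof(b"guess", "dvr-0002", b"\0" * 16))
    reg.quarantine("cam-0001")
    return genuine, replayed, emulator, wrong_key, reg.challenge("cam-0001")
```

Because every device holds its own key, a key extracted from one unit cannot be used to answer for any other identifier.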