IoT Security – is there a reason for concern?
The well-known KrebsOnSecurity blog was taken offline in September 2016 by a record 620 Gbps attack launched from a Mirai botnet. This was a milestone in cyber threats in at least three respects:
- It was one of the biggest DDoS attacks recorded up to that point
- It was one of the first large-scale DDoS attacks attributed to the Mirai botnet, and
- It was the first IoT-based DDoS attack to draw broad public attention.
The KrebsOnSecurity attack was soon followed by an even larger one, estimated at over 1 Tbps, directed at Dyn, a major American DNS provider, in October 2016. Because Dyn resolved the names of many major sites, the attack disrupted access to AirBnB, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit and GitHub, among others. According to the security ratings provider BitSight, Dyn lost around 8% of its customers after the attack, and one can only speculate how much business the affected customers lost during the outage.
So, how was this even possible?
Let's have a look at Mirai (Japanese: 未来, lit. 'future') first. The botnet malware surfaced online in August 2016. Mirai builds a botnet out of compromised Internet of Things (IoT) devices such as cameras, smart TVs, radios, printers and even baby monitors. To generate the attack traffic, all of the compromised devices are instructed to send requests to a single victim at the same time. The malware spreads by continuously scanning the internet for IoT devices that still use factory default usernames and passwords, logging in with those credentials and installing itself. It is estimated that a single botnet can contain even millions of IoT devices.
What makes IoT devices so interesting to online criminals?
According to a Radware blog, there are a number of reasons:
- Low-hanging fruit as embedded devices are easily exploited (e.g., default credentials, exposed services)
- Always-on devices with 24/7/365 availability and explosive marketplace growth
- Off-the-shelf products with low security standards (often root:root or admin:admin, and few end users change these credentials once the device is deployed)
- Once it has taken a device, the malware can itself change the default password, locking out both the owner and competing attackers
- Devices are rarely monitored and poorly maintained, so attackers can easily shut down or enslave large numbers of them
- Low cost of entry for attackers: control of thousands of devices can be gained at nearly zero cost, unlike the high cost of accessing and controlling servers for more traditional DDoS attacks
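The scanning behaviour described above, and the root:root / admin:admin point in the list, can be turned into a concrete detection. The following is an added example written for this page, not code from Mirai, Radware or the author: it runs over a constructed telnet authentication log (the log format is assumed, as is the small list of default credential pairs, of which only root:root and admin:admin come from the text; a real Mirai-style list is a few dozen entries long) and reports two things a device operator would want to know: source addresses that cycle through several factory credentials within a short window (a scanner), and successful logins that used a factory credential (a device that is, for practical purposes, already owned).

```python
"""Default-credential scanner and compromise detector for IoT auth logs.

Added example for this page. Assumed (constructed) log line format:
    <ISO timestamp> <device> telnetd: <login|failed> user=<u> pass=<p> from <ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Factory credential pairs of the kind a Mirai-style scanner tries.
# root:root and admin:admin are the ones named in the text; the other
# entries are illustrative assumptions, not a quote of Mirai's table.
DEFAULT_CREDS = {
    ("root", "root"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "12345"),
    ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>login|failed) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyse(lines, burst_threshold=3, window=timedelta(seconds=60)):
    """Return (scanners, compromised).

    scanners:    set of source IPs that tried at least `burst_threshold`
                 distinct default pairs inside any `window`-long interval
    compromised: list of (host, user, ip) for successful logins that used
                 a default pair, in log order
    """
    attempts = defaultdict(list)   # ip -> [(timestamp, (user, pw)), ...]
    compromised = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pair = (ev["user"], ev["pw"])
        if pair not in DEFAULT_CREDS:
            continue                # only factory credentials are of interest here
        attempts[ev["ip"]].append((ev["ts"], pair))
        if ev["result"] == "login":
            compromised.append((ev["host"], ev["user"], ev["ip"]))

    scanners = set()
    for ip, evs in attempts.items():
        evs.sort()
        # Slide a window over the attempts; count distinct pairs tried in it.
        for i, (t0, _) in enumerate(evs):
            tried = {pair for t, pair in evs[i:] if t - t0 <= window}
            if len(tried) >= burst_threshold:
                scanners.add(ip)
                break
    return scanners, compromised


# Constructed sample log (documentation IP ranges, fictitious hosts).
SAMPLE_LOG = """\
2016-09-20T10:00:01 cam-01 telnetd: failed user=root pass=root from 203.0.113.5
2016-09-20T10:00:02 cam-01 telnetd: failed user=admin pass=admin from 203.0.113.5
2016-09-20T10:00:03 cam-01 telnetd: failed user=admin pass=1234 from 203.0.113.5
2016-09-20T10:00:04 cam-01 telnetd: login user=root pass=12345 from 203.0.113.5
2016-09-20T10:05:00 cam-02 telnetd: login user=alice pass=S3cure!x from 198.51.100.7
2016-09-20T11:30:00 cam-03 telnetd: failed user=admin pass=admin from 192.0.2.9
"""

if __name__ == "__main__":
    scanners, compromised = analyse(SAMPLE_LOG.splitlines())
    print("scanning sources:", sorted(scanners))
    for host, user, ip in compromised:
        print(f"{host}: default credentials for '{user}' accepted from {ip}")
```

On the sample, 203.0.113.5 is reported as a scanner (four distinct factory pairs in a few seconds) and cam-01 as compromised, because the fourth attempt succeeded. The single admin:admin failure from 192.0.2.9 stays below the burst threshold, and the login by alice is ignored since it did not use a factory pair. In practice the useful part is the second list: a successful factory-credential login means the device should be treated as Mirai-controlled until it is reset and its password changed.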
The number of IoT devices is growing rapidly, and the problem is growing at the same rate. Gartner estimates that the number of installed devices will grow from 11 billion in 2018 to 125 billion in 2030. Consumer devices account for more than 60% of all devices, and they are traditionally the more vulnerable ones.
Enter the Cyber Security Act
To protect EU citizens from cyber threats, the European Commission crafted the Cyber Security Act. It was originally proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cyber security in the EU. A political agreement on the act was reached in December 2018, and among other things it gives ENISA, the EU Agency for Cybersecurity, a permanent mandate.
In addition, the Cyber Security Act creates a framework for European cybersecurity certificates for products, processes and services that will be valid throughout the EU. This is a groundbreaking development, as it is the first internal market law to take up the challenge of improving the security of connected products, IoT devices and critical infrastructure through such certificates. For the time being, certification under the framework is voluntary, but it could be made mandatory if the situation does not improve.
ENISA has also published baseline security recommendations for IoT, which aim to set the scene for IoT security in the EU.
What is the impact of the act?
The benefits are easy to name. I can think of three areas where we will (hopefully) see a change for the better:
- Raising awareness. Companies and consumers need to be educated on cyber security, and with a set baseline the topic is easier to digest.
- Mitigating security threats for consumers and businesses. Once manufacturers start adhering to the baseline security recommendations, IoT devices become harder to attack.
- Consolidating national certificates into one EU-level certificate that is valid in all member states. Manufacturers will face lower certification costs, as they no longer need to certify their products in each member state separately.
But I also have some concerns:
If devices are imported from outside the EU, how can you tell that the certificate is genuine? What if a manufacturer producing devices outside the EU decides to fake the certificate and avoid the certification fee? Who will control imported devices, and can there be sanctions for faking certificates? Is it even possible to sanction companies outside the EU? Or is it the company importing the devices that is responsible for making sure the certificates are valid, and that faces sanctions if they are not?
I find it reassuring that not only the EU is stepping up and improving the situation; many other countries and markets have improvements ahead as well. For example, California passed an IoT cyber security law in 2018, which takes effect on 1 January 2020. And I'm certain others will follow.
Another impressive initiative came from Microsoft with Azure Sphere. Sphere offers a platform on which to build an IoT solution with end-to-end protection built in. Microsoft even commits to delivering (security) updates to devices built on the platform for years to come.
As 451 Research puts it: "Azure Sphere is the most significant push by a large technology vendor to holistically improve IoT security".
Innofactor offers many services that help customer organizations succeed in IoT projects and make them profitable. With our proven "IoT journey" methodology, we can help customers in all phases of a project, from assessing the skills and abilities of personnel to validating business models and finding the right IoT strategy. We can help establish processes and secure a path to production-ready services.