Top industry security experts discuss the economic implications of the recent use of IoT devices as weapons in cyber attacks.
Not surprisingly, one of the topics most discussed at last week’s IoT Solutions World Congress (IoTSWC) in Barcelona, was how to secure IoT devices. While most experts agree that security has to be a priority when designing new IoT solutions, the number of devices already installed and the cost of securing them makes the problem almost impossible to fix.
How to secure billions of devices of the Internet of Things and prevent similar attacks to the DDoS on DNS provider Dyn last week was the topic of one panel session at the IoTSWC, with security experts from Infineon, Schneider Electric, and Wind River weighing in.
The botnet responsible for last week’s DDoS attack that collapsed access to several top sites in the US used thousands of connected devices, most of which were webcams and digital recorders manufactured in China. The company responsible for the technology behind those devices, XiongMai Technologies, was quick to acknowledge the problem and announced a recall of some of the affected units. XiongMai, however, said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches.
What last Friday’s DDoS attack has shown is that hackers do not need thousands of sophisticated servers or powerful computers to collapse the internet. A very basic connected device can be programmed to send a massive number of DNS requests, and millions of those devices are out there waiting for instructions.
During the panel session in Barcelona, George Wrenn of Schneider Electric began by saying that those botnets pose a new level of danger because they have proven that it’s possible to use “a consumer based product to target the enterprise.”
Steve Hanna, of Infineon, argued that the attack changed the perception of the intent of hacking IoT devices. “For years people said: Oh, why will anybody bother hacking my webcam, […] I’m a 50 y/o ugly guy, who wants to look at me?” he said. “But it turns out that hacking the webcam isn’t about looking at me and seeing what I’m doing in my living room, is about using that as a source of revenue.”
“What the attackers are doing there with the Mirai toolkit is build a botnet of hundreds of thousands, and potentially millions of devices, which they can rent them out, they rent out time on these compromised devices.”
“If you want to rent 200,000 of those devices, which I think it is what was done last Friday,” Hanna continued, “you pay a certain price and, whoever hacked those devices gets that money, and [it] becomes an ongoing revenue stream to them. […] It is a pretty good business model as long as you don’t have an extradition treaty from your country to the US or to Europe.”
All the panelists agreed that the economics of IoT security are quite complex, and many devices, especially the ones targeting the consumer market, are not designed with security in mind. “The vendor just wants to get their new model out there,” said Gareth Noyes of Wind Riverand, and network security is their last concern. “Device manufacturers tend to be motivated by a business model that is volume driven, and therefore any penny that is shaved off the bill of materials is something those guys avoid paying for [security].”
While most industrial and IT companies have developed and implement best practices in the way they secure their networks and connect IoT devices in the enterprise, home users tend to connect anything and everything to their home network, through WiFi connections that are in many cases insecure, leaving the door open for hackers to access the devices.
IoT vendors need to engage in consumer education about security, panelists argued. People are already used to receive continuous updates on their smartphone apps, computer operating systems, and now the wearables, but very little or nothing is done to update the other low-end connected devices they use, and consumers are not aware and not concerned about the vulnerability of those devices.
Technology vendors, such as VMware, Microsoft, Amazon, and Google, are already providing solutions to secure the information sent from the IoT to the internet, but they are mostly targeting industrial applications and high-end mobile devices. The same applies to semiconductor companies such as Intel, NXP, Gemalto, ARM, and Infineon. But low-end devices, used in small businesses and home environments, are still easy to compromise.
Counterfeits are another big issue. I had the opportunity to ask the panelists about their ideas on how to prevent counterfeit devices entering the supply chain. Steve Hanna argued that device certification at the hardware level is the key to ensuring the origin and identity of the components, because manufacturers of low-cost devices are not willing to pay the price for that level of security.
The panel agreed that, while regulation and government intervention will eventually happen, device manufacturers should take immediate action, as they are mostly liable for damages caused by their devices, and vulnerabilities such as the ones discovered last week can damage a brand reputation beyond repair.