Cybercriminals targeting vulnerable IoT devices

Connected devices often lack appropriate security features.

IoT security breaches have been dominating the headlines, and are set to increase as more devices are connected - putting protection at the core of the technology’s agenda.

Last year, Dyn suffered an enormous distributed denial of service (DDoS) attack when cybercriminals hijacked thousands of devices to create a botnet. This was done by taking advantage of users who had not changed the devices’ default passwords – mostly on DVRs and cameras. Analyst firm Forrester believes this is just the start and we will see the biggest IoT attack yet in 2017.

With smart thermostats alone exceeding one million devices, Forrester said in a recent predictions report that it is not “hard to imagine a vulnerability that can easily exceed the scale of other common web vulnerabilities such as Heartbleed, especially if multiple IoT solutions include the same open source component”.

Forrester maintains those most at risk are IoT early adopters, including transportation/fleet management, security and surveillance applications, retail and manufacturing.

IoT services are central to IoT devices.

Gartner forecasts that 8.4 billion connected things will be in use worldwide this year, with business spending representing 57 percent of overall IoT spending. Services will be dominated by the professional IoT-operational technology sector, where providers assist businesses in designing, implementing and operating IoT systems. We will see a flood of applications, but there still seems to be a laissez-faire attitude to securing them.

Application testing is happening on an ad hoc basis, and often appears after they have gone into production. In its 2017 study into mobile and IoT application security, the Ponemon Institute revealed that 80 percent of IoT applications are not tested for vulnerabilities, primarily down to rushed release schedules. Seventy-five percent of respondents cited pressure on the development team as the key reason why IoT applications contain vulnerable code. In addition, 65 percent said accidental coding errors in IoT applications also result in vulnerable code.

The survey also found that only 30 percent of respondents said their organization allocates sufficient budget to protect IoT devices, despite 66 percent of IT professionals being “very concerned” about the threat of malware to IoT apps. And 75 percent said using IoT apps increases security risk either “significantly” or “very significantly”.

While awareness of security threats and risks exists, the necessary preventative action is not being taken. The onus is on the industry, including device makers, software developers and service providers to create an ecosystem of trust. Security needs to be baked into the production process, and could be considered a marketable feature.

Why is it happening?

Another security issue relating to device makers is the difficulty in updating or patching many IoT devices, even when a vulnerability is discovered. According to Forrester, many companies are developing IoT firmware using integral open source components in a rush to get product to market, without any roadmap for updates or plan for fixes. This makes it impossible for security teams to sort out vulnerabilities quickly, once notified.

These issues stem from device makers never having to concern themselves with security. Many IoT developers come from backgrounds in consumer goods or industrial equipment, where they have never created products connected to the internet.  The IoT era has changed this, and OEMs now need to consider security as a priority at manufacturing stage - and plan for support in the future.

What can be done?

As evidenced by the Ponemon Institute research, more must be done at manufacturing level to incorporate security measures into IoT devices. Furthermore, IoT-connected devices need to be updated on a regular basis, with OTT updates and patches a must.

But there are some big challenges ahead, according to Forrester. Many IoT devices do not adhere to basic security requirements. There is still a jungle of IoT standards and protocols and no clear picture as to privacy and security responsibilities.

One company that has taken the lead on remote, over-the-air software updates is Tesla Motors. The manufacturer of electric cars has a mechanism in place to update customers’ cars while they sit in driveways, parking lots or garages, in much the same way that smartphones receive the latest software or OS upgrades.

The way forward.

Not every business has the security expertise to develop and deploy IoT devices and services. To encourage the use of IoT best practices, Microsoft is championing governments getting involved. “Governments can enable better security outcomes by promoting best practices that range from security-by-design principles to sector-specific product development and risk assessment guides,” Microsoft said in a whitepaper on Cybersecurity Policy for IoT.

This is happening already in South Korea, where the Internet and Security Agency has published a guide on IoT security principles for the lifecycle of IoT devices.

Collaboration, it appears, is both essential and urgent if IoT is to be secured to enable it to reach its incredible potential in connecting us all for the better.

Distributed Denial of Service (DDoS) attacks are getting bigger and more sophisticated.  Find out more about how Orange Business’ three-pronged solution can help protect your infrastructure. Listen to a recording of our webinar here.