IoT Security Needs OEM, User Partnerships
2/21/2018 00:01 AM EST
Manufacturers and network administrators need to come together and weave a security defense for the Internet of Things.
For years, the security community warned of the possibility of attacks aimed at the Internet of Things. At the end of 2016, we finally got one, and it was a stunner. The Mirai botnet used an estimated 100,000 Internet-connected cameras, routers and other IoT devices to attack DNS provider Dyn, slowing or stopping Web service for some of the Internet’s biggest names, like Twitter and eBay.
By the end of 2017, one in six businesses had suffered an attack from IoT devices. If current trends are any indication, we expect that number to rise. While the crop of new devices is growing, most are still no more secure than they were in 2016.
Manufacturers can and should accept some of the burden for security. Waiting to confront security flaws until after a product has been pushed out leaves IoT devices open to a number of threats. At the same time, network administrators and cloud service providers need to take steps to prevent IoT exploits from damaging the rest of the network.
To begin with, device makers need to implement a system for updates after security flaws are discovered. Just a few months after Mirai took down Dyn, another exploit, known as BrickerBot, permanently disabled more than two million IoT devices using the same vulnerabilities as Mirai.
The author of BrickerBot said his goal was to disable devices to prevent the creation of large botnets, and he devised his attack to call attention to the security flaws. If manufacturers had a way to promptly update devices, BrickerBot wouldn’t have worked and wouldn’t have been needed.
Other security gaps in IoT devices have persisted, including the publication of backdoor access routes and default passwords. These are well-known points of access for hackers. Manufacturers should provide unique passwords for each device.
Data collected by IoT devices is also a concern since it’s rarely stored in encrypted memory. Manufacturers should use industry standard encryption practices to prevent leaking personal data. They also need to limit the amount of traffic these devices can generate to prevent them from overwhelming defenses.
Network professionals need to act as a second line of defense. For example, telnet access, the point of intrusion for Mirai, should be disabled.
The real reason manufacturers need to take the lead stems from the scale of the problem. Even with 95 percent of an estimated 20 billion IoT devices secured, the remaining five percent is enough to build 1,000 botnet armies of a million devices, each ten times larger than the one that took down Dyn.
Security is the job of nearly every professional. If everyone does their part, we can enjoy the benefits of the IoT with far fewer risks.
--Carl Herberger is the vice president of security solutions at Radware.