It was recently reported that Kaspersky saw a 9x increase in attacks – 105 million attacks from 276,000 unique IP addresses – on IoT devices in the first half of 2019 compared to the first half of 2018. This totaled 12 million attacks. These attacks on IoT devices are clearly outpacing the dramatic growth of IoT devices themselves. Once an IoT device is breached, it is usually conscripted as a botnet to upload malware to the device, which in turn, can be used to launch a DDoS or other type of attack. We have seen multiple such malware attacks – Mirai, Gafgyt, Hajime, Amnesia, Persirai, Remaiten, NyaDrop, to name a few. Alternatively, malware on IoT devices, such as home cameras are used to gather private consumer information, which is then used maliciously, for example, sold on the dark web for monetary gain, as ransom against the user, etc.
The IoT device: A valued target for hackers
What is it about IoT devices that make them a favorite target for hackers and other malicious actors? First and foremost, it is simply the number of IoT devices out there. By some estimates, there are already about 10 billion IoT devices deployed across the world and this will grow to more than 25 billion in the next five years. That is about four devices for every person on earth. The sheer scale of these devices and the inconspicuous location or mode of their deployment creates the sentiment of “out of sight, out of mind.” This provides a unique breeding ground for shady characters to take advantage of these devices. Most devices are deployed by consumers, who are potentially not knowledgeable enough about online security threats or those who may not be careful enough. Once these devices are deployed, they are usually left and not tended to until disaster befalls.
So how do we protect these devices?
To answer this question, it is important to understand how IoT devices are compromised in the first place. The easiest way for hackers to gain access to IoT devices is through a brute-force trial-and-error method: logging into these devices using a set of the most commonly used default username and passwords known among IoT device manufacturers. The second most common entry point for hackers is any known vulnerabilities in devices whose firmware has not been updated. The third most common entry point is weak or no authentication on IoT device. These authentication mechanisms could be a simple clear-text password or weak cryptographic algorithms that can be easily broken using brute-force methods. Another favorite method is a hidden backdoor, which are usually provided by device manufacturers for customer support purposes.
To make sure that we protect the devices and the attacks that emanate from them, we have to take a two-pronged approach. The first involves how we strengthen the security of IoT devices themselves. The most common protection mechanism against the vulnerabilities above is maintaining hygiene:
(1) Change the default username and password before connecting the device to network
(2) Keep track of firmware updates published by manufacturer and apply them as soon as they are available
(3) Ensure all software/firmware updates to IoT devices are secured through a mix of checksum, encryption, and trusted source of update
(4) Use a two-factor authentication mechanism with strong cryptographic algorithms for authentication
(5) Be aware of any hidden backdoor and secure it with either strong authentication or close it for good
(6) Deploy network policies such that the IoT device can only talk to a limited set of services in the network
(7) Finally, reboot the device whenever you feel the IoT device is acting strangely
Secure the devices and now, secure the network
With the IoT devices secured to the best of our ability, let’s look at securing the network from potential attacks from compromised IoT devices. No matter how secure we make IoT devices, the sheer number and variety of devices mean that there will always be some that are vulnerable – those that do not conform to the latest security posture/policy. These will be sufficient enough that they, collectively, become a bigger threat.
The main threat to the network and the services hosted on the network is malicious traffic from IoT devices conscripted as botnets. If we are able to filter out malicious traffic from compromised IoT devices, then we have a solution. The simplest way to do this is to build a blacklist of things, such as IP address, web URLs, etc. that we need to watch out for and filter those packets out whenever encountered. This essentially builds threat intelligence based on historical attack data that can be applied on the packets at critical points in the network using devices such as firewalls or intrusion protection systems.
However, the build-up of threat intelligence is a somewhat slow process compared to the proliferation of IoT devices. To stay one step ahead of the threats, we need to employ machine learning (e.g., using classification algorithms) to dynamically identify certain patterns of data that may potentially be malicious to network services. For example, if we can identify that a unique pattern of data (that is usually not in our threat intelligence blacklist) is emanating from multiple source IP addresses in the network toward a specific destination IP address, then it could potentially point to a coordinated DDoS attack that may be emanating from multiple IoT devices towards a specific service. An unsupervised classification algorithm could be used on a randomly selected set of packets to identify such a unique pattern of data. This attack may be very short-lived and dynamic, which makes a relatively static threat intelligence blacklist rather useless.
Yet another important way to limit potential attacks from IoT devices is by using managed connections. In this method, we take advantage of the fact that IoT devices are designated for a specific type of service with a pre-determined set of application servers and we limit the packets generated by IoT devices to go to only those pre-determined set of destination servers. For example, if we are using IoT devices to keep track of all the public parking spaces in a smart city, then the packets from these IoT devices are allowed to go only to the parking application server that is providing the location of open parking space to a mobile app. If these IoT devices generate any kind of malicious traffic towards any other services, that traffic will be dropped by the network and the appropriate alarm will be generated to parking service provider. The provider can then take corrective actions. This could be as simple as rebooting the IoT device to get rid of potential malware.
Leverage edge computing environments
Emerging edge computing environments provide us another layer of protection against attacks coming from IoT devices. Over the last decade, advancements in computing have really outpaced the advances in networking throughput. In other words, it is cheaper to provide compute capacity where the data exists rather than moving chunks of data to where compute capacity exists. Most of the data is generated by devices or users at the periphery of the network. So, if we provide enough compute capacity at the edge of the network, we can process most of the data at the edge and let only aggregated or critical data traverse to the core of the network. If we put enough intrusion protection capabilities in the edge compute environment, we would be able to filter out most of the malicious traffic coming from the devices connected to that environment. This helps us provide distributed and layered protection to our network and services.
In summary, IoT devices provide us with a wide range of exciting capabilities and services, and this will only expand with the transition to 5G. However, it is very important for us to, not only secure the IoT devices themselves by practicing good security hygiene, but also to secure the network using threat intelligence, machine learning, and by employing managed connections. And as edge computing begins to proliferate, take advantage of these environments to expand intrusion protection at the edge where all of these devices connect.