IoT Insecurity: 6 Common Attacks and How to Protect Customers
… there are typically no security mechanisms at the IoT endpoint, and the attacker can remain hidden within a traditional enterprise security framework.
Mitigating IoT threats typically requires that the enterprise upgrade firmware and closely manage components. Both of these tasks can take a substantial amount of time, which is one reason IoT security is a great opportunity for partners.
Let’s look at how a successful attack might happen.
Attackers commonly scan for vulnerable connected devices. Once found, they propagate the attack like a worm to compromise a large number of devices in a short amount of time. For example, the Mirai botnet has been used to compromise millions of IoT devices, and Mirai has also been used to launch DoS attacks on cloud and network infrastructure. The Dyn-managed DNS service infrastructure was attacked by Mirai-controlled IoT devices, which ended up generating an estimated 1.2 terabits per second of traffic.
My team recently worked with a leading ISP that was attacked by a variant of Mirai. The attack exploited a command injection vulnerability in the TR-069 protocol on port 7547. Since this port was open and accessible from the internet, it enabled an outside attacker to mount a large-scale infection attack, rendering thousands of devices unusable. During the course of our investigation, we discovered another Mirai attack wave targeting routers that were using a default username and password combination.
These impacted devices were used as part of a DDoS campaign that targeted the ISP network infrastructure. The large-scale DoS originating from these devices within the network effectively choked the links and reduced the quality of service to its consumers, thus impacting business and consumer confidence in the ISP.
The above example clearly demonstrates the problem with default device configuration and weak passwords. As many IoT devices offer out-of-the-box connectivity, most users remain blissfully unaware of the inherent security risks — which is where partners come in.
Readying Cloud Security for IoT
As your enterprise customers move toward multicloud architectures, workloads must be segmented, and policy-based controls need to be applied to the connections between the various workloads; however, these fundamental cloud-security controls are not enough. If an attacker penetrates the cloud, he might be able to blend in with allowed traffic and move laterally from a compromised IoT device to a more attractive target.
First, some basics. Many IoT devices lack integrated security controls, which makes them attractive targets for the following exploitations:
- Passwords: Most IoT devices have default passwords baked into firmware that provide attackers with direct access to the device. The remaining devices are typically protected by weak passwords that make them easy targets for brute-force attacks. Look for the ability to reset passwords, and make sure it happens on each device.
- Protocols: IoT devices use a wide variety of protocols for local and remote-server communications. An insecure implementation of any protocol may allow attackers to eavesdrop on messages. For example, MQTT (message queuing telemetry transport) is a popular publish/subscribe protocol, used as a broker service to exchange messages between clients. An insecure broker will allow attackers to compromise the IoT network managed by the service, so make sure brokers run the most up-to-date versions.
- Interfaces: Some IoT devices use a RESTful API interface that allows the sensor to upload information over the internet. An insecure implementation potentially allows an attacker to access private information. The Google Nest thermostat weather-update service that leaked the home location of users is a prime example of an insecure RESTful API implementation that attackers were able to use to their advantage. Almost all IoT devices provide an interface so that they can be managed from the cloud, the web or a mobile device. If the interface is vulnerable, attackers can extract sensitive information, enumerate accounts and mount injection attacks, which might give the attacker complete control of the device.
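As an added example for the MQTT point above (not code from the article), a small Python audit that reads a Mosquitto broker configuration and flags the settings that leave a broker open to eavesdropping or to anonymous clients: no TLS on a listener, anonymous access, no credential store, no topic ACLs. The two configs are constructed samples; the parser understands only a subset of mosquitto.conf directives and assumes settings are global rather than per listener.

```python
# Constructed sample: a broker left on the defaults many IoT deployments ship with.
WEAK_CONFIG = """listener 1883
allow_anonymous true
"""

# Constructed sample: TLS listener, client certificates, credentials and topic ACLs.
HARDENED_CONFIG = """listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""

def parse_config(text):
    """Return (global settings, listeners) from mosquitto.conf text.
    Handles a subset of directives; settings are assumed global."""
    settings, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("listener", "port"):          # 'port' is the legacy form
            current = {"port": int(value.split()[0]), "tls": set()}
            listeners.append(current)
        elif key in ("certfile", "keyfile") and current is not None:
            current["tls"].add(key)              # TLS needs both on a listener
        else:
            settings[key] = value
    return settings, listeners

def audit(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    settings, listeners = parse_config(text)
    findings = []
    # allow_anonymous defaulted to true before Mosquitto 2.0, so unset is flagged too
    if settings.get("allow_anonymous", "true") == "true":
        findings.append("allow_anonymous: unauthenticated clients can publish and subscribe")
    if "password_file" not in settings:
        findings.append("no password_file: no credential store for client logins")
    if "acl_file" not in settings:
        findings.append("no acl_file: any connected client can read and write every topic")
    for lst in listeners:
        if lst["tls"] != {"certfile", "keyfile"}:
            findings.append(f"listener {lst['port']}: no certfile/keyfile, traffic is cleartext")
    return findings
```

Running `audit(WEAK_CONFIG)` returns four findings and `audit(HARDENED_CONFIG)` returns none; pointing it at a real broker's config file is a quick first check during an IoT deployment review.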
Beyond these, to prevent an attacker from moving deep inside the network and blending in with legitimate traffic, enterprises need …