Can you help customers cope with threats to new technology?

July 16, 2018

8 Min Read
IoT Security

Nedbal-Manuel_ShieldX-Networks-150x150.jpg

Manuel Nedbal

By Manuel Nedbal, Founder & CTO, ShieldX Networks

You’ve seen the explosion in connected devices and IoT technologies ranging from smart homes to drones and even autonomous bots. Gartner says there will be more than 20 billion IoT devices in the wild by 2020, as enterprises rapidly adopt connected devices for better process control and to improve their bottom and topline growth. Billions of connected devices will revolutionize how data is processed and consumed, but don’t underestimate the associated security risks for your customers.

Imagine a SMART bulb or HVAC unit in a secure network operation center beaconing its own radio protocol. Connected devices like these provide back doors for an attacker who might be sitting in the parking lot or building, one that might allow access to an otherwise secure environment. Because traditional security controls and network-security devices are not designed to detect and mitigate these types of threats, IoT devices pose a serious risk to enterprise infrastructure if they aren’t properly managed. Partners need to figure out how to help.

Common IoT Attacks

Our ShieldX Labs team has performed detailed analysis of IoT device threats and vulnerabilities. The following list outlines the most common attacks we’ve seen on IoT devices.

  • Privilege escalation: Attackers are exploiting IoT device bugs, design flaws and operating-system or software-application-configuration oversights to gain elevated access to resources that are normally protected from an application or user.

  • Eavesdropping: If a weakened connection between an IoT device and server is found, an attacker might be able to intercept network traffic and steal the possibly sensitive information that IoT devices transmit over enterprise networks.

  • Brute-force password attacks: Due to the weakness of most IoT device passwords, brute-force attacks can be effectively used to gain access to the device.

  • Malicious node injection: Using this method, attackers physically deploy malicious nodes in between legitimate nodes in an IoT network. The malicious nodes can then be used to control operations and snoop on the data flowing between linked nodes.

  • Firmware hijacking: If firmware updates downloaded by an IoT device are not checked to make sure they originate from a legitimate source, it’s possible for an attacker to hijack the device and download malicious software.

  • DoS: Hackers are increasingly turning to denial-of-service (DoS) attacks to take companies offline or steal their sensitive data. It has been reported that DDoS attacks increased 91 percent in 2017 thanks to IoT.

  • Physical tampering: Physical threats exist if devices are deployed in environments where it is difficult for the enterprise to control the device and the people who can access it. As the explosive expansion of IoT continues, I expect to see even more sophisticated attacks emerge. I expect that attackers will begin to use compromised IoT devices to move laterally inside a network and bypass a variety of security controls, then pivot to move deeper inside the network. Additionally, IoT devices will be used as an exfiltration route that will allow attackers to send sensitive information to themselves.

The Challenge of IoT Threat Mitigation

All of the IoT attacks listed in the section above are difficult to detect because …

… there are typically no security mechanisms at the IoT endpoint, and the attacker can remain hidden within a traditional enterprise security framework.

Mitigating IoT threats typically requires that the enterprise upgrade firmware and closely manage components. Both of these tasks can take a substantial amount of time, which is one reason IoT security is a great opportunity for partners.

Let’s look at how a successful attack might happen.

Attackers commonly scan for vulnerable connected devices. Once found, they propagate an attack, like a worm, to compromise a large number of devices in a short amount of time. For example, the Mirai botnet has been used to compromise millions of IoT devices. Additionally, Mirai has been used to launch DoS attacks on cloud and network infrastructure. The DYN-managed DNS service infrastructure was attacked by Mirai-controlled IoT devices and ended up generating an estimated 1.2 terabits per second of traffic.

My team recently worked with a leading ISP that was attacked by a variant of Mirai. The attack exploited a command injection vulnerability in the TR-069 protocol on port 7547. Since this port was open and accessible from the internet, it enabled an outside attacker to mount a large-scale infection attack, rendering thousands of devices unusable. During the course of our investigation, we discovered another Mirai attack wave targeting routers that were using a default username and password combination.

These impacted devices were used as part of a DDoS campaign that targeted the ISP network infrastructure. The large-scale DoS originating from these devices within the network effectively choked the links and reduced the quality of service to its consumers, thus impacting business and consumer confidence in the ISP.

The above example clearly demonstrates the problem with default device configuration and weak passwords. As many IoT devices offer out-of-box connectivity, most users remain blissfully unaware of the inherent security risks — which is where partners come in.

Readying Cloud Security for IoT

As your enterprise customers move toward multicloud architectures, workloads must be segmented, and policy-based controls need to be applied on the connections between various workloads; however, these fundamental cloud-security controls are not enough. If an attacker penetrates the cloud, he might be able to blend with allowed traffic to move laterally from a compromised IoT device to a more attractive target.

First, some basics. Many IoT devices lack integrated security controls, which makes them attractive targets for the following exploitations:

  • Passwords: Most IoT devices have default passwords baked into firmware that provide attackers with direct access to device. The remaining devices are typically protected by weak passwords that make them easy targets for brute-force attacks. Look for the ability to reset passwords, and make sure it happens on each device.

  • Protocols: IoT devices use a wide variety of protocols for local and remote-server communications. An insecure implementation of any protocol may allow attackers to eavesdrop on messages. For example, MQTT (message queuing telemetry transport) is a popular publisher/subscriber protocol, used as a broker service to exchange messages between clients. An insecure broker will allow attackers to compromise the IoT network managed by the service, so watch for the most up-to-date versions.

  • Interfaces: Some IoT devices use a restful API interface that allows the sensor to upload information over the internet. An insecure implementation potentially allows an attacker to access private information. The Google NEST thermostat weather-update service that leaked the home location of users is a prime example of an insecure restful API interface implementation that attackers were able to use to their advantage. Almost all IoT devices provide an interface so that it can be managed it from the cloud, web or a mobile device. If the interface is vulnerable, attackers can extract sensitive information, do account enumeration and mount injection attacks, which might provide the attacker complete control of the device.

Beyond these, to prevent an attacker from moving deep inside the network and blending in with legitimate traffic, enterprises need …

… solutions that allow them to evaluate all the data points from the application exploitation to lateral movement, deploying backdoor and exfiltration of data. Some of these events might happen over a span of days if the attacker is trying to evade enterprise defenses; therefore, it’s essential to employ solutions that are able to track the complete kill chain and stop an attack before it can cause significant damage to assets.

Protecting against IoT threats in cloud environments requires that we rethink how security controls are applied and enforced. To protect against known and evolving IoT threats, partners must have contextual visibility that allows them to monitor different segments of a customer network and apply policy at various boundaries as needed to block lateral movements.

Automation can be used to continuously discover new applications running or new devices connecting to the network, and then apply the appropriate static and dynamic security controls.

Using a microservice-based architecture for cloud security supports the flexibility necessary to discover IoT threats and apply security and policy controls in single, multi- or hybrid cloud data centers. Further, it can be helpful to have a tool that can correlate, learn and provide centralized intelligence and policy-based controls through a single user interface. This leads to a consistent approach across multicloud and highly virtualized environments, simplifies the management of security and reduces the burden on already overstretched partner and customer IT teams.

Bottom line, when customers deploy IoT devices, they come with security requirements that are distinct from traditional endpoint and data-center defenses. As a partner, offering a comprehensive security strategy will allow enterprises to reap the rewards of IoT without assuming the compounding risks.

Manuel Nedbal is founder and CTO of ShieldX Networks. Manuel serves as the engineering and architectural lead for the development of the ShieldX platform, and as its overall technical visionary. In his spare time, he leads the engineering organization, trailblazing inventive new approaches to its structure and processes.

Read more about:

Agents
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like