Friday 21st Oct 2016 has been billed as the first large scale cybersecurity incident from the IoT world. The widely reported attacks involved inserting malware into devices to turn them into a network of controllable bots that was directed to attack websites. One of the principal targets was Dyn the DNS provider to Twitter, Reddit, GitHub, Paypal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others. More than 10 million devices were alleged to be hacked and almost all (96%) of them were IoT devices, according to Level 3 Threat Research Labs.
These devices are typically headless (no screen) but are full-fledged (linux) computers . The IoT devices typically are more constrained with microcontrollers instead of CPU and real time micro OS like tinyOS, Contiki, mbed etc. However, there is no question that too will come. The source code of the Mirai malware has been open sourced fueling an arms race between attackers and defenders.
There are important public policy and regulatory aspects in the repeated vulnerability of the Internet but here we provide some advice on minimal steps we need to take to reduce basic vulnerability.
Network Operators (ISP, Cellular)
Network operators may end up being the spider at the centre of the web and play a central role in securing the IoT.
Cellular operators have traditionally not been very forthcoming on security and have long grappled with vulnerabilities in Signalling System 7 (SS7), which allows all operators to talk to each other. SS7 – the central-nervous system of the worldwide mobile network – connects our phones and allows us to move around while using them. More people use SS7 than the internet. This 1975 vintage system is full of vulnerabilities. Google “SS7 hacks” to see how WhatsApp or Telegram can be tapped. In IoT, we are dealing not just with information and money but life and death and the operators need to up their game quickly and by quantum jumps.
In the cat and mouse game being played out in cyberspace, the classical intrusion detection mechanisms are being bypassed. Attackers launch a few probes and if they fail, go away and attack some other device and come back to this device a bit later. Unless we correlate activity across large slices of time it becomes difficult to detect this behaviour. Attackers are simulating humans! The network operator can however detect sustained attempts by a bot across multiple sites. Operators should be much more proactive in shutting such bots down and blacklisting concerned ISPs. A proactive action to protect sensitive end-user installations can be a great value added service.
Smart Home User
1. Change default password in your home router. Ensure the trapdoor used by your service provider (ISP) and device manufacturer (Router maker) are locked down and not using defaults or easily guessed passwords. Since many routers (based on Linux variants) are already infected, you may even consider a factory reset or changing to a more secure version.
2. Review devices directly connected to Internet, i.e. those that have an IP address and are directly addressable. DLNA, uPnP are suspect. Disconnect where possible. Check with your supplier if an on-premise Hub can be a gateway and hide all devices from the Internet. This is the recommended architecture. See recommendations for device manufacturers below.
3. Arrange to shut down all incoming internet connections. At the minimum review and remove telnet, ssh etc. May need technical configuration at your router.
SmartFactory and SmartBuilding
4. Review recommendations 1-3 for SmartHome. Do a root and branch review of all routers. Upgrade and use trusted computing and hardware root of trust in securing WiFi and internet access points.
5. Review logging capability of the IoT network. IoT devices use non-Internet protocols like Bluetooth and IEEE 802.15.4-based ZigBee, Wireless HART, ISA 100.11a etc. For an in-depth look at IoT protocols, go here. Security information and event management (SIEM) tools are a bit rudimentary for these IoT networks. Consider open-source tools like Foren6 as a stop gap and work with your vendors to encourage development of proper tools. This is a good space for new products. (Entrepreneurs, behind every crisis is an opportunity!)
6. Segment the IoT network from the general internet connected one. Place the segmented IoT part under more aggressive and conservative controls.
7. Ask your IoT providers about security. An architecture which hides IoT devices behind a segmented network and funnels all incoming connections through a managed choke-point is a minimal starting point. It is very difficult and probably impossible to secure all IoT devices. More effort should go to managing the network and controls need to extend beyond firewall rules to commands and API calls. Encrypted outbound traffic needs extra care.
8. Consider an architecture which provides security. See https://t.co/mLQPh81a1l for an intro to IoT Stack
9. Most important is to hide IoT devices from the internet behind a IoT gateway. Many start-ups especially for the Smarthome build or roll out custom gateways. If you are connecting IoT device through BLE to smartphones or newer Routers, review and block incoming Internet connection.
10. Security has not been a major consumer concern. Our research indicates fatigue is setting in. How to configure and how to trust what works, when even Yahoo, LinkedIn and JP Morgan etc are hacked? For IoT, an incident movement is starting. See IamtheCavalry.org. Opportunity for brand positioning and innovation? How do you sell a car on safety? Some random ideas:
Consider a sticker on each device which provides auto-configuration credentials in a QR code for the segmented (Home) network. User scans using a smartphone and it configures the App or home router, IoT gateway. Consider a configuration-less PKI like DeviceAuthority.
Consider super-user activity (like switching over-the-air upgrade off), which changes critical functioning of device and builds defence like 4 eyes (two operators have to approve) or 2 factor authentication ( OTP).
Consider logging and forensics at the gateway.
11 Security in Design to Deployment: Consider what level of concern you need to address for your brand and engage skilled consultants to audit and review the threats and controls and the architecture you have adopted. Avoid temptation to roll your own crypto algorithms or update and patch delivery method. These are complex and non trivial. Open source middleware and IoT platforms are coming up (Kaa project, Iotivity , platfromio etc) and explore them. It may even be worthwhile to use a commercial platform.
Guest post by Arvind Tiwary & Vishwas Lakhundi.
Arvind Tiwary is chair TiE IoT Forum and member Taskforce on IoT security set up by CISO platform and IoT Forum.
Vishwas Lakkundi is an IoT Specialist & Consultant and a member of Taskforce on IoT security set up by CISO platform and IoT Forum.
Views expressed here are personal.