IoT Devices Earn a “Fail” for Security: The Rise of Automated Attacks and Large-Scale Infections

IoT devices are considered one of the most dangerous network appliances because they are notoriously easy to hack and most owners ignore the necessary security precautions. Vendor notifications, security experts’ analyses, and even system administrator reports all agree on this. The problem persists, as large infections continue to make headlines.

IoT Devices Fail at Security

IoT devices are pervasive and are being offered to both home users and large companies. Regardless of their intended audience, Aberdeen reports indicate that the number of attacks against smart products is rising and a quarter of all cyberattacks will explicitly target IoT appliances by the early 2020s.

To understand this neglect, we must understand how IoT devices are supposed to work. Once a device is powered on, it needs to be configured properly so that it integrates with both the Internet and the private local network (intranet). Depending on the device’s implementation and operating conditions, different configurations are necessary to provide the most effective protection.

The exposed resources that contain sensitive information should only be accessible through a secure account or via a connection that is made through the local network. However, in practical terms we see that most of this functionality is accessible via web panels or remote connections protected with only default or weak credentials. This allows devices to be easily hijacked using automated methods like password brute force attacks. As a result, unsecured IoT devices constantly expose their services and open themselves up to being tracked using search engines like Shodan.

The Recent FreeRTOS Bug Shows How Thousands of IoT Devices Can Be Hacked in Seconds

In October, researchers identified a multitude of FreeRTOS security bugs that allowed hackers to abuse IoT devices. This discovery is one of the most useful illustrations of inadequate IoT security right now. FreeRTOS is among the most common operating systems used by IoT devices, so a large percentage of smart products were vulnerable to attack until they received an update after the disclosure. In total, researchers identified 13 bugs within the base operating system alone. Their nature ranged from remote code execution and information leakage to denial-of-service, along with one whose impact was unspecified.

Following public disclosure of the flaws, the FreeRTOS support team issued the necessary patches. The problem is that not all vendors implement fixes such as these in a timely manner. And even if each IoT device manufacturer releases a patch, not all users will apply them. Because most devices lack an auto-update option, device owners will need to take the initiative to stay on top of their IoT devices’ security. They’ll then need to follow step-by-step update guides, which can be complex.

It goes without saying that the consequences of IoT intrusions can be devastating. Many IoT devices currently perform duties related to security or automation. Given such functionality, attackers can not only monitor compromised smart devices but also reconfigure them in ways that render them useless. For example, bad actors can manipulate security cameras and alarm systems to turn off live feeds or disable sensors. If the attack proves successful, burglars can then easily break into physical stores or homes.

Types of Attacks Against IoT Devices

Burglary is certainly one possible consequence of a compromised IoT device. But it’s not the only one, especially when attackers decide to go after a large number of smart products. With these types of attacks, bad actors commonly pursue one of three goals:

  • Botnet Recruitment – Attackers connect vulnerable IoT devices to a malicious network called a “botnet.” When instructed, bad actors will conduct a DDoS (distributed denial-of-service) attack using the botnet to take down systems or entire networks. Such a campaign can seriously disrupt the operability of a business. Consider the many iterations of the now infamous Mirai botnet, which has evolved into a family of malware threats that recruit vulnerable IoT devices. The end result is a massive international network of hosts that can be used to launch devastating DDoS attacks capable of taking down targets such as corporations and government agencies.
  • Device Hijack – Malicious actors can compromise IoT devices and then shut them down in order to adversely affect the network. In production environments, hijacking devices can sabotage the whole facility. Keep in mind that all IoT devices are part of a network and interact with other hosts by providing them with services. Using only a few lines of code, a cloud hosting solution can be reconfigured into distributing dangerous malware to all available hosts.
  • Land and Expand – IoT devices are used both as network entry points and for controlling physical security appliances. This means that a successful infiltration will expose the entire network and all resources contained within it. Once they have a foothold in a network via an IoT device, intruders can spread laterally to other devices, including computers and servers, to access information such as sensitive user data, IP, credentials, and confidential corporate data. In addition, as described above, when the devices responsible for physical security are hijacked, attackers can move laterally to physical security appliances that allow physical access to a secured location. Examples include door access controls, security cameras, and control gates.

Security Teams Must Take Extra Steps to Secure IoT Devices

Consider the fact that IoT devices are already placed in hospitals and that any tampering with them can cost human lives. Some of the devices infected with ransomware during the WannaCry epidemic were imaging systems, nurse call systems, infusion pumps, patient monitors, and gateways. Given their vulnerabilities, and the ease with which bad actors can take advantage of them, it’s clear that not enough is being done to strengthen IoT security.

Statistics show that despite this worrying fact, IoT devices are projected to grow to a very large percentage of the total Internet-connected appliances. Infections of these smart products will likely continue, as there is no apparent change of behavior by the device manufacturers and vendors.

There is no single solution to the IoT security problem as new vulnerabilities and weaknesses are identified daily. Merely patching known bugs is not enough as not all of the attacks are carried through network exploits. System administrators need to carefully plan and coordinate how the smart infrastructure is integrated and how it fits in the deployed network infrastructure.

The IoT devices, by definition and purpose, act as network servers – they provide certain functionality and, just like regular servers, their work needs to be monitored. This can be done by configuring the necessary network monitoring solutions in order to watch for suspicious behavior that can reveal a possible network intrusion and malicious network activity.
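As an added illustration of the monitoring this paragraph calls for (example code written for this article, not a vendor’s tool), the script below runs two simple detections over constructed log lines: repeated failed web-panel logins from one source, the brute-force pattern described earlier, and a device opening telnet connections to many hosts, the spreading behaviour of Mirai-family bots. The log format, thresholds, and addresses are all assumptions.

```python
# Added example: two detections a network-monitoring setup for IoT devices
# could run. Log lines are constructed for this example (not a real format).
from collections import defaultdict
import re

# Constructed sample log lines: an IoT camera's auth log and firewall conn log.
SAMPLE_LOGS = """\
iotcam auth: failed login user=admin src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: failed login user=admin src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: failed login user=root src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: failed login user=admin src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: failed login user=admin src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: failed login user=admin src=203.0.113.7 dst=192.0.2.10:80
iotcam auth: ok login user=operator src=198.51.100.3 dst=192.0.2.10:80
fw: conn src=192.0.2.10 dst=203.0.113.21:23
fw: conn src=192.0.2.10 dst=203.0.113.22:23
fw: conn src=192.0.2.10 dst=203.0.113.23:23
fw: conn src=192.0.2.10 dst=203.0.113.24:23
fw: conn src=192.0.2.10 dst=203.0.113.25:23
fw: conn src=192.0.2.11 dst=198.51.100.9:443
"""

FAILED_LOGIN = re.compile(r"failed login user=(\S+) src=(\S+) dst=(\S+)")
CONN = re.compile(r"conn src=(\S+) dst=(\S+):(\d+)")

def find_bruteforce(log_text, threshold=5):
    """Return {(src, dst): failures} for sources with >= threshold failed logins."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[(m.group(2), m.group(3))] += 1
    return {k: v for k, v in failures.items() if v >= threshold}

def find_telnet_scanners(log_text, min_targets=4):
    """Return {src: distinct_targets} for devices fanning out on TCP/23.
    A camera or gateway has no reason to open telnet to many hosts; this is
    the spreading pattern Mirai-family bots show after recruitment."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN.search(line)
        if m and m.group(3) == "23":
            targets[m.group(1)].add(m.group(2))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_LOGS))
    print("telnet scanners:", find_telnet_scanners(SAMPLE_LOGS))
```

In a real deployment the same two rules would run over the device’s syslog export and the edge firewall’s connection log, with thresholds tuned to the device’s normal behaviour.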

Also, whenever possible, use two-factor authentication alongside the best security practices for setting up account credentials on all accessible infrastructure. This will significantly decrease the possibility of brute force and dictionary attacks.

In short, security teams need to assume that IoT devices are inherently poor at securing themselves, so they must take added steps to protect the other devices on the network and the data stored there.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.