Mirai might be the most infamous attack on IoT devices – around half a million IoT devices were compromised and co-opted into the botnet – but similar stories are legion: cameras, doorbells, door locks and thermostats and almost any type of connected device you can name has been hacked and used to spread malware.
In many instances, compromise was achieved by failure to implement the most basic security precautions. Mirai used a list of less than 100 common factory default usernames and passwords and its perpetrators were aided and abetted by Shodan, a search engine that enables anyone to find and identify devices connected to the Internet.
According to ZDNet, Shodan can locate and identify a wide range of IoT connected devices around the world such as “webcams, security systems and routers.”
CNN Tech further explains that many of these devices have little security and often “use ‘admin’ as their user name and ‘1234’ as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.”
IoT Devices are the First Line of Defense
So, as long as a mechanism such as Shodan exists, the first line of defense for any IoT network will be the devices Shodan can detect and identify. Configuring these devices with unique IDs and passwords is the blindingly obvious first step.
According to Crytomathic, device hardening is no more than good housekeeping: “Hardening is the process to eliminate a means of attack by patching vulnerabilities, turning off non-essential services and configuring systems with security controls such as password management, file permissions and disabling unused network ports.”
Such precautions should be universally implemented, but much more can be done to stop the hackers at the very edge of an IoT network. This can be done by hardening the devices to add defenses beyond the basics: defenses that make them much more resistant to compromise.
Delivering IoT Security Through Device Hardening
This technique, device hardening, is one of 13 examined by Forrester Research in its TechRadar report Internet of Things Security, 2017 that it judges to be the most relevant and important technologies for delivering IoT security.
However, device hardening does not get a great rap. Here is what Forrester has to say:
“While IoT device hardening has potential to deliver strong security benefits, it is still a nascent technology area and one with potential for high costs and complexity. The above-average resource requirements and lack of maturity and standards means it will take one to three years for IoT device hardening to reach the growth phase.”
Forrester concludes: “IoT device hardening is still only relevant to higher security requirement use cases and not as applicable for general enterprise IoT scenarios.”
For Forrester, device hardening means a whole host of features that need to be designed into a device from the outset. Unfortunately, achievement of these runs counter to the objectives driving the design of many IoT devices: low cost and low power consumption.
Standards for Hardened Devices
One way to keep costs down, as Forrester notes, are standards, which Forrester says are lacking in the case of device hardening. However, there is some light at the end of the tunnel.
The Internet Engineering Taskforce has developed Constrained Application Protocol (CoAP) for use in resource-constrained Internet devices, such as wireless sensor network nodes.
According to the CoAP Overview website, “CoAP does not just pay lip service to security, it actually provides strong security. CoAP’s default choice of DTLS [Datagram Transport Layer Security] parameters is equivalent to 3072-bit RSA keys.” The site explains that CoAP “still runs fine on the smallest nodes,” and “has been designed to work on microcontrollers with as low as 10 kilobytes of RAM and 100 kilobytes of code space.”
According to IoT Agenda, CoAP is available and being deployed. They go on to explain that “the IoT realm is widely using CoAP as a protocol for home automation and in numerous industrial applications. It’s also used for managing devices using The Open Mobile Alliance’s (OMA) Lightweight machine-to-machine (LWM2M) protocol, and other organizations – including The Open Connectivity Foundation and ZigBee – are tapping CoAP as a core protocol for their frameworks and product implementations.”
That’s the good news. The bad news is that standards for other technologies that could secure low power, low resource devices remain in development. This Network World article lists several of them and notes, “while standards are proposed, debated and ratified, IoT device makers are shipping vulnerable devices with either the best available security features or as many as can fit their development schedules.”
Secure Protection at the Edge
However, on a more positive note, the development of these standards does mean that, while the Internet will remain at risk from easily compromised IoT devices, anyone building an IoT network a few years hence should be able to find devices with a good level of security; devices that will provide a high level of protection right at the edge of their network.
And even in a best-case scenario – where all future devices incorporate the best available security they are able to support – with the exponential growth of IoT, there will always be newly discovered vulnerabilities and billions of vulnerable devices just waiting to be discovered by Shodan and exploited for ill intent.
This underscores the importance of IoT devices supporting software updates, to remedy discovered vulnerabilitie after the fact. For example, devices that were victims of Mirai could be software updated to stop functioning until the default user name and password are replaced, thus disrupting the attack.
- Blockchain for IoT Security: Potential Still Unrealized
- The Potential of API for IoT Security
- Securing IoT: The Potential of Public Key Infrastructure
- Securing IoT : Threat Detection using Security and Behavioral Analytics
- Securing IoT: Segmentation At Scale
- Securing the Internet of Things: Identity in an IoT world