Nobody doubted that IoT security was a disaster when, well, disaster struck — the Mirai botnet took down swaths of the internet through a fairly simple, preventable attack.
But experts believe there are going to be more susceptible devices in 2017 than ever — and hackers will be on the lookout.
“Sometime during 2017 we should anticipate the release of an automatically propagating IoT worm that installs a small, persistent malicious payload that not only continues to infect and propagate amongst other vulnerable IoT devices, but automatically changes all the passwords necessary to remotely manage the device itself,” said Gunter Ollmann, CSO at Vectra Networks. “The owners of the now locked-out devices will be forced to pay a ransom to the mastermind behind the worm in order to learn the new password, thereby taking the ransomware threat to the next level. To prevent this worm — and future versions — device owners will not only have to preemptively change default passwords of the devices, but also manage the patch level of the kernel software on the device to prevent exploitation of new vulnerabilities.”
Rick Howard, CSO at Palo Alto Networks, noted that while security researchers have been sounding the alarm for years, we need to make sure we’re not missing the bigger picture.
“The thing is, the network defender community as a whole already knows how to prevent about 99% of playbooks that exist on the internet — including the 2016 DDoS attacks,” Howard said. “We have not been diligent as a community to deploy those prevention controls across the entire community. Therefore, in 2017, in an effort to stop future large scale attacks leveraging IoT devices, we’ll see the network defender community begin deploying these controls for better prevention.”
However, beyond the tried-and-true security basics such as encryption and strong authentication, Ryan Lester, director of IoT strategy at LogMeIn, says the IoT security problem needs a new solution.
“IoT brings with it a whole new set of security challenges that can’t be solved by retrofitting current security solutions and following the same old rules,” Lester said. “Companies must think thoroughly about how to manage one-to-many relationships, which is an outlier in today’s more frequent 1:1 device relationship.”
Matt Rodgers, head of security strategy at E8 Security, agreed, adding that traditional tools simply won’t be effective in the connected world.
“In 2017, monitoring an IoT environment with traditional tools will no longer be an option, both cost-wise and technically for the IoT owner,” Rodgers said. “With so many devices doing so many things, an attacker will have a very large surface area to find and exfiltrate personally identifiable information, which will increase the quantity of attacks and further reduce the potential cost of each attack for the attacker.”
Geoff Webb, vice president of strategy at Micro Focus, said that Mirai was potentially just the beginning — things could be a whole lot worse next time around, and it’s time for regulations to come up to snuff.
“With the number of IoT devices expected to reach into the billions, the potential scale of a well-coordinated IoT attack could be used to present a very real threat to the critical infrastructure of this country, online banking, emergency services, and commerce in general,” Webb said. “We should expect IoT security to quickly become part of the national security agenda, and to see governments starting to evaluate the role of legislation and safety standards for internet connected devices.”
Jeannie Warner, security strategist at WhiteHat Security, agreed: “I’m expecting/hoping to see a shift from the term ‘security’ to ‘safety’ as well as an increase in legislation mandating increased rigor of IoT security testing. I think that NIST’s SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. New guidelines will ideally force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organization manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure product.”