Internet of Things (IoT) devices are the newest round of devices directly connected to IP networks -- and network security risks.
In the past, static network connections were reserved first for a limited number of expensive computers, and then eventually made their way to enterprise desktops, users' homes, mobile devices and now, finally, a plethora of IoT devices.
Significant resources were devoted to connecting computers to static networks in the past, but these resources have dwindled in the age of the Internet of Things. The minimal resources devoted to connecting these devices to networks have resulted in even fewer resources spent on preventing IoT security threats.
If enterprises haven't been affected by IoT attacks already, such attacks should be on their list of issues to address. IoT attacks are inevitably coming, so it is important to learn how best to prevent or defend against them before it's too late.
Understanding the growing number of IoT security threats
Manufacturers and engineers who add network connectivity to their devices for the first time, without having learned the hard lessons encountered by more experienced developers, will inevitably make the same mistakes as their predecessors when designing their products -- such as assuming the network is trusted -- and will not plan for security incidents.
While there is little enterprises can do to prevent the security risks that result from poor manufacturing, evaluating a manufacturer's published software development practices is key to understanding how information security is included in its development processes. It may even be a good sign if the manufacturer outsourced the work of connecting the device to the network, since that raises the chance that an experienced software developer using secure development practices did the job right.
It's also important to note that IoT devices are exposed to the same attacks as other Internet-connected devices -- such as denial-of-service attacks or default accounts with default passwords -- and enterprises may have already encountered such issues. While an individual IoT device's attack surface may be smaller than that of a traditional desktop or server, when all IoT devices are added together, even minor security issues turn into significant problems, much like the issues encountered in the past when printers or SCADA devices were connected to networks.
One major IoT attack disclosed recently was found by Akamai Technologies Inc. Researchers reported distributed denial-of-service (DDoS) attacks that exploit insecure IoT device configurations. More specifically, attackers identified how the Simple Service Discovery Protocol (SSDP) can be abused to amplify responses to spoofed IP traffic so that devices participate in DDoS attacks. Researchers noted that attackers scan network ranges and send SSDP search requests to identify IoT devices; the response traffic is then sent to the target network as part of the DDoS attack.
How to prevent and defend against IoT security threats, attacks
On one hand, enterprises should be sure to secure their own use of SSDP. SSDP should be limited to specific networks and rate limited to minimize the traffic it can generate under attack. Enterprises may also want to scan their networks (similar to how the Shadowserver Project scans the Internet) to look for insecurely configured devices. If such devices are found, SSDP could be disabled or limited to an approved network. The device may also need an OS or software update to patch any SSDP vulnerabilities.
On the other hand, enterprises must also know how to defend against basic DDoS attacks. This has been covered in depth on SearchSecurity.com; DDoS plans should either be in development or already be in place at an enterprise.
However, defending against an IoT-related DDoS attack requires some additional steps. First, strong Internet border protection must allow only approved inbound network connections. If IoT devices cannot be reached directly over the Internet, it is much more difficult to get them to participate in a DDoS attack. If an IoT device needs to be directly accessible over the Internet, it should be segmented into its own network and have its network access restricted. This network segment should then be monitored to identify potentially anomalous traffic, and action should be taken if there is a problem.
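The scanning and monitoring step above can also be done from flow logs rather than by probing devices. The following Python script is an added example, not from the article or from Akamai's research: it walks constructed flow records (addresses are documentation ranges), flags internal hosts that answered SSDP (UDP 1900) to external addresses, and reports the bytes-out to bytes-in amplification ratio, which is the signature of a device being used as a reflector.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = [
    ("203.0.113.7", 40112, "192.0.2.25", 1900, 120, 1),     # inbound SSDP search, external source
    ("192.0.2.25", 1900, "203.0.113.7", 40112, 3400, 10),   # device answers that external address
    ("203.0.113.7", 40113, "192.0.2.26", 1900, 120, 1),
    ("192.0.2.26", 1900, "203.0.113.7", 40113, 2900, 9),
    ("192.0.2.30", 52000, "239.255.255.250", 1900, 130, 1),  # normal local multicast discovery
    ("192.0.2.26", 1900, "192.0.2.30", 52000, 350, 1),      # normal local unicast reply
]

# Assumed internal address space (hypothetical)
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_ssdp_reflectors(flows, min_ratio=5.0):
    """Return a list of {device, target, ratio} for internal hosts that sent
    SSDP responses to external addresses, where ratio is outbound response
    bytes divided by inbound request bytes for that device/external pair."""
    req_bytes = defaultdict(int)   # (device, external) -> inbound SSDP request bytes
    resp_bytes = defaultdict(int)  # (device, external) -> outbound SSDP response bytes
    for src, sport, dst, dport, nbytes, _ in flows:
        if dport == 1900 and is_internal(dst) and not is_internal(src):
            req_bytes[(dst, src)] += nbytes
        elif sport == 1900 and is_internal(src) and not is_internal(dst):
            resp_bytes[(src, dst)] += nbytes
    findings = []
    for (device, external), out in sorted(resp_bytes.items()):
        inbound = req_bytes.get((device, external), 0)
        ratio = out / inbound if inbound else float("inf")  # reply with no request seen
        if ratio >= min_ratio:
            findings.append({"device": device, "target": external, "ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for f in find_ssdp_reflectors(SAMPLE_FLOWS):
        print(f"{f['device']} answered SSDP to {f['target']} at {f['ratio']}x amplification")
```

Hosts it lists are candidates for disabling SSDP or moving to a segment where UDP 1900 is not reachable from outside.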
Enterprises can detect IoT devices on their networks through routine asset management or vulnerability scans. Any new device that doesn't match a known enterprise device profile could potentially be isolated and have its traffic redirected to a registration portal or network management system that automatically checks device security. This also could result in the device being placed in its own network segment.
Those developing IoT devices should certainly devote more resources to secure development. This includes building security into device design and configuration. This could potentially result in vendors shipping devices that are secure by default, possibly avoiding IoT DDoS security issues altogether. However, as convenience, usability and speed are often more important factors to developers than security, achieving this is likely a pipe dream.
Enterprises and ISPs should also advocate for the adoption of the Internet Engineering Task Force's Best Current Practice 38. BCP38 calls for network ingress filtering that drops spoofed IP traffic, which will help prevent an unwitting device from participating in a DDoS attack. If an attacker can't send spoofed traffic to the device, the device can't send the network traffic used for the DDoS.
The future of IoT security threats
Many of the devices connecting to networks via IoT have little legacy technical debt for their network connections. With these new devices should come new secure-by-default designs and configurations built on top of a secure-by-default operating system where only the core operating functionality for the device is enabled and secured. New and current developers should address these security challenges in the design of their devices to prevent future security incidents.
However, until that is done, it is up to users and enterprises to take the necessary precautions and put the proper controls in place to mitigate potential IoT security threats.
About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Lewis received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.