The new wave of the internet is among us. We are now in the era of the “Internet of things," (IoT) sensors and devices that connect to the internet from your home IP. Does your fridge have a computer component that tells you the weather? What about a fridge that can connect to your mobile phone through an app? Yep, those fridges are IoT devices too. This wonderful new era with all of the conveniences it gives us comes with new challenges for security professionals.
Here are just a few of the questions you need to ask yourself as a security professional:
- How do we protect these devices?
- How to check for vulnerabilities in the software?Where are these devices located i.e publically reachable or in your corporate network ?.
- Where are these devices located i.e publically reachable or in your corporate network ?.
What and why is the growing concern facing the home user?
Take the example of the home user: This typical user wants a home security system because they want to monitor what happens in and around their home. They purchase a DVR with Wireless Cameras. They then set up the cameras to attach to their wireless home network (wifi). Then they allow access over the internet for the DVR (to record what the cameras catch). Here is where the problem starts - and this is what we have seen time and time again - some users (if not a majority of them) don’t think to change the passwords on the cameras or put an ACL to prevent unauthorized connections to the camera. Now, that home user has just contributed to the IOT issue. Look at what Mirai has done by scanning the internet for devices such as cameras with weak or default passwords in order to exploit them for use as a node on a botnet.
Now, comes another issue with the average home network itself. Most home users and some small businesses use consumer grade "off the shelf" routers. Well, sorry to tell you, but most home routers from manufacturers like Dlink, Belkin etc., have been found to have major security holes. If you don't believe me, check it out here: http://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285 The article offer insight into this big problem.
Unlike your operating system that automatically updates, a router's firmware is usually a manual process. This is not always an easy task, especially for a home user. Here is where the problem emerges. The manufacturers often do not patch the holes in the first place!
So add poor security practices to vulnerable equipment and a lack of awareness and you have trouble. This is a recipe for disaster and we are starting to see the effects of it now that the last massive DDoS attack against DYN was found to be traffic from many IOT devices. Check this link for a good article on the details of the findings.
In the end, IoT is here to stay so we need to adjust our ways of thinking about security. Many of these issues were here before IoT like the poor use of passwords and default settings. Poorly written software causing security risks have been around for a long time, but the difference now is that there are a huge amount of devices. Now you usually have more wireless cameras and gadgets than computers. The vast amount of devices is making attacks like DDoS's exponentially more powerful.
How do we fix this?
- Better security awareness for the home user
- Better written software that is regularly checked and patched for holes
- Devices that have a randomized default password such as the MAC or serial that forces the user to change the password before the device works
The above is a starting point but is not the only solution; every case if different.