Traditionally, InfoSec teams had a difficult but straightforward job: they needed to understand their assets, know what they were connecting to, and separate them from the outside world. That standard has changed: many devices are now introduced into the workplace by employees, visitors, partners, and other outsiders. Any device that can connect to a network, whether or not it is built to be malicious, can cause disaster to both the data and the networks IT Security is responsible for protecting.
So, what exactly is The Internet of Evil Things? First, we need to define evil, by which we mean malicious or harmful… purposefully or not. For the purposes of this report, we are defining a “connected device” as any device that can connect to a network or other devices via a wired or wireless signal.
IT security professionals (rightfully) expect that connected devices will be a major security headache in 2017 – but still struggle to get a grasp on how to account for, track and monitor those devices, a report from Pwnie Express found.
IOT—LIFE AFTER MIRAI
On October 21st, 2016, a massive Distributed Denial of Service (DDoS) attack took down large portions of the Internet across the United States. It quickly became clear that the only way an attack that large could have happened was with an unprecedented number of computers. In this case, connected devices like webcams were being used as unwitting accomplices in the biggest DDoS attack in history. How were they being “recruited”? By a clever piece of malware that took advantage of unprotected, web-connected devices with weak or non-existent passwords. As with other botnets, anybody’s devices could be a part of the zombie mob.
Historically, over 60% of IoT devices are consumer devices, which is troubling considering that consumers are the group least likely to consider or improve the default security of their device. An ESET and National Cyber Security Alliance study of 15,527 consumers revealed that 43% of end users had not changed the default passwords on their home routers. Consumer IoT devices include any internet-enabled device, such as webcams, printers, routers, mobile devices, etc. There are currently a quarter of a billion CCTV cameras worldwide. In many countries, including the United States, most home users who purchase television or internet access are provided with a company-specific DVR or router. These IoT devices often rely on generic or default administration credentials that most end users neglect to change. Other devices have hardcoded vendor default credentials that end users cannot change.
“Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device.” “In this case, default credentials can be used to ‘Telnet’ to vulnerable devices, turning them into ‘bots’ in a botnet.”
Attackers hacked IoT devices via SSH or Telnet accounts, exploiting known vulnerabilities or using default passwords that had not been changed by the owner of the targeted systems.
Flawed IoT devices can be found using the Shodan search engine: https://www.shodan.io/
What Is Being Done to Secure the IoT?
The IoT security issue has also given rise to new alliances. A conglomeration of leading tech firms, including Vodafone, founded the Internet of Things Security Foundation, a non-profit body that will be responsible for vetting Internet-connected devices for vulnerabilities and flaws and will offer security assistance to tech providers, system adopters, and end users. IoTSF hopes to raise awareness through cross-company collaboration and encourage manufacturers to consider the security of connected devices at the hardware level.
Online Trust Alliance recommendations:
- Developers and manufacturers:
  - Proactively communicate to customers any security and safety advisories and recommendations.
  - Products which can no longer be patched and have known vulnerabilities should either have their connectivity disabled, the product recalled and/or the consumers notified of the risk to their personal safety, privacy and security of their data.
  - Provide disclosures, including on product packaging, stating the term of product/support beyond the product warranty.
  - Update websites to provide disclosures and security advisories in clear, everyday language.
- Retailers / Resellers / eCommerce Sites:
  - Voluntarily withdraw from sale products being offered without unique passwords or without a vendor’s commitment to patching over their expected life.
  - Apply supplementary labels or shelf-talkers advising buyers of products with exemplary security data protection and privacy policies.
  - Notify past customers of recalls, security recommendations and of potential security issues.
- Consumers and users have a shared responsibility. Users need to:
  - Maintain devices and stay up to date on patches.
  - Update contact information including email address for all devices.
  - Regularly review device settings and replace insecure and orphaned devices.
- ISPs should consider the ability to place users in a “walled garden” when detecting malicious traffic patterns coming from their homes or offices. In concept, this would allow basic services such as 911 access and medical alerts, while limiting other access. Such notifications can advise consumers of the harm being incurred, and the need to make changes, replace devices or seek third party support.
- Fund outreach and education, working with trade organizations, ISPs, local grassroots organizations, media, State Agencies, and others to raise awareness of the threats and responsibilities. Focus on teachable moments such as at the time of purchase, inclusion in billing statements and emails to installed base of users and notices to ISP customers.
- Prioritize “whole-of-government” approach to the development, implementation, and adoption of efforts and initiatives, with a global perspective. Coordinated efforts will help to ensure the industry can innovate and flourish while enhancing the safety, security, and privacy of consumers, enterprises, and the nation’s critical infrastructure.
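The ISP recommendation above depends on recognising a malicious traffic pattern from a home or office; one such pattern is a single subscriber attempting Telnet connections to many different hosts in a short time. The following is an added example, not code from the Online Trust Alliance or the original article, that flags such subscribers as walled-garden candidates from flow records. The record format, the port set 23/2323, the 60-second window and the threshold of 20 destinations are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}        # assumption: ports treated as Telnet
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
MIN_DISTINCT_DSTS = 20           # assumption: alert threshold


def find_telnet_scanners(lines, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Return {subscriber: peak distinct Telnet destinations in any window}
    for subscribers whose peak reaches min_dsts.
    Assumed record format: "<ISO timestamp> <subscriber> <dst ip> <dst port>"."""
    per_sub = defaultdict(list)
    for line in lines:
        ts, sub, dst, port = line.split()
        if int(port) in TELNET_PORTS:
            per_sub[sub].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for sub, events in per_sub.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # shrink the window until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            # count destinations, not connections, so repeated logins to
            # the same host do not inflate the score
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_dsts:
            flagged[sub] = best
    return flagged


def constructed_sample():
    """Constructed flow records using documentation address ranges."""
    lines = ["2017-01-10T12:00:05 sub-1001 192.0.2.10 23",     # one Telnet session
             "2017-01-10T12:00:09 sub-1001 198.51.100.7 443"]  # ordinary HTTPS
    # sub-2002: 25 different destinations on Telnet ports within 25 seconds
    lines += [f"2017-01-10T12:01:{i:02d} sub-2002 203.0.113.{i + 1} "
              f"{23 if i % 5 else 2323}" for i in range(25)]
    # sub-3003: 30 connections, but only ever to the same two hosts
    lines += [f"2017-01-10T12:02:{i:02d} sub-3003 192.0.2.{10 + i % 2} 23"
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for sub, peak in find_telnet_scanners(constructed_sample()).items():
        print(f"{sub}: {peak} distinct Telnet destinations within {WINDOW}")
```

The result is a list of candidates for notification or restricted access; the restriction itself, and keeping services such as 911 and medical alerts reachable, is left to the ISP's own provisioning systems.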