In a recent article about U.S federal policy concerning IoT security, Justin Sherman identified several gaps in both cybersecurity and privacy policies. As Sherman has highlighted:
The United States federal government, like the rest of the world, is increasingly using IoT devices to improve or enhance its existing processes or to develop new capabilities altogether. But its policies on how to use those devices haven’t nearly kept pace. Not only is this problematic in theory—imagine, for instance, what would happen if thousands of electrical grid IoT sensors were hooked up with weak passwords and no strong encryption—but this has already threatened national security: Back in January, when researchers tracked U.S. military personnel over the Internet via their wearable devices, we saw the real dangers of using IoT devices without robust data privacy protections. This happened again over the summer when researchers traced military and intelligence personnel from around the world through the fitness tracking app Polar. In short, the government continues to implement IoT systems, as do their employees—that isn’t going to stop—but it’s happening without the proper policies to ensure it occurs safely.
At the same timeframe, California was to be the first State to sign a bill to set cybersecurity standards for web-connected devices. The California bill seeks to address some of the security flaws identified during the Mirai botnet attack, setting baseline cybersecurity standards for IoT devices where none exist. Although this bill could lay the groundwork for stronger IoT cybersecurity legislation at both the state and federal level, the bill’s language is too vague to be effective, and it offers an example of how not to approach IoT security.
Security researcher Robert Graham said that despite the good intentions, the bill “would do little improve security” because “it’s based on the misconception of adding security features.” He went on to say that “the point is not to add ‘security features’ but to remove ‘insecure features.'” According to Ruth Artzi, the bill would only protect against “the most basic automated threats.”
The security researchers highlight that current IoT security policies have fundamental gaps to address the emerging IoT security threat environment. Let us have a closer look on the latest trends in IoT security in order to understand the problem.
First of all, the threat landscape.
Though IoT security technology maturity is on the rise in industrial settings, transport and automotive, government and public services, Forrester has predicted more damaging attacks for 2018. Regarding the nature of the attacks, the report predicted that those trying to cause damage and chaos for political, military and social reasons are expected to be preceded by monetary ones.
Another report from Gartner warns that “new threats will emerge through 2021 as hackers find new ways to attack IoT devices and protocols, so long-lived things may need updatable hardware and software to adapt during their life span.”
Bruce Schneier explained in a post that IoT integrity and availability threats are far worse than confidentiality threats. He further noted that there are serious security challenges regarding embedded systems and IoT devices because they are “riddled with vulnerabilities” and there is no good way to patch them. On top of unpatched systems and the issue of software control, Schneier highlights that there are challenges regarding the highly interconnected nature of IoT and the automation/degree of autonomy of these devices.
The aforementioned are confirmed by a recent study by Kaspersky Lab. In accordance with the report, cybercriminals’ interest in IoT devices continues to grow, and in the first half of 2018, we had three times as many malware attacking smart devices as in the whole of 2017, whereas in 2017, there were 10 times more than in 2016. While the most popular attack and infection vectors against devices remains cracking telnet passwords by brute force attacks and downloading malware of the Mirai family, cybercriminals are constantly on the lookout for new ways of infection. An example of the use of “alternative technology” is the Reaper botnet, whose assets at the end of 2017 numbered about two million IoT devices. Instead of brute forcing telnet passwords, this botnet exploited known software vulnerabilities.
In accordance with the same report, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users.
Another type of payload is linked to cryptocurrencies.
Given the low processing power of smart devices, the victim IoT device acts as a kind of key that opens access to a high-performance PC. On the other hand, the VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.) and sending it to the cybercriminals’ server. The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks but often as home routers.
The aforementioned analysis combined with the huge attack surface of IoT devices creates an explosive mixture. According to Cisco, there are currently 4.9 billion connected devices today with an expected 12 billion by 2020. As consumers and businesses adopt more IoT devices and threats continue to multiply, securing those devices easily and at scale has become a daunting task.
The second challenge to be addressed by policy makers at all levels is the business side behind IoT devices.
Device manufacturers operate in a world of physical devices where security is limited to what is only essential in order to keep costs down and delivery times short. This results in device security being implemented improperly not because the device maker doesn’t want to do it but because they are not effectively guided on how to do it.
The latter brings into discussion the fact that device security is often omitted or left as an afterthought because it takes too much effort and cost to understand and implement it. Here is a big misinterpretation of where the cost lies: it isn’t in the software required to effectively meet security standards but just to understand security itself. Education. Personnel security awareness.
Needless to say, the more connected critical infrastructure becomes, the more interesting it gets for the “bad guys,” especially in times of state-sponsored attacks. While security gets more “intelligent” and leverages artificial intelligence that’s more integrated/embedded and holistic, including new technologies that promise to bring a more secure IoT, the human dimension and common sense remain important.
The analysis highlights one thing, as Justin Sherman correctly said:
There is an urgent need for clear industry standards for IoT device cybersecurity and data privacy that promote innovation. We need security education and awareness programs for all employees. We need robust cybersecurity cultures that supplement these technical and operational practices in addition to cultures that respect and value the protection of data privacy. But above all, the U.S. federal government should address the emerging IoT security landscape in their IoT security and privacy policies.
About the Author: Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years worth of experience in managing IT projects and evaluating cybersecurity. Anastasios has been honoured by numerous high ranking officers for his expertise and professionalism and he was nominated as a certified NATO evaluator for information security. He holds certifications in information security, cybersecurity, teaching computing and GDPR from organizations like NATO and Open University and he is also a certified Informatics Instructor for lifelong training. Anastasios’ interests include exploring the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible. Currently, he works as an informatics instructor at AKMI Educational Institute.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.