The Internet of Things (IoT) is transforming businesses around the world, making them safer, more efficient, productive, environmentally friendly and agile.
But there’s a real danger that these new systems could not only be used to infiltrate corporate networks or be hijacked to participate in botnets, but also to cause widespread panic and endanger lives across new smart city environments.
The Australian government in 2016 announced its $50 million Smart Cities and Suburbs Program to encourage projects that improve the liveability, productivity and sustainability of cities and towns across Australia. As projects get closer to becoming a reality, this threat is very real.
To mitigate the threats posed by our new IoT-powered world, action is needed at every layer of this complex ecosystem. That means driving manufacturers to develop more secure devices, organisations to implement and configure them more securely, and the security industry to step up with practical solutions to keep systems safe going forward.
On the radar
Many businesses are expressing concerns about an IoT market that’s expanding fast, but driven by commercial and functionality demands rather than security. Many are concerned about the exposure of personal data, botnets and network compromise.
They certainly have cause to be concerned. There are more than eight billion IoT devices in the market today and over 20 billion expected to be deployed around the world by 2020, according to a variety of sources. With over seven billion specifically for use in businesses, the size of the corporate attack surface is growing rapidly.
The Mirai attacks of 2016 demonstrated that many devices can be conscripted into botnets simply by trying known and factory-default username and password combinations. The infamous IoT botnet took down major websites via massive distributed denial-of-service (DDoS) attacks using hundreds of thousands of compromised IoT devices.
As security pros warned, however, exposed endpoints could also be hijacked as a useful stepping stone into corporate networks. The issue is that many IoT devices are left unprotected and unpatched, despite being always-on and connected to the public internet. Many IT departments don’t even know they exist if they’ve been purchased by other enterprise groups.
The FBI recently issued a new warning about IoT devices. It claimed that everything from network-attached storage (NAS) devices to satellite antennas, routers and IP cameras could be hijacked and used to commit click fraud, credential stuffing and spam campaigns, or simply to obfuscate the origin of malicious traffic.
“Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses,” the FBI claimed. “Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.”
While these are all legitimate concerns, what happens when the IoT device is itself the final target?
When smart cities attack
Recent research from Threatcare and IBM X-Force Red uncovered a staggering 17 zero-day vulnerabilities in smart city products from three little-known IoT companies: Libelium, Echelon and Battelle. These included basic mistakes such as default passwords, authentication bypass flaws and SQL injection vulnerabilities. Even worse, hundreds of these vulnerable devices were found to be exposed to remote access by anyone on the internet.
The researchers claimed that this combination of poorly engineered kit, implemented insecurely, could allow for potentially “catastrophic” so-called “panic attacks” designed to interfere with the early warning and city management systems in place in many urban centres.
To this end, IoT systems could be exploited to silence flood sensors to prevent a warning being issued, or create panic by triggering one when there is no danger. They could do the same with radiation leak warnings in areas surrounding nuclear power stations. They could also create chaos in cities by hijacking traffic management systems and/or setting off building alarms.
As more of our cities come to depend on IoT systems designed to make them better places to live, they become exposed to digital threats. Simply ignoring the threat is the quickest way to a real-world scenario of the sort painted above. Instead, a cross-industry effort is needed to tackle these threats.
It starts with manufacturers getting serious about security. The truth is that IT buyers are increasingly wary of purchasing IoT devices because they can’t be trusted. That means there’s a huge opportunity for device makers to differentiate by investing more in security.
Buying more secure products is one thing, but organisations must also do their bit by ensuring they are implemented in secure systems. Leaving them exposed to the public internet is just asking for trouble. With in-house resources increasingly limited, this is where IT security managers could seek the advice of third-party experts, MSSPs and trusted vendor partners.
Fortunately, IT security vendors are catching up to the growing threat. IT managers should look for automated, centralised solutions that can enforce the full gamut of security controls right down to the IoT device level. Combine these with best-practice security, including regular pen testing and app scanning, strong password enforcement, regular patching of devices and network segmentation.
Pretty soon, you’ll begin to form the foundations of a strong, resilient IoT network. With the stakes this high, organisations can’t afford to keep their collective heads in the sand.
Mark Lukie is a senior sales engineer for Australia and New Zealand at Barracuda Networks. He has over 16 years’ experience in networking, security, backup/disaster recovery, public cloud platforms, as well as systems integration.