The recent distributed denial-of-service (DDoS) attack against DNS service provider Dyn, built of Internet-connected DVRs, video cameras, and other embedded systems, has focused the minds of security experts on the huge threat posed by Internet of Things (IoT) devices. It's the second recent massive DDoS attack, and it's the perfect lesson to make the "IoT threat" discussion concrete.
But the lesson isn't really about DDoS. Today's debate is dominated by the huge attack platform created by compromised IoT devices; chain together hundreds of thousands of connected cameras, and you can generate the largest DDoS attack the world has ever seen. But systemic IoT security flaws leave us vulnerable to many kinds of attacks. DDoS may be the least of our worries.
The same vulnerabilities that make IoT devices susceptible to being leashed into a botnet also make them the perfect points of entry into our data centers and clouds. To understand the scope of this threat, consider the range of embedded systems in use today — industrial and personal equipment that is now being connected to networks to make them smarter, more convenient, and more efficient. From GPS trackers to point-of-sale systems, connected light bulbs, manufacturing robots, and connected power supplies, more and more devices within organizations are exposed to the Internet. This exponentially increases the attack surface of organizations.
This threat isn't new. The hackers that breached Target back in 2013 got in through the firm managing Target's HVAC systems, then moved laterally to the point-of-sale system that they exploited to capture customer credit cards. And researchers at Black Hat have demonstrated vulnerabilities in the SCADA systems used to control oil rigs.
Despite this history, we're still seeing embedded systems produced with glaring security flaws. Case in point: October's massive DDoS attack was enabled in part by hundreds of thousands of connected video cameras shipped with default passwords. Why aren't we getting the message?
Part of the problem is that we've been building these devices (light bulbs, HVACs) for years,and we’ve never had to design them for this kind of security before. But even worse, these devices aren’t designed to be updated — who thinks of updating light bulbs? This means that even when a vulnerability becomes known, it can be incredibly difficult to patch because the systems aren't designed to be patched.
Those connected cameras that powered the recent DDoS? Well, even if users wanted to update that weak default password, the only way to do it would be to update their camera’s firmware, which requires a manufacturer update. And there's no established mechanism to do this.
It’s not as if we’re about to simply stop using connected systems to solve this problem — the efficiencies created by these devices are simply too great.
Defending our Systems
Instead, we need to begin defending IoT devices just like every other processor connected to our networks. You have to assume that attackers will get in at some point, monitor your IoT devices for compromises, and work to segment those IoT devices away from the rest of your network.
First, we've already seen intruders use IoT devices to move laterally through a data center to reach their real target. We can make this much harder if we use microsegmentation to shut down unnecessary connections between those IoT devices and the rest of the network. By limiting attacker movement, we greatly reduce the value of IoT devices as attack vectors, even if they could still be compromised.
Second, stopping the spread of diseases from our IoT patient zeros isn't enough. If you can't rely on these devices to remain secure by themselves, you can use security policy to create a new kind of visibility. By defining devices' legitimate operations, we can increase our ability to detect and respond when an attacker uses them in a way that breaks that policy.
Taking these steps is particularly challenging for embedded systems because they often run on stripped-down operating systems designed for maximum speed and minimum functionality. Unfortunately, this isn’t likely to change, because IoT consumers demand inexpensive solutions (remember, connected light bulbs must compete on price with normal light bulbs).
If directly monitoring embedded systems themselves will be challenging, we can still protect our networks by focusing on the devices to which they are connected. This won't eliminate intrusions, but it would help us respond and contain intrusions quickly and minimize the damage they cause.
Ultimately, we must develop more secure IoT platforms, and customers can have some influence on this by choosing secure products and holding developers to account. But these are both long-term efforts. In the meantime, segmentation and visibility — both on IoT devices and on the devices they connect to — are our best tools for managing the threats created by the expanding attack surface of IoT devices. This will help prevent our devices from being subverted into criminal botnets and help intruders seeking to use them as a launchpad into our most sensitive systems.
- Changing IoT Passwords Won't Stop Attacks. Here's What Will.
- 8 Ways IoT Manufacturers Can Improve Security
- DDoS On Dyn Used Malicious TCP, UDP Traffic
Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path.