The Internet of Things (IoT) does not represent the future of IT: it’s already here. From factories to hospitals, traffic systems and connected cars to the smart home, IoT devices and systems are deeply embedded into the world around us. It’s estimated there will be over 30 billion of these connected “things” in the world by 2020. But an escalation in real-world attacks against consumer-grade devices has prompted new warnings about security gaps.
Channel players should keep a close eye on developments. There are already opportunities here to add value for partners and end users by promoting IoT security. These will only increase as the risks from insecure devices go mainstream.
An FBI warning
The latest high-profile alert comes from the FBI, which claimed at the start of August that cyber-criminals are actively looking for exposed IoT devices including routers, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices. It said that hackers are keen to use them as proxies to maintain anonymity and obfuscate network traffic. This in turn allows them to conduct illicit activity like click fraud, trading illegal goods and sending spam emails, without fear of being spotted.
That’s not all. IoT devices can also be conscripted into botnets which can be rented out, sold or used directly for credential stuffing, DDoS and crypto-mining attacks. This is not new. Back in 2016 the Mirai botnet hijacked hundreds of thousands of insecure consumer IoT devices, corralling them into launching DDoS attacks. One attack, against DNS provider Dyn, even managed to take some of the biggest names on the web offline temporarily, including Spotify, Twitter and Reddit.
Mirai works remarkably simply: it scans for IoT devices running the Telnet protocol and tries a list of 60 known credentials against each one. Because users often aren’t prompted to update their default log-ins, it was able to remotely take over any device protected by one of these insecure passwords. Since Mirai went public in 2016, multiple new strains have been detected with names like Okiru, Owari, Sora, Omni and Wicked.
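On the defensive side, the sweep described above shows up in a device's Telnet login log as a burst of failures under several usernames from one source, sometimes ending in a success. The sketch below is an added example, not code from the original article; the log line format, the thresholds and the addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: the log format and addresses are assumptions.
SAMPLE_LOG = """\
2018-08-10T03:14:01Z telnetd[412]: login failed user=root src=203.0.113.7
2018-08-10T03:14:02Z telnetd[412]: login failed user=admin src=203.0.113.7
2018-08-10T03:14:03Z telnetd[412]: login failed user=support src=203.0.113.7
2018-08-10T03:14:04Z telnetd[412]: login failed user=root src=203.0.113.7
2018-08-10T03:14:05Z telnetd[412]: login failed user=guest src=203.0.113.7
2018-08-10T03:14:06Z telnetd[412]: login ok user=admin src=203.0.113.7
2018-08-10T09:00:00Z telnetd[412]: login failed user=alice src=192.0.2.10
2018-08-10T09:00:20Z telnetd[412]: login ok user=alice src=192.0.2.10
"""

LINE = re.compile(r"^(\S+) telnetd\[\d+\]: login (failed|ok) user=(\S+) src=(\S+)$")

def detect_credential_sweeps(log_text, window_s=60, min_failures=5, min_users=3):
    """Return {src: {"failures", "users", "success_after"}} for sources that
    fail logins under several usernames inside one sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    alerts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # ignore lines in other formats
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        if outcome == "failed":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] |= users
        elif src in alerts and alerts[src]["success_after"] is None:
            # A success from a flagged source suggests a guessed login worked.
            alerts[src]["success_after"] = user
    return alerts

if __name__ == "__main__":
    for src, info in detect_credential_sweeps(SAMPLE_LOG).items():
        print(src, info["failures"], sorted(info["users"]), info["success_after"])
```

A source with a non-empty success_after is the one to act on first: the account it names should have its password changed and Telnet disabled on that device.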
Time to take notice
According to Symantec, attacks on IoT devices rose 600% from 2016 to reach 50,000 in 2017. Attacks are targeted not just at consumer devices but also the corporate sphere, where hackers could hijack endpoints to sabotage factory operations, infiltrate corporate networks to steal data or remotely control infrastructure to spy on the boardroom. That’s the threat associated with IoT: because these systems power everything around us from connected cars to smart kettles, attacks in the cyber sphere could have a major impact on the physical world.
But the IoT ecosystem is a complex one where multiple layers need to be addressed to help reduce cyber risk. There are opportunities for the channel to add value at each stage:
1) IoT manufacturers need to build security in right from the start of the design and development of new kit. This could include simple steps like making sure factory defaults have to be reset before use, or more complex security at the firmware/SoC layer.
2) Corporate and consumer users need to ensure they securely configure any new devices. There’s still confusion around what best practice entails in this area.
3) Ongoing management and security is the final key piece of the puzzle. IoT security solutions that can be plugged in at the cloud server, network or endpoint layer are already permeating the market.
As IoT endpoints become an increasingly important part of the world around us, the demand for security solutions to mitigate threats will only grow. Smart channel players will already be planning how best to serve the market.
© CONTEXT 2019