October 22, 2018
IoT Security Update: Attacks, Standards & Top IoT Defenses
The need for Internet of Things security (IoT security) and IoT security standards has never been higher. IoT threats and attacks are on the rise, increasing by 600% in 2017. Recent IoT-based DDoS attacks are increasing monthly as a result of the growth in IoT units shipping. Cyber criminals are always looking for new platforms from which to stage attacks, and the number of IoT units could be over 3 billion by 2020.
Another good indicator of IoT security risks can be seen by looking at the rate and type of vulnerabilities discovered and reported in the news. In a recent 30-day survey of security threat news, IoT vulnerabilities and attacks comprised 15% of articles published. Here is a list of recent IoT threat news over only a 30-day period.
Top IoT Vulnerabilities/Attack News within Recent 30 Days
1) Multiple D-Link routers open to complete takeover with simple attack
2) MikroTik router software flaw allows remote execution of code
3) Sony Smart TV bugs allow remote access. Future Crypto-mining is possible.
4) Samsung & Roku Smart TV bugs discovered by Consumer Reports testing lab
5) D-Link WAP software flaw allows remote code execution
6) IoTs used as proxies to create fake social media traffic (likes, dislikes etc). Spread by worms
7) 83% of home and small office routers have known open-source vulnerabilities
8) Nine NAS bugs open up security vulnerabilities in Lenovo and Iomega units
9) 3 Times the # of IoT malware samples found in 2018 vs 2017
10) Critical vulnerability in Cisco Video Surveillance Manager
Obstacles to IoT Security for Device Manufacturers and Security Vendors
Of course, security vendors are trying to respond to increased IoT security threats. But these vendors are challenged to offer bulletproof security for IoTs because:
- IoT devices are made by 1,000s of manufacturers, making it difficult for security product vendors
- IoT devices do not use a standard platform that can be secured by one software solution. And even if they did, each IoT device offers custom application functionality which presents its own risks.
- IoT devices have limited system resources making robust security difficult for device manufacturers and potentially security vendors trying to develop embedded security
- Many IoT companies do not take security seriously or use best security practices. This lack of security in the design and ecosystem means bad coding practices, poor access control, lack of privacy control, spotty updates, and lack of 3rd party control
- There are no established standards that are universally adhered to (but this will change)
- There is no required security testing before a new IoT can be sold
- IoT devices are frequently installed in insecure ways in companies and in homes
What About IoT Security Standards for IoT Device Manufacturers?
Won’t IoT security standards fix everything? No, they won’t, but they would help. IT departments and home owners need to do their part to secure IoTs in their environment. Network isolation, proper configuration and strong access control are just a few areas that must be controlled by IT admins and home users.
Leading the IoT security standards effort are consumer groups engaged in the day to day testing and standards definition of consumer products. “The Digital Standard” is a standard created by Consumer Reports, Disconnect, Ranking Digital Rights & Cyber Independent Testing Lab. The Digital Standard is an ambitious, open, and collaborative effort to create a digital privacy and security standard to help guide the future design of consumer software, digital platforms and services, and Internet-connected products.
Emerging IoT Security Standards
Other groups are trying to define IoT security standards at the federal, state and industry standards level. Here are some of the standards in development or recently passed.
- A weak new California IoT Bill (Senate Bill No. 327) – Passed September 28, 2018. This is a very weak bill focused on vague references to creating secure products with appropriate access control authentication and privacy
- NIST International Standard for IoT (Under review) – Broad standard for government and commercial use covering all types of IoT devices with the goal of confidentiality, integrity and availability (standard security regulation objectives). It includes a detailed definition of what IoTs are and maps various IoTs into eleven (11) NIST cybersecurity core areas. The NIST standard focuses on the IoT devices and how those products should support traditional risk-based security standards.
- Pending 2017 U.S. Federal Bill (Internet of Things (IoT) Cybersecurity Improvement Act of 2017) – Will require contractors who provide IoTs to comply with NIST IoT standards
Who is Testing IoT Devices & Advocating for IoT Security
Lots of companies offer testing services on IoT devices, but how many are getting tested to a strong security standard? Right now, not many. Since security standards start with IoT code design, security design and development standards, these must be tested as software is being developed. This form of software application testing is available from software testing companies. IoT finished product testing is being provided by companies such as Consumer Reports, who are testing against “The Digital Standard” for security. This form of testing has just begun.
The American Consumer Institute Center for Consumer Research is advocating for enhanced testing and their tests show that 83% of consumer Wi-Fi routers have security vulnerabilities.
How can IoT Device Manufacturers build More Secure Devices?
IoT device manufacturers are being driven to be compliant with what is emerging as a common set of IoT security standards. Governments, standards groups and large customers are leading the charge.
Similar to GDPR and cyber security regulations like HIPAA, IoT security has two major goals.
- Built to be Secure with Security Over Time
- Products Should Preserve Consumer Privacy
Security Focus is on:
- Access Control:
  - Unique default passwords
  - Users must change passwords to strong passwords
  - 2-factor authentication is required for devices
  - Password system resists attempts to break it or break into the device
- Encrypted Information Storage and Communications
- Known Exploit Resistance – Browser attacks, hacking attempts
- Security Oversight – Manufacturer security audits, 3rd party audits
- Security Over time – Supply chain security, Automatic updates of firmware for critical releases, Notifications of new important releases
- Vulnerability Program – Mechanism to report, track and fix vulnerabilities
- Privacy Control – Visibility, Control, Disclosure, Reasonable data retention, 3rd party data sharing control
- Other areas of Focus include:
  - Hardware assurance
  - Software assurance
  - System security design and engineering
  - Security automation and monitoring
Top 9 Defenses Against IoT Security Threats
Here is a short list of what companies should do to secure their environments as more and more IoTs are introduced into their networks.
- IoT Vendor Selection – Find out what your IoT vendors are doing to be secure. Have a vendor selection checklist
- Visibility – Discover the devices on your network continuously. Categorize and report
- Secure Network Design – Segment IoTs into separate Networks and isolate as much as possible
- Secure Installation and Configuration – use best practices
- Access Control – 2-factor or better authentication, Strong passwords, Privilege Control
- Ongoing Automatic or Supervised System Updates (to fix vulnerabilities) – Test before install if possible
- Advanced Malware Protection – At Gateway, IoT specific
- Automated Monitoring of Entire Network for Compromised IoTs
- Quarantine unauthorized or compromised IoTs
For other information on how IoT security fits into the big picture, check out our two articles on 2019 Security planning.
A host of new or updated solutions have been or are being introduced to provide the above security protection. NACs are experiencing a resurgence with the goal of providing visibility, monitoring and control of IoTs. APT, network AI, SIEM and even NG firewall solutions can offer monitoring of network traffic, looking for rogue IoTs, malware detection, phone-home communication, DDoS, etc. Multi-factor authentication solutions are also important, though they may be built into IoTs.
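As an added illustration of the visibility, segmentation and quarantine defenses listed above (example code written for this page, not taken from any product it mentions), the sketch below audits a device discovery snapshot against an approved inventory. The IoT subnet, the MAC addresses and the snapshot format are all constructed assumptions.

```python
import ipaddress

# Assumed policy: the dedicated IoT segment and the approved inventory (MAC -> role).
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED = {
    "00:11:22:aa:bb:01": "iot",          # lobby camera
    "00:11:22:aa:bb:02": "iot",          # thermostat
    "00:11:22:aa:bb:10": "workstation",
    "00:11:22:aa:bb:11": "workstation",
}

# Constructed discovery snapshot ("mac ip hostname"), e.g. exported from DHCP or a NAC.
SNAPSHOT = """\
00:11:22:AA:BB:01 10.20.0.11 lobby-cam
00:11:22:aa:bb:02 10.1.5.40 thermostat
00:11:22:aa:bb:10 10.1.5.22 alice-laptop
de:ad:be:ef:00:99 10.20.0.77 unknown
00:11:22:aa:bb:11 10.20.0.9 bob-laptop
"""

def parse_snapshot(text):
    """Return (mac, ip) pairs; MACs are lower-cased so lookups are case-insensitive."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0].lower(), ipaddress.ip_address(parts[1])))
    return devices

def audit(devices, approved=APPROVED, segment=IOT_SEGMENT):
    """Return (mac, ip, action) for every device that violates the policy."""
    findings = []
    for mac, ip in devices:
        role = approved.get(mac)
        in_segment = ip in segment
        if role is None:
            # Not in the inventory at all: candidate for quarantine.
            findings.append((mac, str(ip), "quarantine"))
        elif role == "iot" and not in_segment:
            # Approved IoT device sitting on a general-purpose network.
            findings.append((mac, str(ip), "move"))
        elif role != "iot" and in_segment:
            # Non-IoT host inside the isolated segment weakens the isolation.
            findings.append((mac, str(ip), "review"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_snapshot(SNAPSHOT)):
        print(*finding)
```

Run on a schedule against fresh discovery data, a report like this gives the continuous "categorize and report" view and a list of devices to quarantine or re-segment.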