With tens of billions (yes, tens of billions) of new Internet of Things (IoT) devices going into service over the next few years, IT managers everywhere are now faced with yet another security challenge – making sure all of these vital additions to smart buildings, healthcare delivery, government services, and many, many more, are in and of themselves secure. And since even vital security services can depend upon IoT, the time is indeed now for a serious exploration of the issues, threats, and strategies required to make and keep IoT secure.
This guest post from Aerohive wireless and mobile expert Craig Mathias of Farpoint Group frames this vital discussion and explores what IT needs to consider and what actions need to be taken to successfully enter and exploit (sorry for the pun) the era of IoT.
Did you hear the one about a bunch of wireless cameras bringing down the Internet?
Unfortunately, and very sadly, this is not a joke. Internet performance management services company Dyn was recently the victim of a distributed denial of service (DDoS) attack that was prosecuted by malware known as Mirai. Mirai is a botnet, meaning it commandeers devices connected to the Internet and then makes them do its bidding, in this case attempting to drown critical services in otherwise-useless traffic so that their availability is severely impaired.
This attack degraded a number of popular Web services, and took some time to resolve. It’s not believed that any permanent or critical damage was done, but such remains a possibility in the future.
But what makes this particular security situation (there have, of course, been many, many other attacks as well) so notable for the moment is that Mirai infected what are popularly known as Internet of Things (IoT) devices, like consumer-grade security cameras, printers, routers, baby monitors, and more. The initial infection was possible in this case because the operators of these devices didn’t change the default password on a given device – a surprisingly common situation, at least to those of us who are networking and/or security professionals who’ve taken Security 101.
And while we might also consider that a fundamental issue with the architecture and implementation of the Internet itself is also highlighted here, IoT security is clearly now center-stage. And that’s a good thing.
Why? Because there’s unfortunately been a running assumption among many in the networking, and even analyst, communities that IoT security is somehow not worthy of front-burner consideration. I was recently asked by another analyst – literally – how much security trouble could a light bulb cause?
I’ll avoid repeating my indignant half-hour lecture here, but let’s look at just a couple of ways that a security failure in a smart, IoT-based light bulb might result in mischief or worse, apart from serving as a bot in something like the DDoS attack described above.
Like sitting in the dark? Like lights seemingly randomly going on and off? How about lights that won’t turn off, especially when energy good practice and even regulations so demand? And, again, this is “just a light bulb.”
How about adversaries listening in on microphones that would otherwise seem beyond compromise? Cameras that enable the nefarious to peek where they’re not welcome? It’s time to get with the program here – IoT security is a very, very real challenge that, when compromised, is just as potentially damaging as any other security breach. Scary? Yes – really, really scary.
Security is, to be fair, the one area within IT where no one is ever really “done.” New threats and challenges are constantly evolving and appearing, and security must thus be viewed as a process, not a result, while always remaining a vital goal.
That being said, the basics of security are well-established: encryption, authentication, physical security, and integrity (resilience). But because absolute security is and will remain an abstract, theoretical concept, the goal must be to make unauthorized access, information theft and/or modification, and tampering and disruption so difficult that only actors with access to nation-state-level resources and missions (read on) could successfully prosecute an attack of any form – and, hopefully, not even then.
We must thus make breaking security so difficult that attackers simply give up – yes, what’s needed is national-defense-level security, with only trusted staff allowed access, and, yes again, even to cameras. Maybe, as we’ve learned so far, perhaps especially in the case of cameras!
Let’s really bring the gravity of this issue home. You might have heard about the Stuxnet worm, an electronic-warfare attack clearly prosecuted by nation-states against IoT equipment (which, to be fair, was not connected to the Internet in this case; life would have been far easier for the attackers had it been such). And also about the case of the Jeep Cherokee that was commandeered over a wireless network. I own one of these vehicles, by the way, and I applied the security patch. But I won’t own it much longer!
IoT devices are typified by limited (but still often substantial) processing power, long battery life, broad environmental and task applicability, often wireless and even mobile connectivity, quick-connect support, wide-ranging communications topologies, and (of course) an IP stack. Perhaps the limited range of function and a (misplaced) assumption of security and integrity have led to the limited management visibility and attention herein noted, along with the negative consequences. But with tens – and eventually hundreds of billions – of IoT devices attached to the network and exposed to the Internet, it’s time to appreciate that IoT security requires the same high level of attention as any other aspect or element of security.
As we’ve discussed above, we cannot afford to be fooled by the limited applications functionality implied; it’s now clear that many IoT devices can wreak havoc on networks, even to the point of critical (if to this point temporary) damage.
From one perspective, IoT isn’t all that new – after all, we’ve had all manner of automation, process control, telemetry, and sensor-based computing in place for decades. But add Internet connectivity, and security simply must take center stage.