Countering the attack

Is someone listening to your private conversations using your smart TV? Are criminals controlling your fridge? Or are DDoS attacks stopping you accessing the internet? Claire Woollacott, a technical consultant at Actica Consulting, asks: What are you going to do about it?

The internet of things (IoT) is a system of networked ‘things’ that can collect and exchange data. These devices can be virtually anything containing electronics, software, and / or sensors, such as computers; mechanical or digital machines; vehicles; buildings; or even people and can improve value to customers through intelligent feedback and added functionality.

The abundance of these devices has massively increased the amount of data (personal, commercial and ﬁnancial) that companies, and even individuals, can access, leading to big data being widely used to achieve goals - even in politics, with data scientists from Cambridge Analytica assisting Donald Trump in the US Presidential Election and the Leave Campaign during Brexit.

The amount of data available, even to traditionally non-technical companies, immediately raises the question of security, yet the security of IoT devices is often an afterthought. As the market is relatively immature, the main aim of most IoT companies is to rapidly, and cheaply, get devices to market.

Devices which will become integrated into the IoT often use old, unpatched versions of software, applications and even operating systems when sold, and are not typically updated or managed regularly - some not even allowing ﬁrmware updates. These IoT devices are usually lacking the rigorous security testing that is second nature when building more well-established devices.

In general, IoT devices are produced by smaller companies, by staff without extensive security skills, and often make use of third-party untested, uncertiﬁed electronics. These issues are compounded by the fact that the owners of these smart products often do not change default passwords - or if they do, they don’t choose sufficiently strong ones. This leaves the door wide open for attackers who could, for example, target the RFID tag in your passport to steal your personal information while you wait for a ﬂight, or invade your privacy, allowing paedophiles to spy on your child using your baby monitor.

There are also physical as well as virtual attacks, where the braking system on your car could be hijacked, for example, or your implanted insulin pump or pacemaker, putting you at the mercy of your attacker. By connecting to your home router, hackers can access all the devices in your home - which could even include your home alarm system - or locks!

Attacks

The number of IoT devices is projected to reach more than 50 billion by 2020 making the IoT a very appealing target for wide spread impact. Attackers use malicious software to scan the internet for machines which are easier to infect such as those secured only by factory default credentials. Once contaminated these machines can be incorporated together to form an ‘IoT botnet’ able to perform highly destructive illegal activities without the owners’ knowledge.

When most people think of botnets they imagine hacked computers, but in reality a large proportion are often made up of devices such as smart TVs, wearable ﬁtness trackers, fridges and even medical implants. Cyber criminals use these botnets to execute attacks, disseminate malware and distribute spam messages.

Over Christmas 2013 a cyber security company observed a botnet made up of more than 100,000 consumer devices that assisted with sending 750,000 spam and phishing messages in just two weeks¹. The most common form of attack is a distributed denial-of-service (DDoS) attack, where often thousands of unique IP addresses are used to prevent access to a device, website, service, network or other host connected to the internet.

Early last year, DDoS attacks reached such size that single attacks utilised over 145 thousand hacked cameras with traffic peaking at over a terabit a second, even with many countermeasures in place².

As the scale of attacks increase there have been calls for internet service providers (ISPs) to take proactive steps to combat the problem. Although some of the most substantial attacks have used malware (such as Mirai), which encrypts contaminated traffic to reduce detection, ISPs helped improve the situation by notifying infected customers when they observed malicious traffic. ISPs do not have the resources to clean up infected devices, but once informed most customers took steps to remedy the situation themselves.

Although practically impotent to purify networked machines, in 2009, 14 ISPs in the Netherlands took the drastic step of essentially quarantining infected users by precluding contaminated devices from connecting to their network, and Australian ISPs reduced polluted customers’ bandwidth.

Additionally, ISPs reduced spam by blocking emails sent using SMTP ports known to be commonly employed by certain botnets, (client email applications usually receive messages via different protocols utilising different ports). Both methods probably resulted in a tsunami of expensive help requests, but similar methods have also been employed in India, Brazil, and Turkey resulting in noticeable reductions in spam output.

However, these advances were drowned out by the sheer number of bot-infected devices that have emerged since the Mirai source code was published last year, a move that has been speculated to be in response to the elevated crackdown.

Countermeasures

With this mountain to overcome, strong countermeasures are needed. Most cyber security experts agree that the key way to improve IoT security is to improve the security of the appliances themselves. Quality and frequency of ﬁrmware updates should be improved as well as ensuring default passwords are randomised and not factory set in bulk.

There could even be prompts at installation to remind, or even force, you to change passwords. However, the added inconvenience could lead to users opting for simple passwords. Another solution may be to produce an accreditation or certiﬁcation route for IoT devices, but even then, as consumer surveys have indicated that the average consumer is unaware of the issues related to botnets, customers may purchase less secure IoT devices as they will ultimately be cheaper. Thus, perhaps the only way to solve this problem is to educate customers, so that they assess IoT products for the potential damage they can do as well as the beneﬁts they pose. This may change the tide and ensure manufacturers bear security in mind.

Advances are being made in this respect, as the Internet of Things Security Foundation (IoTSF), founded in September 2015, aims to improve security of the IoT by encouraging understanding of the risks and the best ways to combat them. It is relatively easy to understand the issues around defending privacy and safety, so the general public will probably be happy to pay more for things like certiﬁed baby monitors and cameras, and they would probably expect regulation for safety-related devices, such as those controlling aspects of vehicles. However, although you, as the savvy BCS reader, probably understand the need to secure peripheral devices, would it be clear to the masses?

Would the general public care about reducing DDoS attacks, which, in general are not aimed in their direction? Maybe not. Even some corporations are guilty of not considering security within their office networks, as printers don’t seem particularly hazardous to the business.

However, DDoS attacks are not the only worry for ancillary devices; perhaps the education should include examples of hackers using insecure toasters to gain access to wiﬁ details, and customer ﬁnancial information being stolen from Target by hackers gaining access through the heating system³. Hopefully increased education should lead to customers demanding secure devices, meaning the number of insecure devices produced will diminish. Nonetheless, this can never entirely solve the problem of IoT security, as no networked machine is impenetrable.

References

‘Internet of Things Devices at the Center of Biggest Cyber Attack in History - Smart Cities’, Memoori, 31/10/2016
‘DDoS attack that disrupted internet was largest of its kind in history, experts say’, The Guardian, 26/10/2016
‘Target Hackers Broke in Via HVAC Company’, Krebs on Security, 05/02/2014.

Further research

‘Data that turned the world upside down’, Motherboard, 12/04/2017.
‘Donald Trump’s campaign shifted odds by making big data personal’, Financial Times, 26/01/2017.
‘Brexit vote site may have been hacked, MPs say in report’, BBC News 12/04/2017.