IoT device security is not just about the devices themselves
By the end of this year, there will be more than eight billion internet of things (IoT) devices connected worldwide, according to analysts Gartner – from electricity meters to smart fridges. While IoT device security is of course essential, the challenge of securing IoT is a task for everyone in the ecosystem.
Every manufacturer needs to step up and take ownership of securing their own devices. While that should go without saying, we have to state the obvious – with the plethora of connected devices joining the internet every day, there is currently no way to police this issue – and it will continue to hamper development of B2B IoT.
Beyond IoT device security, vendors and network operators need to be aware of what happens when their devices are compromised and commandeered into the massive botnets we have already begun to see.
Beaming, a UK B2B ISP, recently stated that the rise in the implementation of IoT devices is contributing to the rise in cyber-attacks. According to the business provider, attacks on remote devices increased three-fold during the last quarter of 2017, compared with the same period last year.
Beaming has found that 70% of attacks are targeting connected devices such as building control systems and networked security cameras. Industry commentators have, for some time, been pointing out some of the flaws in IoT deployment: just last November, a survey from Cradlepoint demonstrated that companies weren’t taking IoT security weaknesses seriously.
Sonia Blizzard, managing director of Beaming, drew attention to the vulnerability of such systems. She said: “2017 was the worst year yet for cyber-attacks on British businesses, whose IT security systems are under constant pressure from hackers and malicious computer scripts seeking to exploit any vulnerability.
“With most attacks targeting relatively simple devices connected to the Internet of Things it is possible many companies are already infected and don’t know about it. Keeping anti-virus software up-to-date is a good first step, but it isn’t enough to combat the growing threat,” she said.
According to Tara Seals from Infosecurity magazine, bad bots are big – and getting bigger. There was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors.
According to the Spamhaus Botnet Threat Report 2017, the company’s malware division identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. In 2017, nearly every seventh SBL listing that Spamhaus issued was for a botnet controller.
Of course, not all botnets are bad bots; but Spamhaus’s Botnet Controller List (BCL), which exclusively lists IP addresses of botnet servers set up and operated by cybercriminals, saw listings increase by more than 40% in one year (and more than 90% since 2014). On average, Spamhaus is issuing between 600 and 700 BCL listings per month.
“Looking forward to 2018, there is no sign that the number of cyber threats will decrease,” Spamhaus noted in its report. “The big increase of IoT threats in 2017 is very likely to continue in 2018. We are sure that securing and protecting IoT devices will be a core topic in 2018.” This will likely correspond with an uptick in DDoS attacks.
“The latest 2017 threat report from Spamhaus shows a notable uptick in detected botnets, compared to 2016,” said Stephanie Weagle, vice president of marketing at DDoS specialist Corero Network Security, via email. “The increase is no surprise, given the recent trend of leveraging poorly secured IoT devices, and is only set to increase given the increasing sophistication with which devices are being compromised and recruited. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the risk of being hit by a damaging attack for those not properly protected is higher than ever.”
Bottom line – vendors need to start taking IoT device security much more seriously, and operators need to be able to identify and neutralize the impact of compromised IoT devices.