24 Jan IoT… The Internet of Hacked Things
Ok, we’ve got trust issues. We admit it. As networking guys, when it comes to the Internet of Things (IoT), we see the benefits but operate on the assumption that every device – no matter how small or insignificant – has already been hacked; you just don’t know it yet.
If a piece of equipment is collecting and exchanging data with embedded software or electronics and using your network to do it, you’re a few hacked keystrokes away from potential disaster. But can you safely utilize IoT and capitalize on its many advantages without risking security? The short answer is yes… and no. First, some recent history.
One of the most massive attacks impacting some of the most popular websites on the planet, occurred just a few short months ago. According to Brian Krebs of Krebs on Security, the attack was carried out with the help of hacked CCTV video cameras and digital video recorders (the kind in use by large and small businesses, hospitals, financial institutions, the government… you name it). By using these devices to attack Dyn, an infrastructure company that powers some of the Internet’s biggest sites, hackers were able to impact global giants like Amazon, Twitter, and Netflix, among others.
The attack’s origins can be traced back to Mirai, a malware strain that had targeted Krebs’ own site in September 2016 in an attack that was almost twice the size of the biggest attack Akamai, Krebs’ security provider, had ever seen. The hacker behind Mirai, decided to share the wealth, publishing the Mirai source code for like-minded hackers to use in launching their own massive attacks. And launch an attack they did, with the help of seemingly innocent IoT devices.
A Matter of Life and Death
The healthcare industry is already making use of IoT, and IoT devices in the industry have already been targeted by hackers. A lot of the devices at a patient’s bedside, like heart rate monitors, blood pressure monitors, medication dispensers and IV lines are their own IoT devices and can be vulnerable depending on the network they sit upon.
St. Jude Medical (not affiliated with the hospital of the same name), has been called out as a potential victim for cyber attack on its implantable cardiac devices. If hacked, the STJ cardiac devices could malfunction, run at a dangerously rapid rate, or result in premature draining of device batteries.
The Risky Business podcast recently discussed the issue with Dan Guido, the head of Trail of Bits, who says security vulnerabilities were originally uncovered by MedSec. Published reports suggested that attacks on STJ would require less skill, and could be directed randomly at any device within a 50 foot radius of the company’s “Merlin@home” IoT monitoring devices.
According to Guido, picking the right target is key in these attacks, as it tends to work best when the target is in a highly-regulated industry like healthcare, where the government regulating agency may step in and issue penalties against a company that is not adopting reasonable cybersecurity measures.
Securing Your IoT Devices
The safest route to take is to assume that your IoT devices are already vulnerable. Most manufacturers simply aren’t committed to your security. But that doesn’t render you totally defenseless.
Separate your IoT devices from your other networks, and monitor your IoT network continuously to make sure the equipment is using steady and appropriate bandwidth. If you see a spike, something’s going on, and it’s probably not good. Keep in mind that your devices almost certainly have vulnerabilities and if one is detected, act accordingly and immediately. Consider the security cameras example mentioned earlier. These types of devices have a lifespan of about 10 years so essentially, you have a network of security cameras panning your hallways and parking lots for at least a decade, providing some guy in a dark room wearing a hoodie and sunglasses, an entry point to the lifeblood of your business. Protect your network.
What Can You Do?
Cisco’s Jasper platform is a leader among IoT service platforms, making it possible for companies to quickly launch and monetize IoT services globally. The company offers insights on the existing challenges and makes recommendations on best practices that help companies to overcome them in its white paper, “Best Practices for Implementing Global IoT Initiatives.”
They outline six best practices for integrating IoT into an organization:
- Automating the day-to-day tasks necessary for monitoring and managing connected devices
- Implementing real-time monitoring for connected devices to enable rapid issue resolution
- Opting for detailed reporting to fully capitalize on data to drive rapid and accurate decision-making
- Utilizing BI (business intelligence) to contain costs for IT and other support services
- Providing always-available service for customer satisfaction
- Capitalizing on new revenue opportunities by entering new markets and expanding your business globally
Additionally, Level3 Communications, which operates fiber networks throughout the world, provides some additional IoT security suggestions:
- Use strong authentication
- Eliminate non-essential services (or at least disable them prior to installation)
- Use devices with secure protocols to support encryption
- Implement protocols that can verify data integrity, such as signatures
- Plan for continuous upgrades to mitigate the risks that tend to plague connected devices
- Properly secure hubs and other central access points
Trust. The Internet of Things is a great thing but manufacturers are asking us to put an inordinate amount of trust in the things they’re selling. As we’ve seen time and time again, blind trust is not without its perils.