The IoT phantom menace: the (insecure) Internet of Things in 2017
If we are to believe the latest Gartner Hype Cycle for Emerging Technologies report, the Internet of Things (IoT) has not yet reached the Peak of Inflated Expectations and will not reach the Plateau of Productivity for another five to ten years. And yet it is already making headlines. They range from the amusing, like the eleven hours it took to get a connected kettle to boil water for tea, to the disturbing: the record-breaking distributed denial-of-service (DDoS) attack against the website of journalist Brian Krebs, the equally record-setting attack against Dyn (a provider of DNS infrastructure essential to the functioning of the Internet) that blacked out much of the web on the East Coast of the United States, and, more recently, the attack on home DSL routers that cut nearly a million German subscribers off from the Internet. The common denominator of these attacks? Vulnerable devices connected to the Internet and in the crosshairs of the Mirai botnet or its variants.
If the advertisements broadcast at the end of the year are any indication of what was given for Christmas, we can guess that a large number of connected devices ended up under the tree. We can also deduce, without going out on a limb, that the software these new gadgets run is no less vulnerable. It's the IoT phantom menace.
Faced with all these cameras vulnerable to SQL injection (SQLi), these DVRs with default passwords that cannot be changed, these home security systems that can be hacked at will and whose firmware cannot be updated, and these routers whose configuration can be changed without authentication over an unencrypted connection, the question is what can be done.
Faced with the looming threat of larger and more damaging attacks, we could turn to neo-Luddism and give up these technologies, or actively set about destroying them. The threat would of course be neutralized, but this "solution" is as impractical as the prognosis is unrealistic. We could just as well entertain the equally utopian hypothesis that we will suddenly become better programmers and magically make all these flaws disappear. Here instead are some concrete tips that will be useful whatever your job.
Are you a product manager or a program manager? Take inspiration from Benjamin Franklin: "An ounce of prevention is worth a pound of cure." Hardly a radical position, but an excellent starting point. You must build security, and a security life cycle, into the design of your products. It may sound daunting, but it is actually easier (and, better still, cheaper) than it looks. Skeptical? Read John Overbaugh of InfoSecure.io's excellent recommendations on running a Secure Development Lifecycle (SDLC) on a budget. On cost, keep this point in mind: reworking a product's design and implementation in the last phase of a project because it failed the security audit carried out during validation will still cost you less than redesigning and rebuilding the product after it has shipped.
Are you a developer or an IT engineer? Bad encryption is little better than no encryption. Try the Cryptopals Crypto Challenges. Learn how to perform penetration testing, because you can be sure that someone's red team will attack your software, so you might as well get there first. By understanding how attacks on applications actually happen, you will learn to avoid common mistakes and write more secure code.
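To make "bad encryption is little better than no encryption" concrete, here is an added example in the spirit of the first Cryptopals set; it is not code from the article or from Cryptopals. A single-byte XOR "cipher" and a repeating-key XOR cipher are broken using nothing but English letter frequencies. The frequency table, the sample plaintext and the keys are constructed for the example; the repeating-key break assumes the key length is already known (guessing it is a separate Cryptopals exercise).

```python
import string
from typing import Tuple

# Rough English letter frequencies in percent, with space as the most common
# symbol. Constructed for this example; any reasonable table works.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074, " ": 13.0,
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is the single-byte cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(candidate: bytes) -> float:
    """Score how much a byte string looks like English: reward common letters
    and spaces, stay neutral on other printable bytes, punish everything else."""
    score = 0.0
    for b in candidate:
        c = chr(b).lower()
        if c in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c]
        elif c not in string.printable:
            score -= 50.0  # control or high bytes almost never appear in English text
    return score


def break_single_byte_xor(ciphertext: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and keep the one whose output scores most like English."""
    best_key = max(
        range(256),
        key=lambda k: english_score(xor_with_key(ciphertext, bytes([k]))),
    )
    return best_key, xor_with_key(ciphertext, bytes([best_key]))


def break_repeating_key_xor(ciphertext: bytes, keysize: int) -> Tuple[bytes, bytes]:
    """Every keysize-th byte is XORed with the same key byte, so the ciphertext
    splits into keysize independent single-byte problems solved column by column."""
    key = bytes(
        break_single_byte_xor(ciphertext[i::keysize])[0] for i in range(keysize)
    )
    return key, xor_with_key(ciphertext, key)


# Constructed sample plaintext; the attacker never sees it or the keys.
PLAINTEXT = (
    b"Bad encryption is little better than no encryption. A repeating XOR key "
    b"looks like a cipher, but every byte of key leaks through the statistics "
    b"of the English text underneath it, so an attacker who never sees the key "
    b"recovers it in a fraction of a second."
)


def demo():
    """Encrypt with a hidden key, then recover the key from the ciphertext alone."""
    ct1 = xor_with_key(PLAINTEXT, b"\x3b")
    key1, pt1 = break_single_byte_xor(ct1)
    ct2 = xor_with_key(PLAINTEXT, b"ICE")
    key2, pt2 = break_repeating_key_xor(ct2, keysize=3)
    return key1, pt1, key2, pt2


if __name__ == "__main__":
    key1, pt1, key2, pt2 = demo()
    print(f"single-byte key recovered: 0x{key1:02x}, plaintext ok: {pt1 == PLAINTEXT}")
    print(f"repeating key recovered:   {key2!r}, plaintext ok: {pt2 == PLAINTEXT}")
```

The point to take away is that a scheme which "scrambles" bytes without a proper cipher and a proper mode leaves the plaintext's statistics intact, and a brute force over 256 candidates per key byte is all it takes; it is exactly the kind of home-grown scheme found in cheap firmware.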
Are you an architect, engineer or network or security operator? It is high time to mind your MANRS. Yes, it is natural to want to be on your best behaviour over the holidays, but the Internet Society's Mutually Agreed Norms for Routing Security (MANRS) provide a simple framework that keeps the "I" in "IoT" standing all year round. MANRS puts forward four actions, and every network operator must implement the second: prevent traffic with spoofed source IP addresses from leaving your network. The impact of the 2016 DDoS attacks could easily have been limited if traffic from spoofed addresses had been filtered before it reached the Internet. If, as a New Year's resolution, you want to go further, seriously consider segmenting your network. Vulnerable IoT devices are perfect targets and serve as stepping stones to other segments of your infrastructure. Segmenting the network is no easy task, but it is your best defense against easy-to-hack IoT devices.
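The anti-spoofing action above amounts to two checks a border router can make, source-address validation on ingress (unicast reverse path forwarding, uRPF) and an egress filter that only lets your own prefixes out (BCP 38). As an added example, not the author's code nor any MANRS document, here they are as a small Python simulation over a constructed forwarding table and a constructed batch of packets, so the decision logic can be read and run without a router. The prefixes are documentation ranges standing in for an operator's own, and the interface names are assumptions.

```python
import ipaddress

# Constructed toy FIB: prefix -> interface through which it is reached. The two
# documentation ranges stand in for the customer prefixes we originate;
# everything else is reached through the upstream on wan0.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "lan0",
    ipaddress.ip_network("198.51.100.0/24"): "lan1",
    ipaddress.ip_network("0.0.0.0/0"): "wan0",
}
UPSTREAM = "wan0"
OUR_PREFIXES = [p for p, iface in FIB.items() if iface != UPSTREAM]

# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("lan0", "203.0.113.10", "192.0.2.80"),    # legitimate customer traffic
    ("lan0", "8.8.8.8", "192.0.2.80"),         # reflection attack: forged source
    ("lan1", "203.0.113.10", "192.0.2.80"),    # our address, but from the wrong segment
    ("wan0", "198.51.100.5", "203.0.113.10"),  # Internet packet claiming our own prefix
    ("wan0", "192.0.2.7", "203.0.113.10"),     # legitimate inbound traffic
]


def lookup(fib, addr):
    """Longest-prefix match: which interface would we use to reach addr?"""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict_ok(fib, ingress_iface, src):
    """Strict uRPF: accept only if the return path to src leaves through the
    interface the packet arrived on. Asymmetric routing breaks strict mode;
    loose mode (any route at all) is the usual fallback, but with a default
    route in the table it accepts every source and so catches nothing."""
    return lookup(fib, src) == ingress_iface


def bcp38_egress_ok(our_prefixes, src):
    """BCP 38 egress filter: anything we send upstream must carry one of our
    own source addresses."""
    a = ipaddress.ip_address(src)
    return any(a in p for p in our_prefixes)


def filter_packets(fib, our_prefixes, packets):
    """Apply both checks and return (forwarded, dropped) lists of packets."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        ok = urpf_strict_ok(fib, iface, src)
        if iface != UPSTREAM:  # heading towards the Internet: egress filter too
            ok = ok and bcp38_egress_ok(our_prefixes, src)
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = filter_packets(FIB, OUR_PREFIXES, SAMPLE_PACKETS)
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drp:
        print("DROP   ", pkt)
```

Note that the second packet is the one that matters for the DDoS attacks in the text: a compromised device forging the victim's address as its source. Strict uRPF on the customer-facing interface drops it before it ever leaves, and the fourth packet shows the mirror-image check on the upstream side, where a packet arriving from the Internet claiming one of your own prefixes is just as surely forged.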
James Plouffe is chief architect at MobileIron and technical consultant to the popular series Mr. Robot, which draws direct inspiration from the work of Charles Dickens, among other authors. He owns an electric kettle, but not a connected one.