The internet of insecure things: Thousands of internet-connected devices are a security disaster in the making

Set and forget

We talked to a host of tech experts about the state of security in the internet of things world, and found out the good, the bad, and the very ugly.

Under attack by ... cameras?

The past few weeks have seen some of the largest DDoS attacks ever recorded—and they came from some strange places. A French webhost was hit by a surge of traffic from a botnet made up in part of hacked digital video recorders, and it seems the same group might've briefly knocked KrebsOnSecurity offline as well.

The hacked cameras are a perfect example of an IoT device: a gadget that's internet capable, set up right out of the box, and then forgotten about—leaving it a tempting target for hackers.

IoT doesn't have an IT department

The first problem: many IoT devices, like those cameras, are consumer-oriented, which means their owners don't have a security-conscious IT department. "Individuals do not have the purchasing power of a large corporation," says John Dickson, principal of Denim Group, "so they cannot demand security features or privacy protections that a large corporation can of a product or software vendor."

PC Pitstop Vice President of Cyber Security Dodi Glenn points out that many IoT purchasers neglect basic security measures, failing to change passwords from obvious defaults. And even if they did want to secure their devices, there are limits to what they can do: "You can't secure these devices with antivirus applications."

Insecurity is baked in

Because IoT is a new field, it's dominated by companies that don't have the same mindset as the manufacturers of mission-critical servers—and that can spell trouble. "Very often, the creators of smart gadgets are small startups," says KeepSolid CTO Vasyl Diakonov, "and they don’t have resources or knowledge to build out sophisticated security."

Ben Desjardins, director of security solutions at Radware, specifically calls out the software end of the equation. "The most challenging aspect of this," he says, "is that many of the IoT devices are being manufactured by organizations that are new to software development, and are likely to have more vulnerable code and immature patch management processes."

Updates are hard

Security threats are a moving target, and the ability to keep up is rare to nonexistent in the IoT world—and that needs to change. "We know operating system vulnerabilities are identified continuously in all the major desktop and server products, and vendors like Microsoft release patches on a monthly basis," says Deral Heiland, research lead at Rapid7. "So why should we not expect the same issue with IoT products? The solution is to expect vendors of IoT technology to implement patching solutions, which allow us to effectively identify and patch their products quickly, just like current OS product vendors do."

Energy-constrained chips = poor encryption

But in some ways there's only so much software updates can do. "The distinguishing feature of many IoT devices is their very limited computational power," points out John Michener, chief scientist at Casaba Security. "So they frequently lack the auxiliary processing functionality to enable high performance modular math (used by RSA and ECC cryptography) or AES speedup circuitry (used by the AES cryptographic algorithm)." Without access to this encryption, some shops turn to preshared key-based security, but, as Michener notes, "this approach requires the implementing organization to either have a classic key distribution center to handle the PSK keys for all the IoT devices (a significant operational task) or use shared PSK keys, which makes the entire deployment vulnerable to compromise if a single device is compromised."
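
The trade-off Michener describes, as an added example that is not from the article or from Casaba: it compares one PSK shared by every device with per-device PSKs. Deriving each device key from a server-held master secret with HMAC-SHA256 is an assumption made here as one way to manage per-device keys; the device names and the demo secret are constructed.

```python
import hashlib
import hmac

DEMO_SECRET = b"\x01" * 32  # constructed demo value; use a random 32-byte secret in practice

def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device PSK derived server-side; the master key never ships on a device."""
    return hmac.new(master_key, b"psk-v1:" + device_id.encode(), hashlib.sha256).digest()

def message_tag(key: bytes, device_id: str, payload: bytes) -> bytes:
    """Authenticate (device_id, payload); the length prefix keeps the two fields unambiguous."""
    ident = device_id.encode()
    data = len(ident).to_bytes(2, "big") + ident + payload
    return hmac.new(key, data, hashlib.sha256).digest()

def accepts_shared(shared_key: bytes, device_id: str, payload: bytes, tag: bytes) -> bool:
    """Server check when every device holds the same PSK."""
    return hmac.compare_digest(message_tag(shared_key, device_id, payload), tag)

def accepts_per_device(master_key: bytes, device_id: str, payload: bytes, tag: bytes) -> bool:
    """Server check when each device holds its own derived PSK."""
    key = derive_device_key(master_key, device_id)
    return hmac.compare_digest(message_tag(key, device_id, payload), tag)

def compare_blast_radius(secret: bytes = DEMO_SECRET) -> dict:
    """Key material leaks from 'sensor-17'; is a message claiming to be 'valve-03' accepted?"""
    payload = b"open"
    # Shared PSK deployment: sensor-17's key is also valve-03's key.
    shared_tag = message_tag(secret, "valve-03", payload)
    # Per-device deployment: only sensor-17's derived key is exposed.
    leaked = derive_device_key(secret, "sensor-17")
    spoofed_tag = message_tag(leaked, "valve-03", payload)
    own_tag = message_tag(leaked, "sensor-17", payload)
    return {
        "shared_spoof_accepted": accepts_shared(secret, "valve-03", payload, shared_tag),
        "per_device_spoof_accepted": accepts_per_device(secret, "valve-03", payload, spoofed_tag),
        "per_device_own_accepted": accepts_per_device(secret, "sensor-17", payload, own_tag),
    }

if __name__ == "__main__":
    print(compare_blast_radius())
```

With per-device keys the leak is contained to the one device, which can then be revoked on the server without re-keying the rest of the fleet.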

Shared tools = shared danger

Michener told me about some research that his firm did on a variety of IoT devices that he found unsettling. "Casaba has done penetration tests in the general area and found very significant vulnerabilities, some in commonly used shared software tools used in the space," he said. "The extent of the vulnerabilities, which were privately disclosed and silently fixed, is not reassuring."

Horror lurks in the data center

What does an IoT attack look like in practice in a corporate setting? Chris Richter, senior vice president of global security services at Level 3 Communications, said one company he spoke with saw a compromise in its data centers—but not in any of its servers. "They were experiencing high-egress bandwidth spikes, and a security audit discovered all of their power supplies (which were IP connected—that is, IoT) had been compromised and were part of a DDoS botnet. Power supplies are large devices that contain code enabling them to regulate power flows. They typically run a Linux kernel that, like many IoT appliances, are IP connected, and thus exposed to external threats."

Do due diligence

So how can you use IoT devices in your enterprise in a secure way? Well, start by doing your research. Robert Siciliano, CEO of, thinks you should research the security situation of the device manufacturer—not just their philosophy, but their own security at their own facilities. "If the company itself was hacked," he says, "its code could have been released, and that would make its devices that much more insecure."

Quarantine contact with IoT

Because IoT devices are inherently vulnerable, you want to minimize contact between them and the rest of your infrastructure. "Restrict how and where those IoT systems can communicate, if possible," says Daniel Miessler, director of advisory services at IOActive. "If you have the ability, ensure that they can only talk to the systems they need to."

And systems that are required to connect to IoT devices should be protected. "Any endpoint—desktop, laptop, or server—that has a primary role of an IoT controller/manager and can also touch the internet must be locked down," warns Solutions Architect Sebastian Taphanel.

Harden your network

"The easiest and most reliable method of protecting endpoint devices and remote is via a VPN," says Julian Weinberger, director of systems engineering at NCP Engineering. "Comprehensive VPN software solutions fit easily into the existing infrastructure and require no additional hardware. Moreover, data traffic is secured at the device itself ensuring no unencrypted traffic ever leaves the endpoint. This can help you keep pace with the growth of IoT connections while ensuring a frictionless customer experience."

"There are also specially designed routers and security devices that will secure your network," says KeepSolid's Diakonov. "If you are really into smart gadgets, a new piece of hardware in your smart home is what you need."

Keep an eye on the network

Remember, the hacked power supplies we discussed were noticed because of the mysterious bandwidth spikes they put out. "Look for strange spikes in network activity, requests to the internet, connections to known-malicious IP ranges, or malicious payloads in network traffic," says IOActive's Miessler.

Radware's Desjardins says you should invest in "a security solution that inspects encrypted traffic as it leaves the network, as this is a common tactic of malware exfiltrating data."

Keep your toolbox stocked

Leon Adato, head geek at SolarWinds, suggests three important tools that can help you keep an eye on your IoT devices:

  • "A NetFlow analyzer can track the hundreds or thousands of small conversations IoT devices generate, and monitor which external sites are receiving connections from inside your environment."
  • "An IP address management (IPAM) tool is helpful because IoT devices take up a lot of IP addresses. Your IPAM tool can help automatically identify and report on IoT devices in the course of normal operations."
  • "Deep packet inspection (DPI) is used to analyze packets for the source and destination IP address, port, and protocol. This information can be used to categorize packets by usage—business application, social, streaming media, potentially malicious, etc.—which makes it extremely useful for IoT security information."
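
The two checks mentioned above (Miessler's "strange spikes in network activity" and the NetFlow view of which external sites receive connections), sketched as an added example that is not from the article or from any vendor's tool. The flow records, device names, allowlist and the 10x-median threshold are all constructed for illustration; the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed policy: the only external networks each device is expected to reach.
ALLOWED = {
    "pdu-01": [ipaddress.ip_network("198.51.100.0/28")],
    "cam-02": [ipaddress.ip_network("198.51.100.16/28")],
}

def build_sample_flows():
    """Constructed flow records: (minute, device, dst_ip, bytes_out)."""
    flows = []
    for minute in range(10):
        flows.append((minute, "pdu-01", "198.51.100.10", 2_000))
        flows.append((minute, "cam-02", "198.51.100.20", 50_000))
    # Minute 7: the power unit suddenly sends a burst to a host it never talks to.
    flows.append((7, "pdu-01", "203.0.113.77", 900_000))
    return flows

def find_anomalies(flows, allowed, spike_factor=10):
    """Return sorted (device, kind, detail) findings for spikes and unexpected destinations."""
    per_minute = defaultdict(lambda: defaultdict(int))
    findings = set()
    for minute, device, dst, nbytes in flows:
        per_minute[device][minute] += nbytes
        addr = ipaddress.ip_address(dst)
        # A device with no allowlist entry is treated as allowed nowhere.
        if not any(addr in net for net in allowed.get(device, [])):
            findings.add((device, "unexpected-destination", dst))
    for device, totals in per_minute.items():
        # The median is used as the baseline so the spike itself does not inflate it.
        baseline = median(totals.values())
        for minute, total in totals.items():
            if baseline > 0 and total > spike_factor * baseline:
                findings.add((device, "egress-spike", f"minute {minute}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(build_sample_flows(), ALLOWED):
        print(finding)
```

The steady camera stream raises nothing even though it moves far more data than the power unit, because each device is compared with its own baseline and its own expected destinations.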

Assess rigorously

If you're setting up an IoT environment, test and assess it from end to end. "A typical IoT framework consists of edge devices like sensors, adapters, beacons etc.; a gateway to communicate with these devices; and a back-end server in the cloud or on premise," says Mandeep Khera, CMO of Arxan. "Companies need to take each section separately and start addressing security issues for each. For example, have a security pen test to find out if end-point devices can be hijacked and exploited by hackers."

Taking over an existing IoT infrastructure? Know what you're getting into, says Jerry Irvine, CIO of Prescient. "All devices should be documented, along with the version of their firmware and applications. Once documented, each device's hardware, firmware, and applications should be reviewed to assure they are up-to-date, and to define all known vulnerabilities."

Automation to the rescue

"Automation will be one of the keys to increasing efficiency," says Cody Cornell, CEO of Swimlane. "An automated incident response system can identify and resolve low-complexity, high-volume tasks with little to no human intervention, leaving expert security personnel with more time to handle the more nuanced and complicated issues. That's critical, not only because more devices will create more tasks, but because attacks are growing increasingly sophisticated." Many of the experts I spoke to said that a number of vendors are working on automation solutions specifically aimed at processing the huge amounts of data generated by IoT devices so that they can be monitored and secured.

We can lay the groundwork

Despite much of the gloom and doom we've discussed, the truth is that we're at the dawn of the IoT age, and can still shape it in a more secure image. "While the IoT is still in its early stages, we have a chance to build in new approaches to security if we start preparing now," says Steve Durbin, managing director of the Information Security Forum. "Security teams should take the initiative to research security best practices to secure these emerging devices, and be prepared to update their security policies as even more interconnected devices make their way onto enterprise networks."

Regulations are catching up

Regulations may eventually help tame the IoT Wild West. "As more regulators wake up to the potential chaos caused by insecure storage and processing of sensitive information, they will demand more transparency from organizations and impose even larger fines," says Durbin.

And that may apply to the consumer sector too. "I suspect you will see more involvement by the consumer protection regulatory agencies as they attempt to better protect individual buyers from inadvertent security or privacy risks," says Denim Group's Dickson. "Because so many IoT devices are manufactured in countries that have less stringent privacy protections than Europe or the US, look for more active involvement of regulatory agencies as stories about IoT hacking and privacy lapses stack up."

The worst hasn't happened—yet

The big IoT-based hacks we've seen so far have been mostly in the service of DDoS attacks. "At this point, the most profitable use for these devices tends to be recruitment in a botnet, where the bandwidth and time can be sold to others," says Nathan Elendt, security analyst at Bishop Fox.

But IOActive's Miessler foresees a future where hackers exploit Server Side Request Forgery vulnerabilities and extract sensitive data from inside networks. "That requires tech stacks to standardize to the point that exploits can be chained together," he says, and that hasn't happened yet. Let's all get our houses in order before it does.