Using very old and simple techniques such as brute force attacks, cybercriminals are gaining control over a population of insecure internet of things (IoT) devices with arsenals of malware.
Brian Krebs’ website was recently targeted in the largest ever distributed denial-of-service (DDoS) attack. The source code that powered the IoT botnet responsible for the attack was targeted by a malware dubbed Mirai. It was spread over thousands of vulnerable devices by continuously scanning the internet for IoT devices protected by default credentials used in dozens of products such as routers, security cameras, printers and digital video recorder devices.
Researchers have identified more than five million vulnerable IoT devices that could easily be penetrated by Mirai.
The source code now is publicly released and available for anyone to use. Soon it could be used to initiate an attack against corporations, and while those organizations investigate a never-before-seen volume of network traffic, attackers could successfully evade enterprise defense systems to gain access to the enterprises' crown jewels.
In addition, while analyzing the Mirai malware researchers discovered what they believe is a new IoT malware that behaves like Mirai. The malware is named “Hajime” and is capable of scanning the internet in search of devices running the telnet service and can attempt to access them using a predefined list of common credentials. Based on the attack attempts recorded by the honeypots, it is believed that the malware has infected up to 185,000 IoT devices.
In a recent survey, Forescount asked responders how confident they are knowing that there are IoT devices connected to their network that cybercriminals can use as a gateway? Eighty-five percent were not confident that they know all the devices on their network while only 15 percent were confident. With respect to securing IoT devices, only 44 percent of respondents had known about a security policy for IoT devices.
Enterprises need a strategy to secure IoT devices.
It’s a game changing time for enterprises to put in place a framework to secure IoT devices and invest in building capabilities, skills and technologies around protecting and securing IoT devices. At the same time manufacturers, industry and organizations need to work together to develop IoT security solutions. Security concerns of this fast-growing ecosystem is going to require long-term and short-term solutions. IoT devices configured with known credentials or default credential issues need to be addressed immediately — not dealing with them will only make the problem grow larger and complex.
What makes the IoT ecosystem more challenging then the PCs that an organization has been managing?
It is an understatement to say that managing IoT is far more complex than managing the workstations in a small-to-midsize organization. Organizations today struggle to keep 10,000 workstations up to date with required security patches. Imagine how difficult and challenging it would be to manage 10,000 IoT devices that are not used by a human being for day-to-day operations but are controlled by another set of devices or machines designed to perform a specific task.
Gartner reports that 6.4 billion connected devices will be in use in 2016, up 30 percent from 2015, and 5.5 million new devices get connected every day — totaling 20.8 billion connected devices by 2020. Cisco's and Intel's projections are more optimistic and claim that there will be 50 billion IoT devices by 2020 and 200 billion IoT connected devices in use by 2020 respectively.
[ MORE ON CSO: Security and the Internet of Things – are we repeating history? ]
Some of the potential IoT security risk prevention methods that can be considered as short-term solutions are:
- Approach IoT device security holistically enterprise wide.
- Discover and create inventory of devices, including what, where, why, who manages it, etc.
- Segregate the IoT device traffic vs. other network devices.
- Educate IT teams around provisioning any new device into the network and do not plug in any device before going through a security checklist.
- Regularly audit the network to make sure every IoT device is added to the inventory list and there is some kind of monitoring in place, and responding to the security events that get generated from them.
This article is published as part of the IDG Contributor Network. Want to Join?