In AlienVault’s survey of RSA 2017 attendees, 62% expected cloud security to worsen as more IoT devices and services get added to enterprise clouds.
Similarly, in the 2017 enterprise IoT adoption report from Aruba (a Hewlett Packard Enterprise company), adoption rates appear bullish, yet 84% of enterprises that had already adopted IoT reported having faced security breaches.
49% dealt with malware, 38% with spyware, 30% experienced phishing, and 26% suffered from a DDoS attack.
Interestingly (and quite shockingly), most of these attacks involve devices which are NOT managed by enterprise IT.
Unmanaged IoT devices (think of home routers, IP cameras and DVRs) are common and easy targets on today’s Internet from which to launch cyberattacks.
Plugging the security loophole
Enterprise IoT adopters may have the money to invest in firewalls and security scanners, and vendors like Check Point and Wurldtech are rolling out security solutions for the Industrial Internet.
But they have very little control when the attacks involve low-end, unmanaged IoT “things”, where the price point simply doesn’t warrant much attention or security investment.
To gain insight into this snowballing IoT threat, The IoT Review interviewed long-time Internet expert and IETF co-chair Bob Hinden, who is now a Fellow at Check Point.
In this article we’ll go over some of the takeaways of our conversation with Bob Hinden.
Monetizing cyber attacks with IoT
These days cyber-attacks are more organized (often government-sponsored), more sophisticated and monetized.
In the IoT-empowered Internet, ransomware and denial-of-service attacks are trending fast.
In a ransomware attack, ‘paid’ business entities infect your network infrastructure with malware that encrypts your data. The only escape route is to pay to unlock your data.
Hinden observes, “While DDoS attacks are not new, the fact that those come from so-called IoT devices is a new and growing trend. This brings attacks to a whole new level which we haven’t seen before. I am trying to look at this more as the Internet of Insecure Things.”
In Review: Denial of Service (DDoS) attacks using IoT
Last September, Brian Krebs wrote in his “KrebsOnSecurity” blog about the DDoS-for-hire vendor vDOS, which reportedly made $600,000 in two years by knocking sites offline (talk about newer business models!).
Soon after publication, Krebs’ blog was attacked with 620 gigabits per second of traffic. The attack was sourced from a network of IoT devices (known as an IoT botnet) such as home routers, IP cameras and DVRs running with default passwords.
A very similar attack followed in October 2016, when OVH was attacked by an IoT botnet with 150,000 nodes injecting 1 terabit per second of traffic.
Within weeks, on October 24th, DNS provider Dyn was attacked with 1.2 terabits per second of traffic using an IoT botnet. Dyn’s outage caused much grief, as Twitter, Facebook, Amazon and others use Dyn’s service, and the attack affected millions of users.
“There’s no reason to think this is going to stop. We don’t know how to stop this yet,” warns Hinden.
What does this mean for industrial IoT security, where many operational devices like machines, controllers and critical infrastructure are being connected to the Internet?
“We have got much better over the years in securing critical infrastructure by keeping track of attacks and vulnerabilities much like we do for operating systems,” says Hinden.
There are many Industrial Internet vendors who are building new security gear to protect industrial systems and critical infrastructure.
But not much has been done to secure unmanaged devices in homes and small-scale deployments. No one installs an IoT gateway for a small $50 camera. So that’s an exposure.
Why are IoT “things” a cyber-threat?
Recent cyber-attacks using IoT botnets exploited very simple vulnerabilities such as default usernames and passwords.
In enterprises, the IT department owns the responsibility to put security practices in place.
But when $50-$100 IoT “things” are installed in homes and businesses, the price point doesn’t warrant sufficient attention to implement even rudimentary security policies like prohibiting default or well-known passwords, installing regular software updates, plugging back-doors etc.
These devices are very different from that point of view. The lessons we have learned and applied to conventional Internet gear just haven’t been applied to these devices.
Stashing responsibility in a complex supply chain
Another big problem is who owns the responsibility to secure these devices.
When an IP camera gets added to an IoT botnet, the owner of that camera is not even aware. Neither is the camera manufacturer.
Consumers typically do not buy these devices directly from the manufacturer.
In the case of a PC or a Mac, the consumer is aware of who made the hardware and has a way to receive regular upgrades and support.
Even modern car vendors like Tesla offer “over-the-air” software upgrades.
But in the case of these IoT “things”, the supply chain becomes quite complicated. These products reach consumers through one or more retail channels. The consumer has very little visibility into the vendors and very little of a support relationship with them.
While open standards bodies like the IETF can define protocols and best practices for securing IoT, the solution demands more than standards.
The government of any particular country can’t stop this either. Because the Internet is “borderless”, even if you secure devices manufactured in one country, devices in other countries can be hacked to launch attacks.
Is there a way out of this danger?
Technically it’s not very hard to secure these IoT devices. Just follow a few well-known dos and don’ts:
- Do allow regular software updates
- Don’t allow default or well-known passwords
- Don’t allow fixed access
No one writes 100% perfect software from a security standpoint, but we know how to address software vulnerabilities using patches. This is common practice for PCs, Macs and mobile devices.
But the economics of a PC or a car that costs several hundred dollars are very different from those of a $100 camera. The low profit margins on such devices simply don’t make similar investments in security compelling.
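The two “don’ts” above can be enforced on the device itself at first boot. The sketch below is an added example, not code from the article or from any vendor; the deny-list, the minimum length and every function name are assumptions, and “fixed access” is read here as a built-in account the owner cannot change.

```python
import hashlib
import hmac
import os

# Constructed sample deny-list (assumption); a real product would ship a larger one.
WELL_KNOWN = {"admin", "password", "12345", "123456", "default", "root", "guest"}
MIN_LENGTH = 10  # assumed policy value


def new_device_state():
    """State as it leaves the factory: no usable credential is stored."""
    return {"salt": None, "pw_hash": None, "provisioned": False}


def _hash(password, salt):
    # Salted, slow hash so a dumped flash image does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_admin_password(state, username, candidate):
    """Store the owner's first password, or raise ValueError with the reason."""
    lowered = candidate.lower()
    if lowered in WELL_KNOWN:
        raise ValueError("default or well-known password")
    if lowered == username.lower():
        raise ValueError("password equals username")
    if len(candidate) < MIN_LENGTH:
        raise ValueError("password too short")
    state["salt"] = os.urandom(16)  # unique per device
    state["pw_hash"] = _hash(candidate, state["salt"])
    state["provisioned"] = True


def login(state, candidate):
    """Only the per-device hash is consulted; there is no built-in account."""
    if not state["provisioned"]:
        return False  # factory state: nothing can log in
    return hmac.compare_digest(_hash(candidate, state["salt"]), state["pw_hash"])


def remote_services_enabled(state):
    """Remote administration stays off until the owner has set a password."""
    return state["provisioned"]
```

A device built this way has no credential to guess while it sits in factory state, and the first rule (regular software updates) still has to be handled separately.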
Introducing liability
One viable option is to build some liability into the supply chain.
“Consumers being liable is not practical. And it’s hard to get to the manufacturer directly. The idea that I have been having lately is to make the retailers who sell these devices have liability, since they deal directly with both the consumer and the manufacturer,” Hinden noted. “In the case of a supply chain involving many vendors for a product, retailers like Amazon (as the narrow neck in an hourglass) can enforce certain security compliance for each of the product vendors.”
In the context of large-scale industrial deployments, there are many devices which remain unmanaged. Imposing liability and compliance policies in industrial procurement can address this.
Incentives and innovations
For a secure connected world, all connected devices must be secure.
We should have incentives for developers, manufacturers, and retailers to add better security in the devices.
Although we have an increasing number of low-end “insecure things” already deployed (which no one is going to turn off), the only option is to do a better job in making new products secure through incentives, innovations and liability.
DDoS attacks aren’t new, but the scale of these attacks is new and worrisome. Hinden warns, “You can harness a large number of unmanaged devices and do whatever you want.”
While it’s encouraging to see the increased focus on securing IoT in the industrial and enterprise sectors, unless we do something about the low-end “insecure things”, IoT will continue to remain insecure.