Last week, I attended the Inform[ED] Conference in Manhattan, New York, where some of the top experts in the cybersecurity, IT, and wireless tech industries assembled to shed their insight and exchange ideas on the current status and future of IoT security. One of the facts I’ve been reiterating is the amount of connected devices (20-50 billion) the world is projected to have by 2020. It’s an intimidating figure that cybercriminals will see as a paramount opportunity to wreak havoc, along with achieving personal and organizational goals.
With large-scale cyberattacks like the Mirai incident still fresh in our minds, experts are concerned about the quality and attention the aforementioned industries are paying to cybersecurity, and the consequences that could arise if this degree of negligence continues.
I was fortunate to speak with two industry experts—James Plouffe, Lead Solutions Architect, MobileIron, and Mitch Ashley, President and General Manager, Kyrio, who offered their insights on how IoT security is keeping up with the advancements of malware technology and hacking techniques, how cybercrime is evolving moving forward, common methods used by cybercriminals, and other pertinent topics.
WDD: In the race for innovation, how well would you say IoT security efforts are keeping up in combating the latest forms of malware and other infiltrative techniques used by hackers?
Plouffe: The race to innovation tends to make security more of a second-tier consideration. We’re seeing security frankly fall through the cracks. It’s not unheard of for software if you think about it. Any complex system is going to have bugs that will manifest themselves in ways that can be exploited for security purposes. The trick here is that everything is networked now. Doing something like establishing an attack vector is a much easier proposition now than it was before, and that’s more so what we’re seeing on this front nowadays.
Ashley: I think we’re early in the evolution of security and IoT. I would equate it to where enterprises were in the early 2000s when you first started seeing viruses, which sprung them (enterprises) into taking more action. We’re starting to see the same now with IoT, where with botnets being created out of security cameras and exploits happening in devices as a few examples. You start to see that same momentum building in IoT, and I think there’s an interesting dynamic at play, which is the device manufacturers having this dilemma. They’re (device manufacturers) just used to shipping the product. Usually once that product’s shipped it goes into the channel, sold in stores and they don’t really see it again.
Updating the software after the device has been shipped wasn’t necessarily part of the model for manufacturers. As you get into IoT, which has features like faster and stronger processors with more memory, security vulnerabilities are getting fixed. They (manufacturers) might want to offer new features, which requires an upgrade capability, so you start to develop a relationship as a manufacturer with the device into its lifecycle instead of shipping it into the channel without ever worrying about that particular product again. I think that’s a learning curve not just for the manufacturers but their channel, who maybe aren’t used to providing the services for products that now have smart capabilities.
WDD: What particular forms of malware concern security experts the most (DDoT, ransomware, etc.)? What makes this malware more dangerous than others?
Plouffe: What’s interesting about this is not all attacks actually hinge on malware nowadays. Certainly things like crypto-ransomware tend to affect users of work stations because of how all the files are encrypted. In the IoT world, you don’t see that as much because there’s not an operator sitting on the other side of the device that has to deal with those situations. You also see people making very basic mistakes about how they’re implementing certain features and what kind of code they’re writing, both of which you don’t necessarily need malware to exploit. Sometimes it’s a matter of using default passwords or leaving your telnet open. Simply put, you can actually be very successful in an attack without having to do a lot of heavy lifting.
Ashley: I categorize this particular topic into three areas. One is social engineering—the easiest attack vector, which is getting users to do something they don’t know is detrimental to them or their organization. Then there is creating malware with some specific gain like adding ransomware on your computer, which puts the hacker in a position to exploit yourself or your organization. The third is more of a highly complex breach, meaning it’s not just one attack vector, but also malware or social engineering as well. It’s a full stack of attacks and other breaches that happen over long periods of time that can compromise devices like PCs and headsets.
For example, you enable cameras and voice microphones to record, which you don’t necessarily use right away. They’re sort of a built up inventory or network of your own exploits—and then you layer on top of that some gain you’re trying to attack. That’s what I’m most concerned about because of the big detrimental effects an attack of this caliber could have. Even if it happens at a corporate level, these kinds of incidents largely happen on a case-by-case basis. When you start to layer impacts, you can have financial organizations, infrastructure, and on a personal level have that happen on some broader basis, which is where we can see something significant that can have an effect on the economy. That’s the scary thing to me and it’s complex.
WDD: Based on your personal experiences working in the cybersecurity field, what would you say are some of the most common motives behind modern cyberattacks?
Plouffe: I don’t think there’s a general trend when cybercriminals target computer systems. Reasons range from people launching these kinds of attacks solely for the notoriety, but you also see a lot more organized crime and nation state actors. What you really see with IoT is an opportunity for someone to reach a more important target. If an attacker can get into an IoT device and access the gadget’s network, where they go from there lies heavily on their motives. The attacker may not be interested in the IoT device itself but it gives the attacker a beachhead to move onto something that is more valuable. Using a house robbery as an example, if the burglar can’t enter through the front door, they’ll find another entranceway or window into the house. Once they’re in, the burglar will start tearing the place apart looking for jewelry and other valuables.
Ashley: They’re almost always driven by financial or nation state gain—some type of government or espionage type of activity. There’s also “bragging rights”—who the first person is to breach an autonomous vehicle, new kind of computerized interface, or whatever it might be. The overall majority of the exploits have financial gain behind them. That drives behavior like doing a phishing attack for example, and getting someone to provide credentials. Users don’t necessarily realize it’s not about attacking one device because they (attackers) will almost always go for the lowest-hanging fruit.
I think of security as flowing water. It’ll flow wherever gravity takes it and whatever the path of least resistance is. Those same paths are what hackers are going to take and that’s where hackers are going to go. Whether it’s you clicking on an email, responding to a survey, going to a site and giving up personal information. It’s very much a multistage lay-and-wait until you get to the gold. A good way to compare it is like being in an online multiplayer game...it’s not one thing you’re pursuing but a series you’re going after that lead up to some big payoff. You usually cover multiple paths to go after multiple rewards, which is what drive these motives.
WDD: What makes IoT devices easier (or harder) to infiltrate than conventional laptops or desktop computers?
Plouffe: I think like with so many different aspects in technology, the answer is: it depends. What’s important to remember is we say “Internet of Things” but it’s not a “thing;” it’s a little computer now that does something special. If you think about something like a Raspberry Pi, you can (for $30) get something with a quad core processor and a giga-memory. If you told me I could get something like that with those kind of specs for that price when I first started playing with computers, I’d relegate a device with those kinds of capabilities to the realm of science fiction. It’s also important to remember that while these IoT devices are generally lower powered than their desktop/laptop counterparts, they’re still quite powerful.
However, they may be easy to break into because they don’t have secure default configurations. There’s a botnet circulating now, for example, called the “breaker bot,” which opens telnet connections using brute force. Telnet is an old remote access protocol, everything passes in the clear. It’s one of those things that makes you ask yourself why people still use it, even though it’s 2017. As with anything though, if you’ve done your homework, made sure you’ve hardened the operating system and application, and you’ve written good application codes, there’s no reason these components can’t be secure. To reiterate, I do think that rush to market definitely works against that objective of securing those devices for sure.
Ashley: Every connected device is a new point of attack. It’s not about hacking the actual smart hairbrush, thermometer, or scale. It (the targeted IoT device) gives you more surface area to pick a point to enter. The sophistication of those devices, when you think about the computing power in a smart device, is not much by today’s standards compared to ten years ago. These devices serve as an entry point to reach another device or part of your home network. The other side of it is these IoT devices aren’t truly stable from a secure standpoint. Many of them use default IDs and passwords, which is the number one strategy hackers use to access devices. There are even databases online that display default IDs and passwords for IoT devices. All you need to do is scan IP addresses that match with these devices and it’s how you can enter them.
In the cable industry, we use PKI (public key infrastructure). Essentially, how it works is the network authenticates and verifies that a connecting device is what it is, preventing clones or hackers from entering networks posing as one, and is also used in the smart grid industry (like air conditioners, for example). Where it goes next is what we’ll use to identify the end user. When logging onto a service for the first time with IoT, we’ll use a certificate tied to that device and use every time to log in instead of a password and username. Aside from default user ID/password, this is the easiest thing to go to any device. Easiest way to hack is to get an end user to click on a link to attain personal information or use that link to deliver malware. A browser, smartphone, tablet, and laptop are the easiest ways to hack via email.
WDD: What are some of the common strategies and scenarios that lead cybersecurity experts to uncover new methods of hacking and IoT vulnerabilities?
Plouffe: A lot of experts find these flaws just by tinkering. It’s not so much you set out to find a vulnerability more than you’re just figuring out how the configuration works. In the course of taking the device or program apart, playing with it, looking at the logic, and maybe reverse-engineer some software, you look at some things and may say, “Well that doesn’t look quite right.” It could be something simple as just plugging in a new IoT device, doing a packet capture on my network to see what sort of communication it has, and noticing packets passing back and forth in clear text (like using “http” and not “https” for example).
Immediately I’m interested because I wonder what else I can find out next. There are a lot of different approaches when it comes to penetration testing and everybody has what they like to do best. I think if you were to paint in broad strokes, it definitely would be a matter of understanding how the device works, looking for things that seem weird to you like places where coding passes in the clear when it should be encrypted, etc. Those sorts of anomalies are always great starting points to be able to target those vulnerabilities.
Ashley: We do a lot of work with multiple manufacturers. IoT space and network communications equipment both go into the home and network. They utilize companies like Kyrio and CableLabs as a set of expertise to look at the entire industry. We look at trends happening and likely coming, which is fortunate because not everyone has that ability to have staff that can look ahead and anticipate oncoming issues and think about how to evolve their staff accordingly.
Our emphasis isn’t so much finding individual vulnerabilities as it is to find root causes that will help solve some of these problems and how we can work with network manufacturers and operators to mitigate these issues. It’s a unique role because we get to work with so many different people. We have a lot of device manufacturers come to Kyrio to get their devices certified for IoT and WiFi, giving us huge insight into the specifics of what happens by learning trends we see and improvements manufacturers can make, that we learn from working with similar clients and manufacturers they wouldn’t even think to make. This helps us too with raising the overall level of quality among industry members as well.