Dr. Mordechai Guri, Co-Founder and Chief Researcher
The frenzy surrounding all things IoT has quickly moved from unbridled excitement to dystopian warnings. From its potential to revolutionize the way we work and play, to visions of television sets turned spy and hijacked medical devices holding lives for ransom. With so much hyperbole, it can be difficult to cut through the noise to understand exactly where the problems lie in securing the IoT.
The Bigger They Are, the Harder They Fall
Much has to do with the sheer scale of the attack surface. The current estimate for IoT devices is 6.4 billion, and Gartner predicts they will reach an installed base of 21 billion units by 2020; others predict even higher. These devices are ever-connected and ever-susceptible. The more connections that exist between our devices, and the more data we transmit across networks, the more opportunities there are for attack. Even when a device sits idle, it remains connected and therefore vulnerable.
Their power is ripe for the taking, and cybercriminals are helping themselves to it. The Mirai botnet that powered the largest DDoS attack in history, taking down more than 80 major websites last October, consisted mainly of CCTV cameras and DVRs. And that was only the beginning. The latest bot-herding software, Persirai, borrows pieces of the Mirai source code yet is much more sophisticated. It targets more than 1,000 different IP camera models through a vulnerability in the Universal Plug and Play protocol. Unlike Mirai, however, strong passwords offer no protection, because Persirai exploits a zero-day vulnerability that steals the password file. And after Persirai executes, the malware deletes itself and continues to run only in memory, making it difficult to discover other than by detecting traffic to the specific Command and Control servers used by the botnet.
The Diversity Challenge
With a problem of such magnitude, why aren't we doing a better job of protecting IoT devices? When we look at the landscape of IoT security, we see mostly network-level defenses: managing IoT security at the network level, detecting IoT attacks at the network level, and blocking IoT attacks at the network level. These are valuable but limited: just as in the case of endpoint security, deep security requires software installed on the device itself.
However, there are almost no in-device security products for IoT devices. The current diversity of hardware, software and OSes poses a real challenge for developers of security products. IoT is actually a mixture of systems, composed of various types of CPUs and chipsets from different vendors. ARM-based platforms dominate the market, but Intel is pushing its own IoT platforms. And the various manufacturers of IoT development boards use their own hardware architectures, integrated circuits, processors and chipsets. The situation at the software level is even worse. There are about ten leading operating systems for IoT, as well as numerous others. For security vendors, developing and maintaining an IoT-wide security product is very challenging, if not impossible.
One of the primary purposes of IoT technology is to collect information, both overtly and silently. IoT devices often send unencrypted information over unsecured ports. And many times, as in the case of the recent teddy bear data breach, that information is stored in publicly accessible databases without any authentication required. These devices are designed to gather and transmit data as quickly and cheaply as possible. This is directly at odds with information security but unlikely to change soon. Implementing secure or confidential communication protocols increases development cost, time to market, and manufacturing costs. Even manufacturers that are conscious of security issues might unknowingly embed insecure third-party components into their products. Many of the webcams enlisted by the Mirai botnet used electronic components from the same manufacturer.
The Never Patched Problem
Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers and sensors all have internal firmware, which usually runs for years without an update. As a result, there are many IoT devices in the field with different versions of kernels, frameworks, web servers and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware are extremely challenging. Apart from the difficulty of accessing the devices, most do not have the memory and processing power needed to receive and apply the upgrade or patch. The online-update, instant-patch paradigm used in the modern OS is simply not yet feasible in the IoT world.
It's Not Just Things
Generally we think of the IoT as personal devices: cameras, refrigerators, even cars. But much of our critical infrastructure (utilities, hospitals, transportation systems, and all the other systems our communities and countries depend on) is increasingly digitally controlled and connected. This industrial internet of things (IIoT) brings tremendous productivity and reliability gains: better alignment of supply and demand, predictive maintenance planning, predictive outage response, instantaneous sharing of vital data and more. In some cases, such as health care, it can make the difference between life and death.
However, this hyper-connectivity has increased the cyber risk for our critical systems exponentially. The energy sector is particularly vulnerable. Coordinated cyberattacks on the Ukraine power grid left more than 230,000 customers without power. Hackers gained control of the Supervisory Control and Data Acquisition (SCADA) network that controlled the grid and proceeded to shut off approximately 60 substations. All because one employee fell for a phishing email. When we talk about IoT security, we need to look at the bigger picture.
IoT is at a critical juncture; it's time to shuffle priorities and put security at the top. End users need to implement best-practice security controls and demand greater security built into the products they buy. Cybersecurity vendors need to think outside the box to develop new protection paradigms. Manufacturers need to step up, take responsibility and actively make their devices more secure. And legislators must put forth effective regulations to ensure it happens.
About the author
Dr. Mordechai Guri serves as Co-Founder and Chief Researcher at Morphisec, the leading developer of Moving Target Defense (MTD) cybersecurity products. Mordechai has more than 20 years of practical research experience. He is lead researcher and lab manager at the Ben Gurion Cyber Security Research Center and was awarded the prestigious IBM PhD International Fellowship (2015-2016). Guri manages academic research in various aspects of cybersecurity for the commercial and governmental sectors. Guri has led a number of breakthrough research projects in cybersecurity, focusing primarily on state-of-the-art challenges in the field of cyberattack and cyber defense. Mordechai examines current paradigms and develops new methods for improved mitigation of security problems in the modern cyber environment. His research topics include OS security, advanced malware, MTD, mobile security and embedded systems. Guri earned his BSc and MSc, summa cum laude, from the computer science department at the Hebrew University of Jerusalem. Guri holds a Ph.D. from Ben Gurion University.