Hardik Modi, AVP Engineering, Threat and Mitigation Products at NETSCOUT, discusses the IoT
Many of us will remember using bulky desktop computers with dial-up Internet – what a world away that seems compared to today’s IoT landscape. Nowadays, we have mobiles, laptops and tablets, all of which perform the same functions as those old computers, and many more. We also have kettles, speakers, clocks and many other devices that are all connected to the Internet – there really has been an IoT revolution. The benefits of these advancements are vast and far-reaching, with no signs of slowing down, and we can only imagine where technology will lead next.
In the case of desktop computing, the evolution has occurred over the course of decades. These advancements have been eagerly anticipated and driven by vendors and users as better applications are developed. Added to this are the hardware advances fuelled by Moore’s law. Computing equipment has become widely adopted to the extent that in many cases it is now central to everyday life. This means that vast amounts of personal information are stored on these devices and this technology is now used to control multiple systems. Of course, vendors and users are not the only people who have been monitoring these advancements over the years – bad actors have also been watching. The attacks launched by these actors have come in many forms – malware, theft, spear-phishing, system hijack, email compromise – and have been launched on an enormous scale.
For the most part, these attacks have been against enterprises and individuals with access to computers and associated services. As we now enter into the IoT era, should we expect to see this pattern repeat itself? In fact, should we expect it to be worse as the scale of IoT devices is certainly larger than that of desktop computers?
Indeed, consider the following findings from the NETSCOUT Threat Intelligence Report for H2’2019:
- There has been a 57% increase in Mirai-based malware samples, targeting 17 separate system architectures and their associated operating systems – for example IP-connected video cameras, home routers and smart televisions
- These attacks are rapidly and continually published, thereby allowing other popular malware families to incorporate them. For example, the ECHOBOT family was recently able to target a wide range of device families by using the 71 separate exploits at its disposal
- A key danger here is that the devices being targeted are patched infrequently, or not at all, which leaves them vulnerable to attack
- While this activity happens across the globe, adversaries often alter their activity to most successfully target the type of device most popular in any given region
In the case of desktop computing, protecting against exploitation has taken many forms – hardened operating systems, frequent updates, a vast array of antivirus solutions, and so on. Some of these advancements have been driven by the dominant players in the ecosystem. But for IoT this level of protection is significantly more complicated to implement. This is largely because the IoT ecosystem is vast and involves many different players responsible for the conception, development and maintenance of new devices and services. Therefore, the onus for fixes is harder to assign, as the impact of threat activity can occur at a great distance from the original producer. The result is a reduced incentive for self-correction in the process, which has dire consequences.
In fact, since 2016 there have been multiple ‘internet-threatening’ events, meaning that core infrastructure was affected as a result of attacks involving IoT devices. IoT devices have been used as stepping-stones in enterprise intrusion campaigns as well as in the theft of data from homes. At NETSCOUT we continually receive reports about vulnerabilities in foundational software, particularly the software that is widely deployed in IoT devices. The sheer scale of IoT devices presents a major problem because this vulnerable software is then used in many devices, all of which are connected to the Internet.
The IoT problem is clear, but how can these risks be reduced? Comparing this to the desktop revolution again sheds some light on the difficulty: back then it was possible to hold Microsoft accountable for Windows security, but who is accountable now?
A first step to increasing the security of these devices would be to change the architecture of how they are created so that secure access and updates, for example, are considered from the outset. At a service provider level, work needs to be done to ensure that outbreaks caused by abuse of devices, including novel vulnerabilities and attacks, can be contained. Customers purchasing these devices must be educated on their safe and proper use. Governments also have a responsibility to prevent the exploitation of the IoT ecosystem – it is up to them to clearly define the roles and responsibilities for each of the stakeholders in this ecosystem and to ensure that they are well understood. Only when all stakeholders are working together and accepting responsibility will change happen.
While working together, it is important that these stakeholders do not underestimate the intelligence of the adversary; just as they are working to improve the security of IoT devices, so too will the adversary be watching and adapting. ‘Perfect security’ cannot be achieved. This is not news, though, and every IT administrator is aware of the threats involving Microsoft Windows client systems in spite of the 15 years of work that has gone into improving the security of these devices. No matter how much work goes into improving devices, there will always be exploitable gaps. The challenges to the IoT system are not about to go away but, luckily, neither are those who work so hard to prevent these attacks.