The Internet of Things – Immediate Challenges, Immediate Dangers

December 16, 2016

A Kroll Q&A for Board Members and Senior Executives

The recent distributed denial of service (DDoS) attack against an internet management company, which disrupted connectivity for millions of users and involved Internet-of-Things (IoT) devices (from cameras to DVRs to lightbulbs to routers), demonstrated in a dramatic way that our networks are far more vulnerable than we thought. The danger of a company’s devices being compromised to become part of a “zombie army” for attacking companies, organizations, or government agencies is very real. In this briefing, Kroll Cyber Security answers some key questions facing senior executives and board members.

Q: What is the Internet-of-Things?

The Internet-of-Things is the term used to describe devices that are connected to the internet or to a data network that are not primarily computers. Rather than laptops, desktops, servers, tablets, and the like, the IoT is made up of “smart” devices like light bulbs, routers, refrigerators, washers, dryers, cameras, baby monitors, door locks, and anything else that you can remotely operate from a mobile device. It also includes devices that were installed by others, like cable and fiber optic routers, set-top TV boxes, DVRs, and even smart TVs. Even cars are now being delivered with always-on internet connections. There are hundreds of millions of these devices, and by all estimates there will soon be billions – all connected to the internet.

Q: What’s the problem?

Unfortunately, it turns out that the manufacturers of these devices didn’t think too much about cyber security when they built them. In some cases, speed-to-market and lower cost seem to have been more important considerations. Hackers have learned how to take control of these devices located in homes and businesses and to remotely order the devices to attack specific internet addresses. By controlling and coordinating tens of thousands of devices, hackers can attack a victim with data arriving at 500-1,000 gigabytes per second, overwhelming the ability of the targeted servers to deal with it and ultimately making them fail.

Q: But doesn’t it take a real genius hacker to do that?

Not anymore. Some hackers release the computer code they’ve deployed, making it available to any cyber criminal, hacktivist, terrorist, or nation-state that wants to use it. For example, code called Mirai was released and deployed in October’s large-scale DDoS attack and has since been identified in additional IoT-based attacks.

Q: Can these devices compromise my company’s security?

It’s clear that hackers can take control of devices inside a corporate network. What’s still unknown is the extent to which criminals will be able to exploit that control. Certainly, devices could do far more than just attack other systems. For example, security researchers have demonstrated the ability to affect automobiles and to talk to children over their baby monitors. The FDA has issued warnings concerning several medical devices that could be hacked and harm a patient. It’s certainly possible that some devices could be exploited to gain further access to your network and your data.

Q: How can hackers take control of so many devices so quickly?

While analysis is ongoing, it appears that many of these devices have standardized passwords and user IDs. Where all devices of a certain kind use the same password, it’s easy to use a malicious program – like Mirai – to try known passwords and gain fast access. In some cases, the weak passwords were built into devices without a lot of thought. In other cases, third parties may have used shared passwords to make their remote maintenance activities easier.

One of the firms that manufactures some of the devices that were compromised in the Mirai-based attacks has issued an apology, with a promise to fix the problems. But some devices don’t come with documentation explaining how to change the password. Others don’t provide for software updates to their devices to close security holes. And even where documentation is available, many companies and users won’t recognize the danger and won’t take the needed actions.

Q: What should organizations do?

Key actions that should be taken immediately include:

  • Find out if IoT devices are connected to your network. This can usually be done through tools that list all attached devices. For a home network, if you can access your router, there should be a function to list connected devices. Don’t forget that employees, contractors, vendors, or even visitors may have added wired or wireless devices without official IT permission. If you can change the current passwords, it’s best to do so, although if you’re looking at a device installed by a vendor – like a router or security system – you should coordinate with them so that they can continue to service and operate those devices. For devices that don’t permit you to change passwords, you have to determine whether – at least in the short term – you should remove them from your network. Some analyses have shown that when many devices are turned off and then re-started, the malware is gone – but in a lot of cases, re-infection can occur within 30 seconds.
  • Contact vendors who may have placed devices into your network (such as environmental sensors, security systems, and even smart TVs) and ask whether each device has a unique password. If not, ask them if the vendor can and will change it, and how that password is secured. If the vendor can’t or won’t comply with your request, you should consult with counsel and evaluate how to proceed.
  • Send a written communication to all employees explaining the danger of IoT devices. Further, ask anyone who has attached one to a company wired or wireless network to remove it immediately, and state that they may not re-connect it unless and until authorized by IT. You should follow up by updating your information security standards and policies to prohibit any IoT device from being attached to a network without IT’s review and approval.
  • In purchasing, be aware that your organization may be buying IoT devices and not even know it. The simple rule has to be that if a device can connect to the network, it has to be approved before installation, with no exceptions.
  • At home, you should also find out what’s attached to your network. Check your router, and consult with your cable company or ISP for directions, if needed. Don’t be surprised if you find more than you expected. Every smart TV and probably every cable set-top box and DVR will be listed. Security cameras may be there, along with all of the computers, tablets, and phones in your home. But if you see devices you don’t recognize, try to figure out what they are and whether they are too risky.
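For IT staff carrying out the first action above, the following added example (not part of the Kroll briefing) compares a router's list of connected devices against an approved inventory and sorts each device into the follow-up the checklist calls for. It assumes the router exports leases in the dnsmasq lease-file format; the sample leases, MAC addresses, and inventory are constructed, and devices with static addresses will not appear in a DHCP lease list.

```python
# Constructed sample in dnsmasq lease-file format:
#   <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1481900000 02:00:00:aa:00:01 192.168.1.10 finance-laptop 01:02:00:00:aa:00:01
1481900100 02:00:00:aa:00:02 192.168.1.20 lobby-camera *
1481900200 02:00:00:aa:00:03 192.168.1.31 * *
1481900300 02:00:00:AA:00:04 192.168.1.32 smart-tv *
malformed line
"""

# Hypothetical approved inventory: MAC -> (description, who manages the device)
APPROVED = {
    "02:00:00:aa:00:01": ("Finance laptop", "IT"),
    "02:00:00:aa:00:02": ("Lobby security camera", "vendor"),
}


def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or len(fields[1].split(":")) != 6:
            continue  # skip blank or malformed lines
        hostname = None if fields[3] == "*" else fields[3]
        yield fields[1].lower(), fields[2], hostname


def audit(lease_text, approved):
    """Sort connected devices into the follow-ups the checklist describes."""
    report = {"approved": [], "coordinate_with_vendor": [], "unapproved": []}
    for mac, ip, hostname in parse_leases(lease_text):
        entry = approved.get(mac)
        if entry is None:
            # Not in the inventory: remove until reviewed and authorized by IT.
            report["unapproved"].append((mac, ip, hostname or "(no name)"))
        elif entry[1] == "vendor":
            # Vendor-installed: coordinate before changing its password.
            report["coordinate_with_vendor"].append((mac, ip, entry[0]))
        else:
            report["approved"].append((mac, ip, entry[0]))
    return report


if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_LEASES, APPROVED).items():
        print(bucket)
        for mac, ip, name in devices:
            print(f"  {ip:<15} {mac}  {name}")
```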

Q: Can terrorists use these IoT devices to cause widespread problems?

Unfortunately, until IoT devices have reasonable security, the danger is there. What if these devastating attacks were directed at a bank or credit card network or traffic control system? We’re just starting to understand the risks and the need to build security into these devices. The medical industry is focusing on this problem, and the automotive industry is working to make smart cars more secure. It will take time, so right now, you should be taking the time to protect yourself and your organization.