Fri, Dec 16, 2016
The recent distributed denial of service (DDoS) attack against an internet management company, which disrupted connectivity for millions of users and involved Internet-of-Things (IoT) devices – from cameras to DVRs to lightbulbs to routers – demonstrated in a dramatic way that our networks are far more vulnerable than we thought. The danger of a company’s devices being compromised to become part of a “zombie army” for attacking companies, organizations, or government agencies is very real. In this briefing, Kroll Cyber Security answers some key questions facing senior executives and board members.
Q: What Is the Internet-of-Things?
The Internet-of-Things is the term used to describe devices that are not primarily computers but are connected to the internet or to a data network. Rather than laptops, desktops, servers, tablets, and the like, the IoT is made up of “smart” devices like light bulbs, routers, refrigerators, washers, dryers, cameras, baby monitors, door locks, and anything else that you can remotely operate from a mobile device. It also includes devices that were installed by others, like cable and fiber optic routers, set-top TV boxes, DVRs, and even smart TVs. Even cars are now being delivered with always-on internet connections. There are hundreds of millions of these devices, and by all estimates there will soon be billions – all connected to the internet.
Q: What’s the Problem?
Unfortunately, it turns out that the manufacturers of these devices didn’t think too much about cyber security when they built them. In some cases, speed-to-market and lower cost seem to have been more important considerations. Hackers have learned how to take control of these devices located in homes and businesses and to remotely order the devices to attack specific internet addresses. By controlling and coordinating tens of thousands of devices, hackers can attack a victim with data arriving at 500-1,000 gigabytes per second, overwhelming the ability of the targeted servers to deal with them and ultimately making them fail.
Q: But Doesn’t It Take a Real Genius Hacker to Do That?
Not anymore. Some hackers release the computer code they’ve deployed, making it available to any cyber criminal, hacktivist, terrorist, or nation-state that wants to use it. For example, code called Mirai was released and deployed in October’s large-scale DDoS attack and has since been identified in additional IoT-based attacks.
Q: Can These Devices Compromise My Company’s Security?
It’s clear that hackers can take control of devices inside a corporate network. What’s still unknown is the extent to which criminals will be able to exploit that control. Certainly, devices could do far more than just attack other systems. For example, security researchers have demonstrated the ability to affect automobiles and to talk to children over their baby monitors. The FDA has issued warnings concerning several medical devices that could be hacked and harm a patient. It’s certainly possible that some devices could be exploited to gain further access to your network and your data.
Q: How Can Hackers Take Control of So Many Devices So Quickly?
While analysis is ongoing, it appears that many of these devices have standardized passwords and user IDs. Where all devices of a certain kind use the same password, it’s easy to use a malicious program – like Mirai – to try known passwords and gain fast access. In some cases, the weak passwords were built into devices without a lot of thought. In other cases, third parties may have used shared passwords to make their remote maintenance activities easier.
One of the firms that manufactures some of the devices that were compromised in the Mirai-based attacks has issued an apology, with a promise to fix the problems. But some devices don’t come with documentation explaining how to change the password. Others don’t provide for software updates to their devices to close security holes. And even where documentation is available, many companies and users won’t recognize the danger and won’t take the needed actions.
Q: What Should Organizations Do?
Key actions that should be taken immediately include:
Q: Can Terrorists Use These IoT Devices to Cause Widespread Problems?
Unfortunately, until IoT devices have reasonable security, the danger is there. What if these devastating attacks were directed at a bank or credit card network or traffic control system? We’re just starting to understand the risks and the need to build security into these devices. The medical industry is focusing on this problem, and the automotive industry is working to make smart cars more secure. It will take time, so right now, you should be taking the time to protect yourself and your organization.