The US Federal Bureau of Investigation (FBI) has issued another of its periodic ‘Public Service Announcements’. However ‘Alert I-080218-PSA’ does not refer to any of America’s most wanted criminals but is instead a dire warning of the perils and pitfalls of the Internet of Things (IoT).
The announcement “Cyber actors use Internet of Things devices as proxies for anonymity and pursuit of malicious cyber activities” points up and reinforces what many actors in the global comms industry (including TelecomTV) have been saying for a very long time now – that the IoT is essentially, inherently chronically insecure and wide open to potentially devastating cyber attacks that could have far-reaching national and even international consequences for vital networks and systems. Now that the G-Men are on the case perhaps the sector will start to pay meaningful attention to the dangers.
The FBI Alert says, “Cyber actors actively search for and compromise vulnerable Internet of Things devices for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation. IoT devices, sometimes referred to as “smart” devices, are devices that communicate with the Internet to send or receive data. Examples of targeted IoT devices include: routers, wireless radios links, time clocks, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices.” And there you have it in a nutshell.
As the warning makes explicitly clear, “IoT proxy servers are attractive to malicious cyber actors because they provide a layer of anonymity by transmitting all Internet requests through the victim device’s IP address. Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.”
The greater the use, the greater the threat
Cyber criminals are using compromised IoT devices as proxies to, among other nefarious illegal activities, send spam e-mails, maintain anonymity, obfuscate network traffic, monitor and take over Internet browsing, generate click-fraud activities, buy, sell, and trade illegal images and goods, conduct credential stuffing attacks (where cyber crooks use an automated script to test stolen passwords from other data breach incidents on unrelated web-sites), and sell or lease IoT botnets to other cyber criminals for financial gain. It’s serious stuff.
The FBI adds that cyber crooks typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities. And if that doesn’t work they also originate and apply brute force attacks on devices with default usernames and passwords.
The Alert tells readers that it can be very difficult to detect when IoT devices have been compromised but provides a useful list of possible indicators that can help show when devices or a network has been breached and compromised. These include examples such as a major spike in monthly Internet usage, a larger than usual Internet bill or devices slowing down or becoming inoperable and unusual outgoing Domain Name Service queries and outgoing traffic.
The G-Men also provide a list of actions that should be taken to help ensure the protection and defence of IoT devices and networks. Among them are regularly to reboot devices because most malware is stored in memory and is therefore removed when a device is rebooted, the use of good quality, robust anti-virus software and ensure that it is always up to date and also to ensure that all IoT devices are similarly up to date and all security patches are incorporated. It is also vital to change default usernames and passwords. That might seem obvious advice but it is astonishing how complacent and just downright lazy network administrators can become – until the sky falls on them.
The Alert also recommends that network firewalls be configured to block traffic from unauthorised IP addresses and that port forwarding be disabled. Furthermore, IoT devices should be totally isolated from all other network connections.
Insecure IoT. A disaster waiting to happen
It is generally accepted that sometime, somewhere, a huge and devastating cyber attack on IoT systems and networks will happen. Amongst the nightmare scenarios are assaults that could compromise the safety of nuclear power stations, force the collapse of national infrastructures such electricity, gas, water and hydrocarbon fuel networks and attacks on banking networks and financial systems.
So serious is the situation that research house IDC reports that the cybersecurity and physical safety concerns associated with IoT devices will force Global 2000 companies to increase IoT security spending 25 per cent by over the next two years. Meanwhile, a report from another research company, Forrester, finds that spending on global cloud security solutions will reach US$3.5 billion by 202. That’s an annual growth rate of 28 per cent.
As Kayne McGladrey, the Director of Information Security Services at Integral Partners, the cyber security, access and identity management specialist company headquartered in Boulder, Colorado, says, “IoT security remains one of the most challenging security vulnerabilities to businesses and consumers. The Mirai and Reaper botnets are results of threat actors leveraging poor security controls on IoT devices, building attack infrastructure out of those devices, and using that stolen infrastructure to attack organinations. Companies and organisations purchasing IoT/IIoT devices should treat them the same as any other endpoint device connecting to the corporate network.”
Meanwhile, Edward Featherston, Principal Architect at Cloud Technology Partners, says, “While all three present security challenges and risks to the business, IoT has the largest potential of security vulnerability risk. Security teams need to fully understand the limits and risks associated with the increased attack surface of these devices, and work with vendors on service level agreements to ensure the security levels organisations need are being met.”
One of the biggest IoT risks is the is the pronounced lack of security in the devices that manufacturers dispatch to their customers. All too frequently IoT devices are shipped with little to no security in their default settings. It is a basic and evident vulnerability but little seems to be being done about it. IoT is still in its infancy and manufacturers need to develop and agree on common industry standards and provide devices and systems with the highest levels of security already built-in – or the lusty infant will grow to be a sickly and short-lived child. – Telecom TV