I recently attended a cybersecurity conference in Australia and it was amazing to me just how contentious Internet of Things (IoT) and Operational Technology (OT) are right now. When I spoke to people there, I came across two different views: firstly the ‘World Economic Forum view’, which is that IoT and OT technologies are the fourth industrial revolution that will dramatically redefine industries and produce huge productivity gains; and secondly the ‘Security view’, which questions why we are connecting so many things to the internet when doing so will make us so drastically insecure.
I tend to take a more pragmatic view, in that when you increase network connectivity, you increase the attack surface and risk, but the network can also provide the resources to manage that risk.
We saw this with Microsoft Windows machines in the ‘90s, when they started to get connected to Local Area Networks (LANs) without the appropriate security features and resources in place.
We then had several years of massive worm outbreaks, until we figured out how to build patching servers, get patches rapidly deployed, push security policies to desktops and reduce our level of trust in the local network.
We’re now at a similar time with IoT, where today in the device world, we don’t have the security and management ecosystem that we have in other areas.
If you look at the Mirai botnet in late 2016 and early 2017, it was a combination of many different factors: devices running as miniature Linux servers, using the same operating system password and with remote login services enabled; Universal Plug and Play (UPnP) and its Simple Service Discovery Protocol (SSDP), enabled by default on home routers to open firewall holes so that device services could be accessed over the Internet; and ISPs that don’t block network connections going to their broadband users.
These are all vulnerabilities that we learned how to protect against many years ago, so why were they still present? We need to look at IoT security as an ecosystem. There are four different parties involved and right now it’s a sort of ‘tragedy of the commons’, where each party thinks that someone else is responsible for the IoT problem.
The most significant party to look at is the device manufacturers. Manufacturers have the responsibility to build devices that are safe to connect to the network, and that means operating system (OS) and application hardening, and automatic updates. While there are some standards for devices, because of the wildly diverse nature of IoT devices — from sensors to cameras to home network storage — you need to build device-to-device standards.
There’s also a fundamental problem where today many consumer devices are built in Asia for $2 apiece and sold for $20. You can’t expect a lot of expert engineering for $2, nor can you expect the manufacturer to support that device with patches and certify it as secure if that takes an additional six months of lab time and $150k. Some of these devices will be in operation for ten years, whereas the normal IT device might last three to five years before it’s replaced.
The next party to look at is the consumer and end-user. This might also include the company that buys and uses IoT devices. There’s a lot of focus in the press on all the things that enterprises and home users can do to protect themselves and make their devices secure, like network segregation, disabling UPnP/SSDP, changing device passwords and applying firmware updates. That’s all great, but most of the time consumers don’t have access to the OS or even the ability to tell if the device is secure: if it sits on the shelf and blinks, does that make it secure?
According to the common practices of the Internet, Internet Service Providers (ISPs) are the party responsible for traffic coming from their network. This includes IoT devices that have “gone rogue”. Some of the IoT attacks are a hygiene issue and ISPs are in a position to be impacted by the attacks.
However, right now ISPs respond to complaints on a very slow, reactive model. They don’t have enough staff resources to clean up all the devices and the information flow isn’t timely enough to block attacks as they happen. In order to get this clean-up scaled to meet demand, ISPs need real-time automated reporting of abuse and to feed that into a semi-automated response system to block the attack at the subscriber’s level.
Lastly, there are the organisations that receive these attacks. Both established organisations and small-to-medium businesses (SMBs) have a role to play in identifying devices that are attacking them and closing the feedback loop to manufacturers, consumers and ISPs.
When Akamai first saw Mirai, we looked at the sources of the traffic and kept seeing IP-connected cameras. If you look at enough attack sources, you can see the model and manufacturer of the compromised device and where the devices are on the network and can relay that information back to the manufacturer. But this relies on organisations actively reporting devices that have gone rogue and the manufacturer being part of the larger community and connected to incident responders.
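The reporting loop described above (real-time abuse reporting to ISPs, and attacked organisations turning their attack-source data into something the rest of the ecosystem can act on) as an added example; this is illustrative code, not Akamai's tooling, and the log format, IP ranges and ISP contact names are all constructed for the demonstration:

```python
# Added example, not Akamai's tooling: turn attack-source log lines into
# per-ISP abuse records. Log format, IP ranges and ISP names are constructed.
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: timestamp, source IP, target host, requests in window.
SAMPLE_LOG = """\
2017-02-01T10:00:00Z 203.0.113.17 shop.example.com 1200
2017-02-01T10:00:05Z 203.0.113.17 shop.example.com 1350
2017-02-01T10:00:07Z 198.51.100.9 shop.example.com 900
2017-02-01T10:01:00Z 203.0.113.200 news.example.com 400
2017-02-01T10:02:30Z 192.0.2.44 news.example.com 2500
"""

# Constructed prefix -> ISP abuse contact table (hypothetical values).
ISP_PREFIXES = {
    "203.0.113.0/24": "ExampleNet <abuse@examplenet.example>",
    "198.51.100.0/24": "DemoBroadband <abuse@demobb.example>",
}

def isp_for(ip):
    """Longest-prefix match of a source IP against the ISP table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, name in ISP_PREFIXES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else "unknown (WHOIS lookup needed)"

def build_abuse_reports(log_text, min_requests=1000):
    """Aggregate per source IP, drop low-volume noise, group by ISP."""
    per_source = defaultdict(lambda: {"requests": 0, "seen": []})
    for line in log_text.splitlines():
        ts, ip, _target, count = line.split()
        rec = per_source[ip]
        rec["requests"] += int(count)
        rec["seen"].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    reports = defaultdict(list)
    for ip, rec in per_source.items():
        if rec["requests"] < min_requests:
            continue  # keep low-volume sources out of the ISP's abuse queue
        reports[isp_for(ip)].append({
            "ip": ip,
            "requests": rec["requests"],
            "first_seen": min(rec["seen"]).isoformat(),
            "last_seen": max(rec["seen"]).isoformat(),
        })
    return dict(reports)
```

Sources that fall outside the known prefix table land in an "unknown" bucket for manual WHOIS follow-up, which is where the per-device model and manufacturer attribution mentioned above would be attached before the record is relayed on.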
Our most recent data in Australia revealed a sharp increase in local botnet members and the near tripling of malicious IP addresses participating in attacks against Australian web sites since December 2016. As these attacks continue to increase in size and frequency, it will take collective action from the entire IoT ecosystem — manufacturers, ISPs, consumers and organisations — to reduce device vulnerabilities and defend against malicious actors.