Non-Secure IoT Devices Are Powerful Weapons

The Institute for Critical Infrastructure Technology (ICIT), a cyber-security think tank, has published a new paper in which it argued that future IoT devices need to be secure-by-design and that there should be some regulation setting minimum security standards, too.

Failing that, the group warned that non-secure IoT devices or devices that have backdoors could be transformed into powerful weapons that rival nations could wield against each other.

Mirai, The Beginning of Massive DDoS Attacks

Since the open source Mirai botnet software was published on the Internet, we’ve started to see some powerful distributed denial of service (DDoS) attacks that can take down major websites or at least cause severe disruption to their service.

The attacks were mainly enabled by non-secure Internet of Things (IoT) devices, which are often not designed with security in mind and even come with backdoors or hardcoded credentials. This allows attackers to discover easy entrance into millions of devices and take them over.

However, despite all of this, many experts seem to agree that Mirai is only the beginning. As billions of IoT devices are predicted to come online over the next decade, we could see attacks that are orders of magnitude more powerful.

At that point, the non-secure or back-doored IoT devices are not just a threat to a handful of large companies or organisations, but to entire nation states. Massive DDoS attacks could be used to shut down critical infrastructure and cause chaos.

Rise of the Machines: The Dyn Attack Was Just a Practice Run

In the report called  “Rise of the Machines: The Dyn Attack Was Just a Practice Run”, which was written by James Scott and Drew Spaniel, both of whom are members of ICIT,  the authors warned that in the future it’s possible that China or other states could weaponise non-secure or back-doored IoT devices and then use them against rivals.

If that’s the case, and it at least looks like we’re heading in that direction, then the governments of all countries need to realize that non-secure IoT devices, or devices that ship pre-back-doored and can later be exploited by anyone, represent a serious national security risk.

Making IoT Devices "Secure-By-Design"

Throughout most of the paper, the authors argued for IoT devices that employ “security-by-design.” What that means is that manufacturers will have to ensure that their IoT devices are developed with security-first thinking.

All code will need to be written in a way that won’t cause too many security vulnerabilities later on, and multiple anti-exploit protections will have to be deployed. Both of which should end up saving the manufacturers some money with patching the systems, or even with recalls or lawsuits.

The ICIT authors said that right now, neither the buyers nor the sellers of IoT devices feel any responsibility for the damage their devices cause when they are taken over by botnets due to poor security. The buyers don’t care because DDoS attacks don’t impact their devices in a major way, and the sellers have simply moved on to selling a new version of their product, instead of investing in patching the older one.

Bruce Schneier, a well-known security expert, has recently argued that the non-security of IoT devices should be seen as invisible pollution that affects everyone. Therefore, just like with pollution, the only solution is some kind of government regulations on companies polluting the environment.

The ICIT authors also share Schneier’s view that governments should impose some minimum security standards on IoT manufacturers, along with liabilities in case something goes wrong. Companies affected by DDoS attacks from non-secure IoT devices should also be able to sue the makers of those devices.

The authors also said that regulation should be done responsibly so as not to hinder innovation too much. They suggested following security standards similar to those in other industries, such as the healthcare industry, as well as following security best practices such as the ones promoted by the NIST or other relevant agencies.

Back-doors should also be avoided at all costs. The authors said that whatever good may be achieved through them is outweighed by orders of magnitude by the potential of a nation state one day being able to use those same back-doors to attack and cripple national infrastructure of various critical services.

In the meantime, back-doors will also be discovered and used by many other “bad guys” for their own malicious purposes.

TomsHardware:          Rise Of The Machines:    

 

« Stolen Health Records Flooding Dark Web Markets
Protecting Employees From Data Breaches »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Homeland Security Investigations (HSI)

Homeland Security Investigations (HSI)

Homeland Security Investigations (HSI) is a premier federal law enforcement agency within the Department of Homeland Security (DHS).

e-Governance Academy (eGA)

e-Governance Academy (eGA)

eGA is a think tank and consultancy founded for the transfer of knowledge and best practice in e-governance, e-democracy and national cyber security.

Datec PNG

Datec PNG

Datec is the the largest end-to-end information and communications technology solutions and services provider in Papua New Guinea.

Cyber Security Academy (CSA)

Cyber Security Academy (CSA)

The CSA aims to educate professionals who wish to contribute to strengthening the digital defensibility of states, organisations and individual citizens.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

Blockchain Solutions

Blockchain Solutions

Blockchain Solutions Limited is a technological One Stop Solution provider, for Blockchain technology.

Kindus

Kindus

Kindus is an IT security, assurance and cyber security risk management consultancy.

SyncDog

SyncDog

SyncDog is a leader in enterprise security and the preeminent vendor for containerized mobile application security across cloud & on-premise computing environments.

CAPSLOCK

CAPSLOCK

CAPSLOCK delivers career-changing cyber training to help adults re-skill. Learn online to become a cyber security professional and pay no tuition until you land a high-paying job.

Cloud Range

Cloud Range

Cloud Range provides cybersecurity teams with access to the world's leading cyber range platform, eliminating the need to invest in costly cyber range infrastructure.

VectorRock

VectorRock

Save Your Business From Cyber Criminals. We specialize in uncovering cyber risks which threaten your organization and fixing them.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Everfox

Everfox

Everfox (formerly Forcepoint Federal) has been defending the world's most critical data and networks against the most complex cyber threats imaginable for more than 25 years.

Softanics

Softanics

Softanics’ ArmDot protects .NET apps with advanced obfuscation, control flow protection, and virtualization, securing code against reverse engineering without requiring agents or environment changes.

Cloud Native Computing Foundation (CNCF)

Cloud Native Computing Foundation (CNCF)

CNCF seeks to drive adoption of cloud native technologies by fostering and sustaining an ecosystem of open source, vendor-neutral projects.

Cyber Brain Academy

Cyber Brain Academy

At Cyber Brain Academy, our mission is to provide high-quality IT certification training for the cyber security workforce.