Non-Secure IoT Devices Are Powerful Weapons

Uploaded on 2017-02-14 in TECHNOLOGY--Developments, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY-Key Areas-Internet of Things

The Institute for Critical Infrastructure Technology (ICIT), a cyber-security think tank, has published a new paper in which it argued that future IoT devices need to be secure-by-design and that there should be some regulation setting minimum security standards, too.

Failing that, the group warned that non-secure IoT devices or devices that have backdoors could be transformed into powerful weapons that rival nations could wield against each other.

Mirai, The Beginning of Massive DDoS Attacks

Since the open source Mirai botnet software was published on the Internet, we’ve started to see some powerful distributed denial of service (DDoS) attacks that can take down major websites or at least cause severe disruption to their service.

The attacks were mainly enabled by non-secure Internet of Things (IoT) devices, which are often not designed with security in mind and even come with backdoors or hardcoded credentials. This allows attackers to discover easy entrance into millions of devices and take them over.

However, despite all of this, many experts seem to agree that Mirai is only the beginning. As billions of IoT devices are predicted to come online over the next decade, we could see attacks that are orders of magnitude more powerful.

At that point, the non-secure or back-doored IoT devices are not just a threat to a handful of large companies or organisations, but to entire nation states. Massive DDoS attacks could be used to shut down critical infrastructure and cause chaos.

Rise of the Machines: The Dyn Attack Was Just a Practice Run

In the report called  “Rise of the Machines: The Dyn Attack Was Just a Practice Run”, which was written by James Scott and Drew Spaniel, both of whom are members of ICIT,  the authors warned that in the future it’s possible that China or other states could weaponise non-secure or back-doored IoT devices and then use them against rivals.

If that’s the case, and it at least looks like we’re heading in that direction, then the governments of all countries need to realize that non-secure IoT devices, or devices that ship pre-back-doored and can later be exploited by anyone, represent a serious national security risk.

Making IoT Devices "Secure-By-Design"

Throughout most of the paper, the authors argued for IoT devices that employ “security-by-design.” What that means is that manufacturers will have to ensure that their IoT devices are developed with security-first thinking.

All code will need to be written in a way that won’t cause too many security vulnerabilities later on, and multiple anti-exploit protections will have to be deployed. Both of which should end up saving the manufacturers some money with patching the systems, or even with recalls or lawsuits.

The ICIT authors said that right now, neither the buyers nor the sellers of IoT devices feel any responsibility for the damage their devices cause when they are taken over by botnets due to poor security. The buyers don’t care because DDoS attacks don’t impact their devices in a major way, and the sellers have simply moved on to selling a new version of their product, instead of investing in patching the older one.

Bruce Schneier, a well-known security expert, has recently argued that the non-security of IoT devices should be seen as invisible pollution that affects everyone. Therefore, just like with pollution, the only solution is some kind of government regulations on companies polluting the environment.

The ICIT authors also share Schneier’s view that governments should impose some minimum security standards on IoT manufacturers, along with liabilities in case something goes wrong. Companies affected by DDoS attacks from non-secure IoT devices should also be able to sue the makers of those devices.

The authors also said that regulation should be done responsibly so as not to hinder innovation too much. They suggested following security standards similar to those in other industries, such as the healthcare industry, as well as following security best practices such as the ones promoted by the NIST or other relevant agencies.

Back-doors should also be avoided at all costs. The authors said that whatever good may be achieved through them is outweighed by orders of magnitude by the potential of a nation state one day being able to use those same back-doors to attack and cripple national infrastructure of various critical services.

In the meantime, back-doors will also be discovered and used by many other “bad guys” for their own malicious purposes.

TomsHardware:          Rise Of The Machines:    

 

« Stolen Health Records Flooding Dark Web Markets
Protecting Employees From Data Breaches »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Prosperon Networks

Prosperon Networks

Prosperon Networks support SMB to Enterprise networks through the provisioning of network monitoring software, customisation, consultancy and installation.

DoSarrest Internet Security Ltd

DoSarrest Internet Security Ltd

DOSarrest is a fully managed security firm specializing in cloud based DDoS protection services to a worldwide client base.

GovCERT.CZ

GovCERT.CZ

GovCERT.CZ is the Government Computer Emergency Response Team of the Czech Republic.

European Business Reliance Centre (EBRC)

European Business Reliance Centre (EBRC)

EBRC is a leader in integrated Data Center, Cloud and Managed Services and a Centre of Excellence in Europe in the Management of Sensitive Information.

PETRAS IoT Hub

PETRAS IoT Hub

PETRAS is a consortium of 12 research institutions and the world’s largest socio-technical research centre focused on the future implementation of the IoT.

Aporeto

Aporeto

The Aporeto platform protects cloud applications from attack by authenticating and authorizing all communications with a cryptographically signed identity assigned to every workload.

ODSC

ODSC

ODSC is a security systems integrator that provides services and expertise in identity management and access.

BlackScore

BlackScore

BlackScore is a technology company seeking to disrupt risk assessment using AI-driven technology.

SafeTech Informatics & Consulting

SafeTech Informatics & Consulting

Safetech's OTShield detects, prevents and analyses cyber-attacks in SCADA and Industrial IoT systems by utilising state of the art deception techniques.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

Charles IT

Charles IT

Charles IT is your friendly, no-nonsense IT team focused on helping companies make their technology work for them. We focus on building relationships that deliver results.

CyberGate Technologies

CyberGate Technologies

CyberGate Technologies is a world-class, customer focus cyber security service and consultancy company operating the UK, Europe, Middle East, and Africa.

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions (ICSS)

Indian Cyber Security Solutions is an Enterprise Cyber Security Platforms company offering Cyber Security & Technical Education and Compliance & Penetration Testing Services.

eMudhra

eMudhra

eMudhra is a leader in Identity and Transaction Management Solutions.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Trofi Security

Trofi Security

Trofi Security provides Information Technology and Information Security services to organizations in both the public and private sectors.