Johan Hybinette, CISO, Vonage
There is no shortage of IoT (Internet of Things) devices out there, and demand is only growing. The sheer number of connected devices is astonishing: per Gartner, over 6 billion are already connected, a figure forecast to exceed 20 billion by 2020, with 5.5 million new things being connected every day.
Great news for technology, but an independent study by HP reveals that 70 percent of the most commonly used Internet of Things devices contain vulnerabilities, including weak password security, missing or weak encryption, and a general lack of granular user access permissions.
Security researchers in Denver recently built a drone based on the same idea used by Praetorian, but instead used a Raspberry Pi to detect various wireless IoT communications. The results were stunning: a 40-minute flight revealed over 1,000 devices. The most common protocols picked up were WiFi, ZigBee, and Z-Wave.
Drone experiments like this could be even worse if hackers could hijack the vulnerable devices they find and use them nefariously. Cognosec, a Vienna-based team of security researchers, demonstrated at Def Con/Black Hat how to exploit critical security flaws in ZigBee, allowing them to compromise every ZigBee-enabled device on a network, including alarm systems, door locks, garage doors, and even light bulbs.
The vulnerability is not a weakness in the ZigBee radio protocol itself, but in the way ZigBee is commonly implemented. The problem lies in how the keys used to authenticate devices joining the mesh network are handled: in common profiles the network key is transported to a joining device protected only by a default link key that is publicly known, so an attacker sniffing the join exchange can recover the network key and then impersonate or control every device on that network.

Malware has also surfaced that lets attackers build botnets from vulnerable IoT devices and launch distributed denial-of-service (DDoS) attacks. For example, Mirai bots drove much of last month's high-profile DDoS attack on Dyn DNS. Devices infected with Mirai are instructed to scan the Internet for IoT devices that still accept default usernames and passwords, log in to them, and in turn recruit them into a mini army of bots capable of massive DDoS attacks.
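The Mirai scanning behaviour described above leaves a recognisable footprint: one source address tries a short, fixed list of factory credentials against TCP/23 and TCP/2323 on many different hosts in quick succession. The following detector is an added example written for this page; it is not code from the article, from Vonage, or from the Mirai source. It parses a constructed key=value telnet-authentication log format (adapt the regex to your honeypot or router logs), uses a small subset of the username/password pairs hard-coded in Mirai's published scanner, and flags any source that tried several of those pairs across several targets. It also reports which logins succeeded, since those are the devices on your network that must have their default credentials changed first.

```python
"""Detect Mirai-style default-credential sweeps in telnet authentication logs.

Added example for this article, not code from the original page or from Mirai.
The log format is constructed for illustration; the credential list is a small
subset of the pairs hard-coded in the leaked Mirai scanner.
"""
import re
from collections import defaultdict

# Subset of the username/password pairs hard-coded in the leaked Mirai scanner.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("root", "12345"), ("user", "user"), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"), ("root", "666666"),
    ("root", "password"), ("root", "1234"), ("root", "klv123"), ("admin", "1234"),
    ("service", "service"), ("supervisor", "supervisor"), ("guest", "guest"),
    ("ubnt", "ubnt"), ("root", "hi3518"), ("root", "7ujMko0vizxv"),
}

# Constructed key=value log format (assumption for this example): one record per login attempt.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\S+)"
)

TELNET_PORTS = {"23", "2323"}  # Mirai scans TCP/23 and, less often, TCP/2323

# Constructed sample log: one source sweeping five hosts with Mirai credentials,
# and one legitimate admin mistyping a non-default password on a single host.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=FAIL
2016-10-21T12:00:01Z src=203.0.113.5 dst=192.0.2.11 dport=23 user=root pass=vizxv result=FAIL
2016-10-21T12:00:02Z src=203.0.113.5 dst=192.0.2.12 dport=2323 user=admin pass=admin result=FAIL
2016-10-21T12:00:02Z src=203.0.113.5 dst=192.0.2.13 dport=23 user=root pass=888888 result=OK
2016-10-21T12:00:03Z src=203.0.113.5 dst=192.0.2.14 dport=23 user=support pass=support result=FAIL
2016-10-21T12:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=root pass=S3cret! result=FAIL
2016-10-21T12:00:09Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=root pass=S3cret result=OK
"""


def parse_line(line):
    """Return the parsed fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def detect_sweeps(log_text, min_targets=3, min_default_creds=3):
    """Return {src: summary} for sources that look like Mirai scanners.

    A source is flagged when it tried known default credential pairs against telnet
    ports on at least `min_targets` distinct hosts and used at least
    `min_default_creds` distinct pairs from the Mirai list. Successful logins are
    listed so the affected devices can be re-credentialed.
    """
    per_src = defaultdict(lambda: {"targets": set(), "creds": set(), "successes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TELNET_PORTS:
            continue
        cred = (rec["user"], rec["pw"])
        if cred not in MIRAI_DEFAULT_CREDS:
            continue  # a non-default password is not part of the Mirai signature
        entry = per_src[rec["src"]]
        entry["targets"].add(rec["dst"])
        entry["creds"].add(cred)
        if rec["result"] == "OK":
            entry["successes"].append((rec["dst"], cred))

    flagged = {}
    for src, entry in per_src.items():
        if len(entry["targets"]) >= min_targets and len(entry["creds"]) >= min_default_creds:
            flagged[src] = {
                "targets": len(entry["targets"]),
                "default_creds_tried": len(entry["creds"]),
                "compromised": sorted(entry["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: swept {info['targets']} hosts with {info['default_creds_tried']} "
              f"Mirai default credentials; successful logins: {info['compromised']}")
```

The thresholds are deliberately low because a real scanner touches hundreds of hosts; raise `min_targets` if your sensor sees legitimate management traffic across many devices. The single admin who mistyped a strong password is not flagged because the signature keys on the credential list, not on failed logins alone.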
The days are here when your refrigerator participates in attacks on the Internet. The worst part is that there is not much users can do to make their smart devices more secure, and since these vulnerabilities affect a broad range of devices, it is unclear how quickly vendors will respond with a fix. Many of these devices are firmware based and do not upgrade easily. Malware can be installed and executed on them virtually undetected on a network; unlike computers, there is no endpoint protection available for them.

As popularity increases, vendors scramble to roll out products faster and faster, taking shortcuts that often compromise security and proper coding practices. Most IoT devices do not even encrypt their communications to the Internet or the local network. Encryption is crucial to ensuring both security and privacy.
Privacy is a growing concern and is seldom addressed. Many IoT vendors require users to create accounts and upload data from their devices into the cloud. There is no standard governing how collected data such as address, date of birth, email, name, credit card number, and streaming data is protected or used in the cloud. Vendors could easily sell this data to data-mining firms without consent from end users. And while devices happily transmit information from behind firewalls across the Internet into the cloud, what assurance is there that a manufacturer cannot connect back into your network from the cloud over that same channel? Imagine if someone could eavesdrop on conversations in your house through an Amazon Echo (a hands-free speaker that you control with your voice). Development and operational standards for IoT devices are becoming a necessity to protect consumers and the Internet. It is imperative for manufacturers to implement an end-to-end solution that identifies and addresses vulnerabilities before they become rampant.
To protect against these threats, consumers should first invest in routers and firewalls capable of detecting hostile traffic and of separating the IoT network from the workstation network, so that a compromised device can still reach the Internet but cannot initiate connections to your computers. You may spend another $100 on a better firewall, but this is a small price to pay for protecting yourself