Surviving the IoT Cyber Attack Pandemic

Ronald Quirk

“The Internet of Things is turning into a security nightmare.”

So wrote Thomas Ricker, a respected systems engineer and deputy editor of The Verge, in describing the enormous distributed denial of service (DDoS) attack that disabled wide swaths of the Internet in late September 2016. This is no hyperbole. Mr. Ricker’s statement succinctly describes the current state of Internet of Things devices’ vulnerability to cyber attack and hacking.

According to a leading report by Malwarebytes Labs, there were nearly 1 billion malware detections and incidents, affecting nearly 100 million devices in more than 200 countries, during the June to November 2016 period alone.

The United States is the top country for ransomware detections, as Americans are targeted because of their wide accessibility to technology and their ability to pay the ransom.

Unprotected Devices Are Begging for an IoT Cyber Attack

IoT devices are particularly vulnerable to cyber attacks from botnets, which are networks of private computers infected with malicious software and used to spread malware.

The aforementioned DDoS attack was orchestrated by a botnet that spread Mirai, an open-source malware, which compromised many IoT devices and home routers, with all of the infected devices being controlled by a single source. This brought down many well-known websites.

Less than a month later, Mirai was used to attack Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. This attack, which compromised security cameras, prevented millions of users from accessing popular sites such as Twitter, Reddit, and Netflix.

Mirai is a particularly insidious malware. It scours the Web for IoT devices protected by little more than factory-default usernames and passwords, using an internal database of default names and passwords to gain entry to connected devices. After gaining access, Mirai attacks by throwing junk traffic at an online target until it can no longer accommodate legitimate users.

It is unlikely that we have seen the last of Mirai. The hacker who created Mirai released the source code for it, thereby enabling anyone who wants to instigate a botnet attack to use the malware.

Unsecured Firmware Can Be a Cesspool of Insecurity

Passwords in IoT products are embedded in the firmware. Firmware is software that controls the basic functions of a particular device; all computing devices rely on it.

Devices such as smartphones and computers have operating systems, which help consumers manage the firmware. But devices without operating systems built in, such as routers and smart devices, render firmware difficult or even impossible for users to manage.

This scenario results in firmware potentially being a cesspool of insecurity.

Many manufacturers view building security protocols in their devices as an unnecessary expense that eats into their margins. Consumers rarely think about applying patches (i.e., software that fixes security vulnerabilities) or installing updates on their devices—and because consumers don’t demand firmware support, manufacturers don’t provide user-friendly ways to update firmware used in their IoT devices.

This kind of neglect has resulted in cyber bugs such as the Misfortune Cookie, which in 2014 was discovered in the firmware of more than 200 router models. This bug allows attackers to monitor Internet traffic channeled through an unsecured router, steal passwords and login credentials, and spread malware to other devices.

Securing Firmware Is a Critical Cybersecurity Measure

As firmware is the heart and soul that runs IoT and connected devices, securing it is key to reducing cyber risks. Manufacturers of IoT devices and other entities involved in securing, underwriting or litigating products that face cybersecurity risks should begin their examination with a firmware evaluation.

As there are numerous attack vectors, a constructive place to start is to employ an expert who can efficiently reverse-engineer firmware to reveal vulnerabilities ripe for remote exploitation by hackers, thieves, and state-sponsored actors. This process should be done at the design phase of any IoT device.

Another proactive step that IoT manufacturers should take to protect their devices is to employ engineers and developers that are able to think like cyber attackers and understand how to exploit their own devices. Security training on exploiting embedded software is the key to their success.

Effective embedded firmware security training is live, hands-on instruction that combines lectures and labs in which students hack off-the-shelf devices that are already on the market. Students will learn to protect their companies’ embedded devices and join others who have a stake in security.

Having an IT staff solidly educated in cybersecurity is not only a good business practice but is effectively required by law.

As discussed below, the Federal Trade Commission (FTC) includes security personnel practices in its IoT security guidelines, and states’ attorneys general are taking action against IoT companies that do not secure their devices.

The Law Mandates Secure IoT Devices

The Federal Trade Commission

As the number and powerful effects of IoT exploitations surge, companies must shore up their security on embedded devices to mitigate risk.

Failure to do so violates the Federal Trade Commission Act (FTC Act), which prohibits “unfair” and “deceptive” acts or practices affecting commerce. Violations of the FTC Act can result in substantial fines and other sanctions on the parties responsible for securing IoT devices—typically, the manufacturer, importer, or vendor.

The FTC has brought hundreds of cases in which it sought to protect the privacy and security of consumer information. In these enforcement actions, the FTC has alleged that various companies acted deceptively in violation of the FTC Act by, among other things, failing to provide reasonable security for consumer data.

One of these cases involved a company whose vulnerable software enabled hackers to use malware that allowed access to consumers’ usernames and passwords for financial accounts. The company informed its customers that updating the software would make its systems secure, but the updates only removed later versions of the software, leaving in place older software that could be easily hacked.

In order to mitigate the possibility of legal violations, the FTC has issued some recommended best practices for IoT device manufacturers. These include security by design, security risk assessments, security testing measures and security personnel practices.

The Federal Communications Commission

Late last year, the FCC commenced a rulemaking in which it sought comment from all interested stakeholders concerning the best methods to ensure the security of the IoT infrastructure. The FCC was fundamentally concerned with the roles and responsibilities each IoT stakeholder should have; it intended to promulgate new cybersecurity rules for IoT providers.

That proceeding began under former FCC Chairman Tom Wheeler. The new Chairman Ajit Pai discontinued the rulemaking with virtually no explanation. The FCC may recommence this proceeding, but as of this writing no specific timeline has been announced.

Cybersecurity Laws May Be Written by State Attorneys General

The New York State Attorney General recently took the unprecedented step of taking legal action against a wireless security company for failing to implement adequate security in its IoT devices. The case involved a wireless lock company, which ended in settlement after the company agreed, among other things, to implement a stringent cybersecurity compliance program.

The crux of the case is that the company’s locks had substantial security deficiencies, in spite of its advertising that the locks protected belongings by securing areas. This violated New York state laws that prohibit deceptive acts or practices and false advertising, and that give the Attorney General power to enjoin repeated fraudulent or illegal acts.

The lawsuit began when researchers reported in August 2016 that the company did not encrypt its users’ passwords when transmitted from a smartphone to the locks, and did not force users to reset default passwords, which could be discovered easily by brute force attacks.

The settlement requires the lock company to implement a comprehensive security program, including encrypting all passwords and prompting users to change default passwords during the initial setup.
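The control described here (no service on a factory-default password until setup replaces it) also closes the default-credential entry point Mirai relies on. The sketch below is an added example, not code from the settlement or from any vendor; the class, the constructed default password "admin", and the length threshold are assumptions for illustration, and encrypting the password in transit is outside its scope.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"   # constructed factory password, for illustration only
MIN_LENGTH = 10             # assumed minimum length for the owner's password


class DeviceAuth:
    """Credential store for a hypothetical connected device."""

    def __init__(self):
        # Only a salted hash is kept, never the password itself.
        self.salt, self.digest = self._hash(FACTORY_DEFAULT)
        self.provisioned = False  # True once the owner has replaced the default

    @staticmethod
    def _hash(password, salt=None):
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return salt, digest

    def _matches(self, password):
        _, candidate = self._hash(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)  # constant-time compare

    def complete_setup(self, current, new):
        """First-boot step: the default must be replaced by a different, longer password."""
        if self.provisioned or not self._matches(current):
            return False
        if len(new) < MIN_LENGTH or new.lower() == FACTORY_DEFAULT.lower():
            return False
        self.salt, self.digest = self._hash(new)
        self.provisioned = True
        return True

    def login(self, password, remote):
        """Remote logins are refused outright until setup has replaced the default."""
        if remote and not self.provisioned:
            return False
        return self._matches(password)
```

Before setup, the default password works only on the local setup path (`remote=False`), so a device exposed to the Internet in its factory state cannot be logged into over the network.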

Endure and Thrive in the IoT Security Tsunami

The IoT cyber attack pandemic is bad, and until IoT providers impose sufficient security measures in their devices, it will only get worse.

The importance of IoT suppliers evaluating and securing the firmware in their devices and taking other security measures cannot be overstated. Failure to do so leaves suppliers vulnerable to violations of the FTC Act and, increasingly, state laws.

IoT suppliers should also remain aware and informed of the ever-changing IoT regulatory and legal landscape. A good cybersecurity attorney can assist you with risk assessment and management, as well as best practices to ensure compliance with the latest laws and policies.

The IoT security tsunami is real. IoT providers must understand the specific risks to their companies and work diligently to mitigate them. IoT companies that ignore the cybersecurity threats do so at their peril.

 

Author
Ronald Quirk
Ron is an IoT attorney with the law firm of Marashlian & Donahue, PLLC, focusing his practice on serving the complex legal and regulatory requirements of various IoT industry players. Ron specializes in broadband infrastructure siting, spectru...