Cyber security: Is the honeymoon period over for the IoT?

Jan van Vliet, VP and GM EMEA at Digital Guardian, examines the growing trend of ransomware attacks on IoT devices and discusses how the IoT industry’s shady security past could catch up with it in 2018.

This is a contributed article by Jan van Vliet, VP and GM EMEA at Digital Guardian 


2017 was a landmark year in the evolution of the Internet of Thing (IoT), but not for positive reasons. Unfortunately, it marked the first time that it was successfully targeted by a large scale cyber-attack, in the form of the Mirai Malware, which recruited IoT devices into a network botnet that was used to create large-scale, disruptive denial-of-service attacks all over the world. At the same time, another major IoT security red flag was raised by a group of researchers at the Def Con Hacking Conference, who successfully demonstrated it was possible to lock an IoT enabled thermometer with a targeted ransomware attack.


Traditional ransomware vs IoT ransomware

Before going any further, it’s important to distinguish between the traditional ransomware attacks typically found on PCs and servers, and the type of ransomware attacks starting to emerge on IoT devices. The former infects the target computer or device and then encrypts key data before asking the victim to pay a ransom in exchange for unlocking it again. While it can be possible to use data backups to restore devices without paying the ransom, in many cases victims are forced to cede to the attackers demands, which is why the ransomware industry is considered such a profitable criminal enterprise. 

The aim of IoT ransomware is different. Due to their nature, few, if any IoT devices hold meaningful amounts of sensitive data on them, rendering the traditional style of ransomware attack redundant.  As a result, attackers have been forced to change tack, instead focusing on using ransomware to lock users out of their devices completely. On the surface this may seem like more of an inconvenience than anything else, but when considered in the context of the example above from Def Con, being locked out of your home’s thermostat in the dead of winter could have significant consequences. When applied to a larger scale example such as the thermostats controlling refrigeration units in a food storage warehouse, or a data center air conditioning system, the motivation behind (and threat posed by) this new form of ransomware starts to become clear.


The IoT’s dubious security history

Unfortunately, the reality is that a huge number of the IoT devices currently in operation are extremely vulnerable to this form of attack. Why? In their rush to surf the crest of the IoT popularity wave over the last few years, manufacturers and vendors were creating and selling millions of IoT devices as fast as they could, with device security seen as little more than an afterthought.  As a result, the majority of devices out there today have default credentials, use insecure configurations and protocols, and are notoriously hard to upgrade, making them extremely easy to compromise.

To make matters worse, the appearance of low-level protocol hacks such as KRACK are providing attackers with new ways to bypass and compromise IoT infrastructure and inject or manipulate data found within devices. This will have serious implications if the devices need to synchronize or receive control messages from a cloud application, with manipulated data potentially sending incorrect settings or actions back to the device.

When considering the deployment of any IoT devices both now and in the future, a comprehensive evaluation of device security from a variety of different angles is now an absolute necessity. At the very least the evaluation should cover the following three areas:

  • Hardware: Physical security should always be a key consideration when evaluating any new device. Integrating tamper-proofing measures into device components means they can’t be accessed and decoded without permission. The inclusion of physical switches can also allow the user to turn off certain features if required, such as a mute button for any devices that feature microphones or audio receivers.
  • Software: Ensure that the manufacturer of any new device is adhering to strict software security code of practice. This should include the ability to update or patch the device remotely as/when needed, providing a good degree of future proofing.
  • Network: Secure protocols such as HTTPS should always be in place for any data exchange between the IoT device and backend management or storage solutions. Strong authentication methods should also be used, and any default credentials that came with/on the device should be immediately changed to strong alphanumeric alternatives. 

When the IoT was in its infancy, everyone was too excited about its potential to worry about future security issues, but now that the honeymoon period is over, manufacturers, vendors and users of the IoT all over the world need to start taking security much more seriously. Implementing basic security principles such as those mentioned above go a long way to defending against many of the emerging threats such as the new wave of ransomware attacks seen in 2017. However, if the IoT is to become truly secure, it’s time to start treating it just like any other IT system and ensuring the protection in place is as robust, effective and long term.