The recent massive DDoS attack on Dyn, an Internet infrastructure company whose DNS service many large sites depend on, disrupted access to Twitter, Spotify, Reddit, Amazon, Netflix, PayPal, and a host of other well-known sites.
With attacks like this, hackers have shown they can harness the collective firepower of Internet-connected devices such as CCTV cameras and DVRs to launch highly distributed attacks that, according to Dyn's own early estimates, involved tens of millions of IP addresses. With the proliferation of these so-called Internet of Things (IoT) devices, the potential impact is sobering. According to Gartner, the number of IoT devices in use grew nearly 70% over the past two years to 6.4 billion, and is expected to reach 20.8 billion by 2020.
Now that the source code of malware such as Mirai and Bashlite has been released to the public, hijacking IoT devices for use in botnets is likely to become the new normal. So why are IoT devices so vulnerable?
With the fast pace of growth in the IoT industry, security has not been a priority, much less a requirement, for IoT devices. In the rush to bring devices to market, some manufacturers have taken shortcuts such as hard-coding default passwords into firmware. A password the owner cannot change is effectively a shared secret for every unit the vendor ever shipped, so any such device reachable over telnet or a web interface can be taken over by anyone holding the vendor's credential list, and no amount of configuration by the owner can prevent it. Even when the default password can be changed, most end users never do so: a DVR or camera that has been conscripted into a botnet usually keeps recording and streaming normally, so the owner sees nothing wrong as long as it is functioning properly.
As these large-scale DDoS attacks become more common, IoT manufacturers and retailers will feel the negative impact. Worse, so will their supply chains.
Many of the compromised devices used in the Dyn attack were built on components from a Chinese company, XiongMai Technologies. XiongMai boards and firmware are sold downstream to other vendors and incorporated into products carrying those vendors' brands. As a result of the publicity around the attack, XiongMai issued statements acknowledging the role its devices played and mentioned a potential recall of millions of its network cameras.
IoT devices used to optimize supply chain monitoring and performance can themselves become weak links in the supply chain. IoT sensors are now used to ensure packages arrive on time, to keep food at optimum temperatures while in transit, and to alert shop-floor managers to malfunctioning equipment. While millions of data feeds from these sensors bring more insight into the supply chain, they also open additional avenues for malicious exploitation.
Since supply chains often span multiple companies and even continents, a global standards body for defining IoT cybersecurity is needed. Various cybersecurity experts have recommended IoT security certification standards similar to the safety certifications Underwriters Laboratories (UL) issues worldwide for electrical products such as lighting.
In fact, the European Commission, recognizing the need for stronger IoT cybersecurity, is drafting a proposal for a labeling system that rates the security of devices connected to the Internet, similar to the current EU energy-consumption ratings for appliances. The IoT proposal, slated for release this month, is part of the plan to overhaul the EU's telecommunications laws.
U.S. lawmakers are also urging the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) to respond to the threat of insecure IoT devices, stating that “we are witnessing a tragedy of the commons threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.”
So what can you do in the short term to protect your supply chain, or your brand if you are an IoT retailer? With the many “handoffs” along a supply chain, from raw material sourcing to the delivery of finished goods, visibility into your supply chain is key.
You need to understand how your devices are sourced and who is supplying the components that go into your IoT devices. Understanding your supplier connections, whether first-tier or third-tier, will help you identify suppliers with lax security, because, as the XiongMai case shows, the weakness may sit in a component your direct supplier bought from someone else.
Work with your IoT suppliers to come up with mutually agreeable “good-to-go” certifications that establish a minimum security baseline for devices. At a minimum that baseline should rule out hard-coded or shared default credentials, require a credential change before the device goes into service, keep unnecessary management services such as telnet off the network, and guarantee a way to deliver firmware updates. Keep abreast of supplier news and IoT cybersecurity legislation so that you stay current on the latest security standards, product security requirements, and supplier non-compliance.
If you have IoT devices in use within your organization, engage your IT security department to conduct risk assessments of these products. These periodic audits can include vulnerability assessments and penetration testing of those devices to confirm that adequate security controls are in place and to protect the data residing in your IoT systems.
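As an added illustration (this code is not from the original article and is not any vendor's tool), the following Python script shows the kind of check such an audit could run over a device inventory: it flags devices that still answer to factory default credentials, distinguishes the merely misconfigured case (the password can be changed) from the hard-coded-in-firmware case described earlier (it cannot, so the device must be isolated until the vendor ships a fix or the unit is replaced), and flags plaintext management services that botnet scanners probe first. The device names, addresses, credential pairs and the simulated login check are all constructed for the example; a real audit would drive the same logic from network scans and a vendor-specific credential list.

```python
from dataclasses import dataclass

# Constructed placeholder factory credential pairs used for this illustration.
# A real audit would use a vendor-specific list for the devices in scope.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

# Management services a botnet scanner typically probes first: plaintext telnet
# (standard and alternate port) and the unencrypted web admin page.
RISKY_PORTS = {23: "telnet", 2323: "telnet-alt", 80: "http-admin"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Device:
    """Constructed inventory record for one device on the network."""
    name: str
    ip: str
    username: str
    password: str
    password_changeable: bool   # False models a password hard-coded in firmware
    open_ports: frozenset


def login(dev, username, password):
    """Simulate the device's login check. A fixed-string comparison is exactly
    what hard-coded-credential firmware does; the audit treats the device as
    a black box and only observes whether a credential pair is accepted."""
    return dev.username == username and dev.password == password


def check_device(dev):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    if any(login(dev, u, p) for u, p in DEFAULT_CREDENTIALS):
        if dev.password_changeable:
            findings.append(("high",
                "default credentials accepted; change the password"))
        else:
            # Nothing the owner configures can fix this: the secret is shared
            # with every unit the vendor shipped.
            findings.append(("critical",
                "default credentials hard-coded in firmware; isolate the device "
                "until the vendor ships a fix or the unit is replaced"))
    for port in sorted(dev.open_ports):
        if port in RISKY_PORTS:
            findings.append(("medium",
                f"{RISKY_PORTS[port]} reachable on port {port}; disable or firewall"))
    return findings


def audit(inventory):
    """Map each device name to its findings."""
    return {dev.name: check_device(dev) for dev in inventory}


def prioritized(report):
    """Flatten an audit report into (severity, device, message) tuples,
    most severe first, so remediation starts with the worst offenders."""
    items = [(sev, name, msg) for name, fs in report.items() for sev, msg in fs]
    return sorted(items, key=lambda t: (SEVERITY_ORDER[t[0]], t[1], t[2]))


# Constructed sample inventory: a camera with an unchangeable factory password
# and telnet exposed, a DVR still on its default login, and a cold-chain sensor
# that was provisioned properly.
SAMPLE_INVENTORY = [
    Device("cam-lobby", "10.0.5.11", "admin", "admin", False, frozenset({23, 80})),
    Device("dvr-warehouse", "10.0.5.20", "root", "root", True, frozenset({80})),
    Device("sensor-coldchain-3", "10.0.7.3", "ops", "Gz8!rq4Lw#v", True, frozenset({443})),
]

if __name__ == "__main__":
    for sev, name, msg in prioritized(audit(SAMPLE_INVENTORY)):
        print(f"[{sev.upper():8}] {name}: {msg}")
```

Running the script lists the lobby camera first as critical, then the warehouse DVR as high, with the exposed telnet and HTTP services as medium findings; the properly provisioned sensor produces nothing. The split between "high" and "critical" is the practical point: a default password that can be changed is a ten-minute fix for the owner, while one baked into firmware is a supplier problem that only a firmware update, a recall, or network isolation can address.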