According to a survey by PricewaterhouseCoopers, almost 70% of connected IoT devices lack fundamental security. According to analyst firm IDC, “the number of IoT devices will grow from approximately 6 billion in this decade to 28 billion in 2020 — a staggering number. The market for wearable smart devices alone is expected to increase at an average rate of 60% per year to $20 billion in 2017.”
In this third installment of Securolytics’ series on IoT device security, we look at a major issue with IoT devices: the software patching process or, often, the lack thereof.
IoT’s Rough Patch
All devices with complex software have vulnerabilities that will be exposed over time and will need to be patched. Unfortunately, many, if not most, IoT devices have no automatic software update capability, and many have no user interface to manage the update process manually. How do you know if there are patches that need to be applied to your WiFi and Bluetooth-enabled door lock? And, even if you knew that there were issues that needed to be addressed, how would you update the firmware? The issue promises to get worse as connected devices become both more common and less expensive.
Currently, many IoT devices are relatively expensive, “luxury” items aimed at early adopters: think Fitbit, Google Nest and Amazon Echo. The companies marketing these products have active customer support departments and internal software development teams offering regular software and feature updates. However, as more and more commodity-type items gain Internet connectivity, expect to see devices marketed by one company, with hardware manufactured by one or more third-party manufacturers, and embedded software provided by yet another set of companies, all oriented toward having the lowest up-front cost, greatest “ease of use” (less security hassle), and little to no support after the sale.
This trend is exemplified by the security cameras and DVRs used in the DDoS attack against French hosting provider OVH and security journalist Brian Krebs last month. In March 2016, security researcher Rotem Kerner analyzed a single type of DVR firmware used across 70 different brands, and identified vulnerabilities which could be easily exploited for a complete compromise of the DVR. These camera systems had already been implicated in a 2013 attack against point-of-sale systems, in which the cameras were used as an entry point into the networks of retailers. Kerner managed to track down the company that actually provided the bundled hardware and software, Chinese company TVT, but received no response to his inquiries informing them of the specific issues. No patches or updates were forthcoming. These devices, numbering in the tens or hundreds of thousands, are still connected to the internet, still compromised, and still available to be used for attacks.
Even more disturbing, the majority of the devices used in the attack on OVH were not compromised in this manner. They were simply compromised because the Web server software embedded in the DVRs uses well-known, hard-coded admin usernames and passwords. A significant percentage of users are not going to go through the hassle of changing the passwords from the default settings, even when connecting the DVRs directly to the Internet. A hacker found the hard-coded credentials for several models, then created a script to crawl the internet, find devices that responded as camera systems would, and try the default usernames and passwords. A half-million compromised devices later, he was able to leverage the DVR botnet to launch the largest DDoS attack on record. This was not rocket science, as how-to videos for camera hacking via password guessing have been posted for years.
So what is a business to do to ensure IoT devices on their networks are not compromised and used in this manner? Do you know what devices you have on your network? Could one or more of the devices on your network be used to attack you or anyone else? And, if compromised, do you know what data on your network can be exfiltrated?
The experts at Securolytics can help you answer these questions with www.zerotosecure.io. We are at the forefront of protecting our clients, from large organizations to medium-sized corporations, from IoT cyber-crime.
With zerotosecure.com as your partner, we can look at typical IoT behavior and if your device acts outside of the norm, we can correct the issue before it causes damage. We can stop your IoT devices from being compromised and used in the way hackers attacked OVH.
Our cloud-based threat detection and analytics platform is purpose-built to address gaps in perimeter-based defenses by identifying the symptoms of a , malware infection, data breach and criminal activity through and anomaly detection and behavioral analysis.
Contact us. From large enterprises to small businesses, you can be ahead of the curve against IoT cyber-crime.