Experts at RSAC 2017 warn that the IoT Insecurity threat is real
The last three days of RSA Conference 2017, was sprinkled with references by various experts to the Mirai Botnet and how it exploited weak security on a range of Internet of Things (IoT) devices.
In the case of the Mirai Botnet, as known to many, the casualty of the DDos Attack, as identified, was the servers of Dyn, a company that controls a large pie of Internet's Domain Name System (DNS) infrastructure that brought down sites including Twitter, Reddit, Netflix, among others. Unlike other botnets, the Mirai Botnet was composed of simple IoT devices, such as digital cameras and DVD players.
According to the Ericsson Mobility Report 2015, in total, around 28 billion connected devices are expected by 2021, as opposed to their earlier claim of 50 billion devices by 2020. There's no doubt that the number of connected devices is increasing, mostly driven by a growing range of applications and business models, and supported by falling modem costs.
Whether it is 28 billion or 50, numbers matter, and that raises an important question: Can we secure the IoT in time to prevent another cyber-attack?
While discussing the 'Seven Most Dangerous Attack Techniques' at a panel on Wednesday at RSAC 2017, Ed Skoudis, a Fellow with the SANS Institute, a company that specializes in information security and cyber security training, said that malicious actors can now organize IoT devices as bot armies that are capable of taking down almost any organization or hold its data hostage.
As Gartner pointed out in its 2016 survey, IoT will move towards mainstream adoption. Less than a third (29%) of organizations were using IoT in 2016; however, an additional 14% were planning to implement IoT by 2017, with an additional 21% planning to implement after 2016. This brings the total percentage to 64%.
This is call for concern, if not panic.
Speaking at the panel, Johannes Ulrich, Director of SANS Internet Storm Center, said that small IoT devices aren't powerful enough to generate strong encryption, which makes them susceptible to the Mirai Botnet natured attacks. Ulrich stressed on the need to develop tailored algorithms to encrypt such devices.
A survey conducted by SANS Institute two years ago, noted that the success of IoT depends on emerging standards and acceptance. Clearly an ad hoc collection of IoT devices without security-oriented standards will be a total mess.
In a SANS 2016 Endpoint Security Survey, respondents said that they were still confused whether the types of devices respondents are connecting to their networks can be considered endpoints and whether they need protection policies.
The survey also noted that the sophistication of devices themselves is growing, along with recognition that these endpoints are an attack vector. Unfortunately, the embedded technology in these endpoints is often substantially different from that in conventional end user devices. For that reason, the protection technology is also different. As a result, end-point agents are not as standardized, and sensors are not as easy to integrate into a larger end-point protection solution.
At RSAC 2017 panel, Skoudis said, as the insecurity in IoT intensifies, more vendors will start issuing recalls for vulnerable devices, and that could force smart device manufacturers to take cyber security more seriously.