As many topics in the infosec field, IoT security will get rehashed until people outside the industry start paying attention and do something about it. A little over a year passed since the Mirai botnet took down major websites through a DDoS attack of unprecedented scale.
Now, another massive IoT botnet threatens to cause even more damage and infosec people know the risk is real, FUD headlines aside. Naturally, we couldn’t miss IoT security as a discussion topic at DefCamp this year! That’s why Sabin Potîrcă, Technical Project Manager in the Experimental Research Unit at Bitdefender, will join us on stage in less than two weeks. Of course, we just had to probe Sabin’s experience on the topic and help share some actionable advice for the people beyond the industry’s confines.
It all starts with the widespread, “blissful” ignorance that most end users have for securing their IoT devices. Sabin believes that:
“usually, people associate security with their computers and phones. They don’t fully understand the valuable information that is available on simpler IoT devices.”
Will it take another IoT botnet-fueled attack make IoT security a pressing matter for both software and hardware makers and the users who buy these products? Sabin believes there are two fronts here:
“1. Consumers – They need to be educated about the dangers that come with poorly secured connected devices
2. Regulators – As there are mandatory regulations when it comes with devices that use Radio Frequencies, there should also be regulations related to cyber-security for connected devices (IoTs).”
Complex as it may sound (because it is), IoT security often breaks at a point where so many other security layers fail:
“ The most common points of entry [for attackers] are default passwords and weak (or the lack of) encryption.”
From an everyday user’s perspective, things seem rather harmless. This happens because of the user’s disconnect from the bigger picture. “One of the most common consequences that is somehow invisible to the user is the fact that vulnerable devices can be part of a larger botnet (see Mirai for instance) that actually do a lot of harm to a wider audience.”
Another aspect that IoT users don’t see if their dependency on device manufacturers.
This aspect is most visible in the case of a security compromise. “Usually, the most common restoration process requires an update from the IoT vendor. While it’s not necessarily a generic problem, we’ve seen cases with vendors that have not patched their software even years after vulnerability disclosure.”
Given the responsibility that manufacturers have over the devices they sell, we asked Sabin if regulation could help stop the overflow of unsafe IoT devices on the market.
“If not stop, at least greatly reduce the speed with which unsafe IoTs reach the market. The reason is that, in a large portion of cases, the vulnerabilities are trivialities when it comes to security and securing one’s device. We’ve seen bugs and vulnerabilities that resemble cases from more than 20 years ago. While a security specialist considers those vulnerabilities “common sense”, it seems that the plethora of companies that develop their own firmware/software have missed that train :)”
Since IoT devices made their way into organizations years ago, this brings out another discussion topic:
To what extent are companies that have bought and currently IoT devices entitled to demand improvements in security post-purchase (maybe after they realize what’s at stake)?
Sabin mentions that “this is a grey area”. “While, for most devices, the EULA specifies that the vendor is not responsible for the damages that any bug in the Hardware of Software may incur, there have been cases when vendors got penalized for not offering a timely update for grave security issues.”
Sabin has the next security challenge he wants to work on already in sight:
“For me, I think that the upcoming GDPR regulation will be “interesting” to say the least. This regulation is obliging businesses to comply with new requirements or risk a fine of four percent of their annual revenue. To comply, businesses all over the world need to identify any data that falls under GDPR control, document how this data is secured, and create comprehensive policies around privacy rules and rights. It’s definitely a step in the right direction, but will it be enough?”
That’s a cliffhanger that will definitely spark many debates at DefCamp. Until we get to it, make sure you don’t miss Sabin’s talk on Remote Attacks against IoT and take advantage of the last days of normal ticket prices. November 1st and the new prices are approaching fast!
The interview & editing was made by Andra Zaharia.
DefCamp 2017 is powered by Orange România and it’s organized by the Cyber Security Research Center from Romania (CCSIR) with the support of Ixia, a Keysight Business as a Platinum Partner, and with the help of Bitdefender, SecureWorks, Amazon, Enevo Group and Bit Sentinel.