There’s an increasing push to add internet connectivity to all sorts of different home and office devices:remote-controllable and automatically adjusting thermostats and lights, refrigerators that report in with current stock data, and trash bins that signal when they need to be emptied, just to name a few common examples.
Prior to last year, asking why you would ever need to secure your trash bin would have been a valid question. The October attack that took cloud hosting service Dyn (and its clients, such as Reddit and Twitter) offline for much of a day should have made clear why security of the entire Internet of Things (IoT) is important.
IoT malware is real, and it is widespread. If a device has the ability to connect to the internet, then it has the ability to be incorporated into a “botnet,” or a massive collection of devices that can all be directed to make demands on a particular website or server at once. The strain of this massive amount of added traffic is too much to bear and takes them offline for a period of time, as happened to Dyn when it was hit by the notorious Mirai botnet, a collection of more than 100,000 “zombie” devices that continually stand by waiting for commands.
IoT devices are targeted for botnets because their security is generally somewhere between poor to completely nonexistent. Some have no password protection whatsoever. More commonly, they have a password, but it’s set at the factory and can’t be changed. They also don’t have active filters against attacks, nor do they receive regular security updates and patches in the way that operating systems for computers and mobile devices do. That means that when a hacking exploit is found for a particular device, there’s basically no way to update it to defend against it. If you can take over one device of that type, you can theoretically take over any that you can manage to reach over the internet.
It’s also hard to tell when your IoT device has been infected. When you get malware on a computer, it usually makes its presence known either directly or indirectly. For example, ransomware will get straight to the task of messing with your files, while a keylogger or something that sends files to a remote server will often bog down the computer and cause it to perform poorly. You’ve also probably got anti-malware or antivirus software installed that can provide a warning. None of these things is true with just about all of the current IoT devices. They’ll just keep quietly performing their normal duties, with no indication that they’re also being used by a remote hacker to cripple websites on the side.
The Future of IoT Malware
So far, the major malware threat has been a bunch of poorly secured devices in the home being weaponized against web servers. There’s an even greater potential threat lurking, however, and one that businesses in particular need to take note of. A compromised IoT device represents a potential backdoor for an attacker to slip into a network through. If the device has access to your business network and is trusted, in theory it could be used as an exploit.
Right now, IoT devices designed specifically for businesses are really no better secured on average than devices meant for the home are. The market actually drives manufacturers away from security, as most of these devices are manufactured in China where the companies producing them are in a continual cost-cutting war with each other. Proper security is generally just seen as too expensive to add.
That doesn’t mean that businesses needing to incorporate IoT devices into their network have to just roll over and take it, however. One option is to maintain a firewall between all IoT devices and the other portions of your business network. This isn’t a complete failsafe, however, as a compromised device might be able to execute code that can in turn penetrate the firewall. The safest bet at present is to have all IoT devices on their own separate network from which they can’t touch your business systems. Needless to say, they should also all be checked to make sure they aren’t still running the default password.
Tie National, LLC offers comprehensive business services including network security. If you’re interested in learning more about how to secure your business network from emerging threats, feel free to contact us with any questions you may have.