With the growth we are seeing of IoT enabled devices, every company wants to get in and hop on the bandwagon. The first few companies are the pioneers, taking risky steps and spending to make their devices smart. Eventually C-level people see the opportunity and realise that being relevant in the IoT space is critical. When the product line starts to stand out for not being smart, there is a scramble to overhaul the existing portfolio of devices. However that push to overhaul a product portfolio and make it smart can have some security risks along the way.
Two of the biggest levers which can have an influence on IoT security are the mechanics of the device, and the access to the device itself. Let’s think back to a couple of months ago, when a large number of IP cameras and other connected devices fell under control of a botnet, and launched a series of DDoS attacks to Dyn, a company that provides technology services to some of the biggest sites on the net.
This attack, like many others, used both of those levers. Firstly, the mechanics of the device. These cameras were built by a company that didn’t place a priority on device security. All the IP cameras were shipped with a default admin password which could be accessed from any IP. The company decided to not consider the implications of having devices open on a large scale, instead advising the end user, at configuration time, to lock down the device by setting a password and defining an access list. However a lot of end users, did not change the default settings – a case of “if it ain’t broken, don’t fix it”. The botnet “Mirai” used this vulnerability to infect the devices (Mirai is designed to scan IP ranges and when it sees an open port, it tries to connect with a list of about sixty default passwords and then install itself on the device).
The second lever was access to the device. The IP cameras were on networks which permitted access from the Internet, immediately making the device accessible from any system in the world, just like a web server. It’s likely that the main use case for a setup like this was that the end user wanted to be able to access the IP camera remotely, while off the local network, and the easiest way was to provide a public IP address directly to the device itself. This is quite a common occurrence – the provision of a public IP can easily satisfy a single requirement (e.g. inbound remote access), however it introduces with it a list of security considerations which are later forgotten, once the requirement is satisfied. It’s important that when a device is exposed to the Internet, it’s absolutely clear what needs access to the device and what needs to block everything else.
There’s not much a service provider can do for the first lever – that is down to the manufacturer and end user – but for the second lever, a service provider such as Pangea can help with the access. For example, at the consulting stage it could have been suggested devices keep private IP addresses but within their own private APN (“Access Point Name” – like a VPN) to the customers data centre. This means that the customer would get the advantage of cellular connectivity but with end to end connectivity between their company network resources and the cellular devices.
Alternatively if the customer needed public IP addressing, Pangea can facilitate that but also (in addition to the device security), introduce a network level firewall to assist in blocking unwanted traffic before it reaches to the cellular device. his helps another attack vector – overloading the device with connection attempts until it falls over and crashes or somehow allows access.
Forrester predicts that in 2017 hackers will focus even more on enabling the growing base of IoT devices and initiating a massive DDoS attack. On a more positive note, a lot more IoT security coherence and certification between service provider and manufacturer should see the start of getting a handle on this growing problem.
Pangea is keen to be part of the solution when it comes to security in the IoT environment. We want business to grow and realise their connected dreams, while being safe and responsible at the same time. If you have any questions around the security of your existing IoT deployment, or want to know more about customer APN’s, public IP services or have an IoT deployment in mind, please get in touch!