The pushing of billions of insecure Internet of things (IoT) devices into the market has already “poisoned” the Internet with a level of vulnerabilities that will be hard to claw back from, one security specialist has said in warning that “the damage is already done”.
Businesses and consumers had rushed to install connected video cameras, home appliances, smartwatches and other IoT devices based on an underlying assumption that their manufacturers were managing security correctly, Fortinet global security strategist Derek Manky told CSO Australia – but this assumption was simply wrong.
“I think it’s completely backwards,” he explained. “These devices should be inherently not trusted because they’re the largest culprits that we see for attacks. They’re wide open for attack, there are no patches available, and most of these devices already live in enterprise networks. They can be used as launchpads [for other attacks] because they’re not security-inspected traditionally.”
A new analysis from Gemalto has highlighted the overall threat that IoT poses, particularly in Australia – where 43 percent of respondents said they are spending between 5 and 20 percent of their IoT budget on security.
Some 57 percent of respondents said they are increasing their security offering as a result of greater IoT investment, with just 53 percent saying they encrypt the data that their IoT devices produce. Australian respondents were far more likely than the global average to put responsibility for security onto developers of IoT APIs, with far fewer Australians putting the onus on IoT security specialists, manufacturers, or cloud service providers.
Australian companies were more likely than overseas peers to blame the complexity of IoT security on issues such as the high cost of IoT security (named by 47 percent of respondents) and the volume of data being collected (44 percent) but were far less concerned about the lack of external guidance or regulation on how to secure IoT.
Growing concern about IoT security has driven initiatives for stricter security testing and labelling regimes, with bodies like the Internet of Things Alliance Australia (IoTAA) and the European Union Agency for Network and Information Security (ENISA) among the bodies tackling the issue.
Businesses often previously installed IoT-like devices on airgapped networks that minimised their exploitability to outside intruders. However, the growing demand for connectivity and manageability of such devices had produced unintended security vulnerabilities – and black-hat hackers, he warned, are wasting no time tapping into automation and artificial-intelligence technologies to find and exploit them.
“For the vast majority of consumers, patching software on a smart device, or updating its firmware, is something they won’t be aware of, and may not understand how to do,” warned RIoT Solutions managing director Rob Merkwitza, who warned that recent exploits like the KRACK Wi-Fi vulnerability had exacerbated the potential vulnerability of IoT devices that tend to favour Wi-Fi as their connectivity method of choice.
In industrial scenarios, Merkwitza added, “there’s the mentality that if something isn’t broken, then it shouldn’t be fixed. Managers of industrial Internet of Things (IIoT) equipment may not realise that their devices are vulnerable to the attack, and so they won’t patch them.”
“Industrial systems that are going to be updated also need to be handled carefully because of the dependencies associated with the equipment. Careful testing, to make sure that everything keeps working after a patch has been issued or firmware made available, will have to be carried out.”
All-out AI war. Even as IoT security guidelines expand over time, the continuing introduction of the devices was driving fundamental changes in network configuration and management that can create significant, ongoing problems as attackers get even better at exploiting them.
Increasing intelligence in attack code allows attacks to, for example, identify IoT targets by model and then deliver a customised payload specific to that particular device. This commonality of code is allowing them to assemble many types of devices into ever-bigger botnets, such as the more than 100,000-strong network created by the recent Mirai-derived Persirai malware, in an extremely short time.
“The blackhats are using automation and intelligence as a tool to make the time to breach less than ever,” Manky said.
The potential damage caused by such activities was compounded because, he offered, many CISOs are still failing to identify their ‘crown jewel’ data assets and segment them away from exploitation by compromised devices. This had left critical databases coexisting on networks with exploitable IoT devices – and once hackers start using those devices as conduits into a corporate network rather than harnessing them for outward-facing botnets, data breaches are inevitable.
“Because of automation on the black-hat side, there are security events generated left, right, and centre,” Manky said. “CISOs say there is too much noise – which is why we need to be much more advanced in terms of white-hat security solutions.”
Growing integration of AI algorithms and techniques – a recent Teradata study found 70 percent of businesses are seeing benefits from use of AI in security and governance, or expect to – is revolutionising business applications as well as cybersecurity defences. This process, Manky warned, was fuelling an AI ‘arms race’ that is rapidly turning the whole process of network defence into a “war of AI” that would pit malicious AI engines against algorithms that have been tuned to detect and block those attacks.
“It comes down to time-to-breach versus time-to-respond,” he said, “and how quickly you can find a threat, defend it and shut it down using the kill-chain cycle.”