How Secure Is Your IoT Deployment?

The most recent distributed denial of service (DDoS) attack has people talking about the security vulnerabilities in the Internet of Things (IoT). Should people disconnect their nanny cams and turn off their smart thermostats? And do industrial IoT deployments have the same weaknesses?

First, let’s look at what actually happened. The unknown attackers took advantage of the fact that many people don’t bother to change the factory settings on their Internet-ready devices. The attackers began with “botnet herding,” trolling the Internet to identify devices that could be compromised—and they found millions of cameras and other devices with default passwords that they could use as part of a botnet. They targeted Domain Name System (DNS) provider Dyn with a barrage of DNS lookups from these compromised devices. The spike in traffic caused massive performance issues, so frustrated users refreshed their browsers, causing even more traffic. It took Dyn several hours to find a fix that worked, leaving popular sites like Twitter, Spotify, and Netflix down for most of the day.

So what lessons can we take away from this incident?

Four things come to mind:

1. It shouldn’t be an option to use the default password on Internet-connected devices. IoT manufacturers should require a password change during the setup process, and they should require a certain level of complexity in the password as well. This step alone would have prevented the botnet herder from finding devices to exploit.

2. Organizations should not depend on just one DNS provider. Use multiple providers so if one is attacked you can automatically go through another one.

3. Passwords alone don’t prevent this sort of attack. Often, in the course of releasing a product, IoT manufacturers identify security vulnerabilities but don’t fix them until the next update is released. Manufacturers should either fix known vulnerabilities before they ship the product, or they should force the user to check for updates during setup. Some manufacturers, such as Nest, actually provide automatic updates so the user never has to think about it. (But, of course, if you do that, your software quality has to be extremely good.)

4. Isolate the critical components of a system from the interface components. In a car, for example, the “infotainment” system should be isolated from the safety and operational components that control the airbags or self-driving functions. You don’t want a hack of the radio to compromise the safety of the passengers.
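
One way to check lesson 2 across your own zones, as an added example that is not part of the original article: group each zone's nameservers by operator and flag any zone that depends on a single DNS provider. The zone names, nameserver names, the two-label provider heuristic and the vanity-name map are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: zone -> NS hostnames from its delegation.
# All names are placeholders under the reserved .example TLD.
SAMPLE_DELEGATIONS = {
    "shop.example": ["ns1.dns-a.example.", "ns2.dns-a.example."],
    "api.example": ["ns1.dns-a.example.", "pdns1.dns-b.example."],
    "cdn.example": ["NS1.DNS-A.EXAMPLE", "ns1.cdn.example."],
}
# Assumption: vanity nameserver names that the auditor knows are really
# operated by a provider (the hostname alone would hide that).
SAMPLE_VANITY = {"ns1.cdn.example": "dns-a.example"}


def provider_of(ns_host, vanity=None):
    """Approximate who operates a nameserver.

    Heuristic (an assumption of this example): the last two labels of the
    hostname identify the provider, unless `vanity` maps the name explicitly.
    """
    name = ns_host.rstrip(".").lower()
    if vanity and name in vanity:
        return vanity[name]
    return ".".join(name.split(".")[-2:])


def providers_for(ns_hosts, vanity=None):
    """Group a zone's nameservers by provider: provider -> sorted hostnames."""
    grouped = defaultdict(set)
    for host in ns_hosts:
        grouped[provider_of(host, vanity)].add(host.rstrip(".").lower())
    return {p: sorted(hosts) for p, hosts in grouped.items()}


def single_provider_zones(delegations, vanity=None):
    """Return zones whose entire NS set depends on fewer than two providers."""
    findings = {}
    for zone, ns_hosts in delegations.items():
        grouped = providers_for(ns_hosts, vanity)
        if len(grouped) < 2:
            findings[zone] = grouped
    return findings


if __name__ == "__main__":
    flagged = single_provider_zones(SAMPLE_DELEGATIONS, SAMPLE_VANITY)
    for zone, grouped in sorted(flagged.items()):
        print(f"{zone}: single DNS provider {sorted(grouped)}")
```

Without the vanity map, `cdn.example` looks like it has two providers; with it, the zone is correctly flagged as depending on one.
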

So far, the discussion around the DDoS attack has largely centered on consumer products. But the consequences are potentially much worse in an industrial IoT setting. If an attacker hacks a $30 million machine, it’s not just going to cause some inconvenience. It could cause real physical damage to the device, to the business, and even to human life and safety. And if it’s a widespread attack, it could have a broader economic impact as well.

At Uptake, we’re in a position to mitigate some of this risk for our customers. Ensuring data integrity is at the core of what we do. In order to provide accurate predictions and insights about the health of our customers’ assets, we need to have a high level of trust in the data we get. So ensuring that the data isn’t compromised before it even gets to us is an important part of our job.

When a customer or partner sends us data generated by their IoT assets, we work with them to analyze the source of this data and the security of its environment. We have in-house capabilities to perform a deep analysis of the attack surface of each IoT-connected machine generating the data. Then we work with our partners to improve the security of their machines where needed.

While there’s been a great deal of talk in the past week about the security weaknesses of IoT, I’m glad to say that there’s plenty that can be done to keep your data and your assets safe and secure. Start by changing those passwords!

Nick Percoco is Chief Information Security Officer at Uptake.