How the ‘insecurity of things’ creates the next wave of security opportunities
- January 22, 2016
- Posted by: Ken Stilwell
- Category: IoT, Security
More than 5 billion IoT devices were installed in 2015. Gartner estimates this will grow to 20 billion by 2020. Unfortunately, experts agree that security is not only an afterthought, but often is actively resisted and circumvented.
IoT devices are attractive to hackers because they have very weak login credentials, are “on 24/7” and have little to no secure communication channels. Hackers have started using these compromised devices to launch DDoS attacks, and even sell Instagram and Twitter robo “likes” for the vain.
Data from an HP IoT study shows that 80 percent of IoT devices failed to require passwords of sufficient complexity and length. As much as 70 percent of the devices did not encrypt communications. And 60 percent of these devices raised security concerns with their user interfaces. In an OpenDNS IoT study, 23 percent of respondents said they have no mitigating controls to prevent unauthorized device access in their company’s networks.
In an IoT security study conducted by Yokohama National University, researchers created an IoT honey pot, or an IoTPOT, to attract the bears. They found that Telnet-based attacks on IoT devices have rocketed since 2014. Telnet is a communication protocol that has no encryption or authentication. All data is transmitted in plain text. Yet a large number of industrial and scientific devices have only Telnet as a communication option.
Secure Shell protocol, or SSH, is a better option, but it increases bandwidth overload. And worse, some IoT devices cannot be configured to SSH, unless the interface appliance can be re-configured. With 70 percent of devices communicating in plain text, breaking in becomes easy.
New malware is being developed to target IoT.
Katsunari Yoshioka, who conducted the IoTPOT study, says, “Using an over-30-year-old insecure remote access service like Telnet for global access is technically simple and easy to fix. But the mass infections shows how many manufacturers do not really care, or do not know how to secure their products.”
Once hackers gain access to devices, the next step is infection of the device; the last step is monetization. Five distinct DDoS malware families targeting Telnet-enabled IoT devices have been invented. Your DVR has already being hacked and used as a botnet — you just don’t know it!
In fact, more than 56 “types” of devices, such as wireless routers, DVRs, IP Phones, web cameras and even heat pumps were found to be compromised. Spreading infection to other IoT devices with worm-like behavior often helps hackers build their DDoS botnet army quickly. And as much as 83 percent of binaries identified are new — in other words, new malware is being developed to target IoT.
The range of IoT insecurity challenges already identified include Belkin Wemo Home Automation Devices and LIFX Bulbs (both had keys embedded in the firmware), refrigerators turning into a botnet for sending spam and, every parent’s nightmare, a baby monitoring camera hacked by remote viewers.
Wearables are equally lousy when it comes to security. An HP IoT study found smartwatches often send data to multiple backend destinations (often including third parties). Smartwatch communications are trivially intercepted in 90 percent of the cases and 70 percent of watch firmware was transmitted without encryption. Indeed, 30 percent of watches and their applications were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access to user accounts. While these are consumer “things,” the enterprise IoT playground is where the money is bigger.
Industrial, building automation, energy, transportation and healthcare are a verticals in which we will see a proliferation of these devices. IoT will play an active role in equipment monitoring, maintenance, troubleshooting and automation. The money gets staggering — GE estimates that $20 billion a year is currently spent on maintenance of industrial machines ($10 billion on aviation, $ 7 billion on utilities/oil & gas, $3 million on locomotives and $250 million on healthcare).
This maintenance adds up to 330 million man-hours. In other words, lots of data to optimize the parts and processes and reduce such maintenance costs and downtime. Other giants, like Siemens, Bosch and Honeywell, and others, are leaping in to grab a slice of the IoT market. Combined, Gartner expects as many of 20 billion IoT units will be sold by 2020.
Internet of Things Units Installed Base by Category (Millions of Units), Source: Gartner November 2015)
The IoT management layer is being tackled by the likes of Samsara and Afero, while Veniam has tackled connectivity for an entire “smart city.” Nokia has launched an IoT Platform, along with a $350 million IoT fund. Samsung wants to deploy $1.2 billion in IoT.
Once hackers gain access to devices, the next step is infection of the device; the last step is monetization.
Startups focused on IoT security, like Bastille Networks (backed by Bessemer), look for RF signatures, while ZingBox and SmartOrbis are taking a shot at cloud-based analytics and device behavior anomalies. Mocana (backed by Shasta, Trident) recently teamed with Schneider Electric to strengthen its energy management offerings.
A newcomer to this space, Qadium, wants to take a different approach and catalog all devices and be a “Google Street View” for the internet. The company, which announced a $20 million Series A round led by NEA, was seeded by Peter Thiel’s Founders Fund. Trae Stephens at Founders Fund says that Qadium’s ability to look at an entire network combined with speed and scale made it a compelling opportunity.
Qadium CEO Tim Junio says that Qadium’s cataloging approach will give its customers an edge as the attack surface widens. “There is no a priori ability to identify what parts of the global internet are relevant to customers. To solve this, we need an internet-scale approach. We have created a dataset to answer questions that customers often do not know to ask. In our research, we did not expect to see misconfigurations in critical infrastructure that, if compromised, could cause literally tens of billions of dollars of global price fluctuations in certain markets.”
The IoT landscape is vast and challenging. For one, the complexity of hardware designs and memory/battery limitations cause constraints. Managing OS variants, communication protocols and application areas will be no easy task for any enterprise insurance underwriters who are collecting upwards of $1 billion each year in premiums. Yet underwriters need visibility in the IoT fabric.
Underwriters Laboratories (UL) has already launched a Cybersecurity Assurance Program (CAP) for a variety of devices, offering its stamp of approval. “For underwriters, real-time visibility at the device layer is essential to develop a robust risk premium pricing models” says Trae Stephens. Where human lives may be at risk (healthcare devices/insulin pumps/power plants), regulatory forces may step in to ensure security no longer remains an afterthought.
As the IoT market evolves, acquisitions have started to heat up. Amazon acquired 2lemetry. ARM acquired Sansa Security. Parametric Technology acquired ThingWorx and Axeda. Blackberry acquired Certicon and SecuSmart to bolster its offering.
As the number of devices grows rapidly, acquirers will step in to strengthen their own security posture. And that should be music for IoT security startups.