In 2016, threat actors pulled off a basic but devastating botnet attack that harnessed the power of the Internet of Things (IoT).
After gathering a list of 61 default username and password combinations for IoT devices, threat actors scanned the Internet for open Telnet ports and, when they found a vulnerable device, gained entry, eventually amassing an army of IoT devices to launch a massive DDoS attack.
This was the Mirai botnet attack. Though it began as a simple get-rich-quick scheme involving, of all things, the popular video game Minecraft, it led to a widespread Internet outage on the US East Coast.
In terms of ingenuity, the attack was fairly crude. There was no social engineering element and no clever attack machinery.
But if that kind of rudimentary attack destabilized an entire region’s Internet, what would a focused IoT attack do instead? And what types of IoT security are protecting users today?
Last month, for Cybersecurity Awareness Month, Malwarebytes hosted multiple educational webinars and cybersecurity training sessions for its employees, offering advice on strong password creation, two-factor authentication, and how to spot a phishing email.
In our final week of Cybersecurity Awareness Month, we hosted a live version of our podcast, Lock and Code, for our employees. In the episode, (which you can listen to in full here) we spoke to John Donovan, chief information security officer for Malwarebytes, and Adam Kujawa, security evangelist and a director of Malwarebytes Labs, about the future of cybersecurity for the Internet of Things.
What we learned was interesting enough to present to our audience in both our podcast and, today, as a blog on Malwarebytes Labs.
Crucially, the future of cybersecurity for IoT devices is not separate from the future of cybersecurity for all devices. In fact, as our use and reliance on IoT devices shifts from general convenience to full integration into daily routines, the two concepts may very well merge.
Here’s what is keeping us safe today, and what we can expect to keep us safe tomorrow.
IoT non-standardization: Boon or burden?
Perhaps non-intuitively, IoT devices are currently protected by the exact same infrastructure that leaves them vulnerable—they are not standardized. That means that many IoT devices out there today, from smart fridges to smart speakers to smart watches, are often built on different parts that run different operating systems that rarely, if ever, talk to one another.
From one perspective, that’s good, Kujawa said.
“Right now, the best security we have for IoT devices is that [development] isn’t standardized yet,” Kujawa said. “There are lots of different devices using different platforms, on different frameworks, with different protocols in some cases, and that confusion makes it difficult to do things like develop a serious security threat to these devices.”
From another perspective, though, this same non-standardization presents a threat to effective IoT security solutions.
“It also works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device,” Kujawa said.
Until that standardization arrives, Donovan said that a lot of IoT device cybersecurity hygiene falls to the users themselves. Donovan and Kujawa offered several best practices that consumers should be able to implement today, no matter their level of tech proficiency:
- Change the default password on your IoT devices
- Do not connect your IoT devices to networks you do not trust
- Stay informed about any reported vulnerabilities for your devices
- Update your devices
These four steps will better protect your IoT device from harm because, as we learned from the Mirai attacks, cybercriminals are primarily looking for easy targets. Think of it like actual burglary attempts: Thieves don’t often go looking for padlocks to try and pick, they look for doors that are unlocked.
Beyond these basic steps, Donovan noted that the lack of IoT standardization has created a higher bar for some users to fully secure their own devices and networks.
“All the things you would do to secure a corporate network? Now you have to do it in your house,” Donovan said. That includes several security best practices like segregating individual IoT devices and setting up a virtual LAN—or VLAN—to isolate IoT devices from the rest of a network.
No matter the level of tech proficiency, though, there’s more to cybersecurity than personal responsibility.
Donovan said that IoT developers should include automatic security updates by default. No automatic updates often result in no meaningful cybersecurity, and that goes for any popular device or software.
Where the problems really start to compound, though, is in the corporate world.
Cybersecurity issues for businesses
The Internet of Things is not there solely to help consumers set oven timers while cooking or to play a few rounds of the game show Jeopardy! when bored. In fact, countless manufacturing factories and hospitals utilize devices and equipment that routinely connect to the Internet for communication and operation. So, when one of those devices goes down, or if threat actors discover a vulnerability, the overall threat could be more severe.
Complicating the issue is that some of the companies that actually manufacture this type of equipment are small businesses that can sometimes fail, Kujawa said.
“I’ve heard about this plenty of times for plenty of hospitals, where they’ve got this equipment that’s running on Windows XP, and the company that built it doesn’t exist anymore, and they never released updates for it.” Kujawa said. “It puts the organization in a really tough spot.”
Imagine the many businesses in just this situation, saddled with a now-unsupported IoT device that is crucial to their daily operations. If a vulnerability is discovered, what options can they take? Remove the IoT device and lose days of production time, or risk running the device until a serious cyberattack hits, which would also incur high costs to resolve?
Either way, relying on specialized IoT devices made by small companies that cannot support their own products is a recipe for disaster, Kujawa said.
“Especially the smaller stuff and the specialized stuff, it’s very unlikely you’ll get security updates for that,” Kujawa said. “This is basically a vulnerability machine you can plug into your network.”
Despite the difficult cybersecurity realities today, the future of IoT devices looks potentially simpler.
The future of IoT cybersecurity
Much like how IoT devices are becoming increasingly crucial to businesses, these devices are also becoming increasingly integrated into our day-to-day lives.
It’s important to remember that our smartphones are not excluded from the IoT conversation, and every extension of our smartphones—tablets, smart watches, even far-away concepts like augmented reality glasses—will present us with more ways to connect to the Internet than ever before. No longer will cyberspace be relegated to the computer screen.
With that increase in popularity and daily integration, Kujawa predicted that the public would see the rise of about four to five primary IoT developers. It’s not hard to imagine today which companies will be included on that list; already, Apple, Google, and Amazon are cornering the market on smart speakers, smart watches, and, of course, cell phones.
Whatever those four major players will be, Kujawa said, there will also be a narrowing in the number of operating systems available for IoT devices. Once enough people have purchased enough IoT devices running on a limited number of operating systems, then, Kujawa said, the cybercriminals will strike.
“When we get to that point and more folks are using [IoT devices] for things like banking or social media, then that’s when we see the investment by cybercriminals,” Kujawa said.
But, Kujawa said, these cybercriminal waves will demand a cybersecurity response.
“When we see investment by the cybercriminals, that means that all of the security vendors, if they haven’t already been migrating to those platforms, they need to do that,” Kujawa said. “[If] that’s where the focus is going to be by the bad guys, that’s where the focus has to be by us as well.”
When asked if he could ever see a future where Malwarebytes and other similar antivirus tools run on IoT devices, Kujawa spoke matter-of-factly:
“Absolutely. We’re headed in that direction right now.”