The IoT is in a quiet crisis.
It is a crisis of security in which we are not the targets, but the vectors. The Mirai botnet and all the other recent attacks have used vulnerable IoT devices and systems as the method and vehicle for attacking third-party websites, systems, and companies (remember Dyn?). Soon enough, once the bad actors realize the value of IoT targets, our devices will be the targets, and they will be just as vulnerable as they are now if we don’t fix things.
These recent attacks have come about because of basic failures in simple security protocols for passwords, careless coders not closing a known SSH vulnerability, DNS faults, and a host of other factors that we know about. What we need to start thinking about is what we don’t know about, yet.
It’s already happening, of course. Within the last few weeks, hundreds of thousands of Deutsche Telekom customers in Germany had their broadband services cut off following a hack-attack on its hardware. At one point, as many as 900,000 people suffered internet outages. That number fell to 400,000 as security measures were implemented.
The company said the incident was likely part of an apparently botched attempt to infect customers’ routers with a new version of (guess who) Mirai. Deutsche Telekom issued a software update to its 20 million German customers and asked affected folks to disconnect routers.
This new strain of Mirai targets a flaw in the SOAP (Simple Object Access Protocol) service embedded in the Zyxel router products, allowing the malware to take over the devices, according to a PC World article.
Security experts were, naturally, expecting this kind of thing.
“I am not surprised that this happened to Deutsche Telekom, as we know that most home gateways are insecure, yet present an attractive target for attackers because they are always on and always online,” said Cesare Garlati, chief security strategist for the prpl Foundation. “The problem in this instance was that the manufacturer updated its box from previous versions and left a service normally reserved for carrier use to maintain its service open to the internet and unauthenticated. We also need to change the mindset of the carrier industry and government to realize that there is no such thing as a secure backdoor or this is a problem that we will likely see again. Luckily, Deutsche Telekom was able to patch the issue, which was exactly the right thing to do, it just was maybe more reactive than proactive. In the future, I hope we see carriers considering manufacturers with higher security standards.”
Companies have been ignoring the warnings of security experts, analysts, and pundits for years in the search for more profit and faster product delivery to market. This is unacceptable.
“For years security pros have been warning about the dangers of the millions of insecure home routers like the ones targeted in the Deutsche Telekom attack this weekend. What has changed is the arrival of the Mirai exploit targeting these routers and other IoT devices. Mirai is to IoT attacks what the assembly line was to the industrial revolution,” said Jonathan Sander, vice president of product strategy at Lieberman Software. “We should expect to see bad guys manufacturing attack after attack with it. Unlike an assembly line, though, Mirai is downloadable by anyone. In the Deutsche Telekom case, it looks like the attacker may have set Mirai up incorrectly. It certainly wouldn’t be the first time someone set up large-scale software badly. Deutsche Telekom and others have a large challenge on their hands. Not every attacker will get Mirai wrong and save the day for them. And those years of warnings they and every other vendor have gotten about the poor security of IoT means they are years behind the problem.”
Rod Schultz, vice president of product at Rubicon Labs, added, “With this attack and with Mirai you are beginning to see the dangers with break once, break everywhere technology. You have an ecosystem of routers that are hosted by Deutsche Telekom that have little digital diversity (same hardware and software), and an exploit on one router appears to be working on all routers, or there is a cascading effect that is bringing down the network. Management of devices is simpler when they are all the same, but that simplification is also leveraged by attackers to compromise the system. To be clear, this is not a simple problem to fix, and that security challenge is going to be exploited by attackers for many years to come.”
A new report from Arthur J. Gallagher & Co. examines emerging cyber security exposures, how organizations can protect themselves, and practical steps to take before and after a breach occurs.
According to the report, the growing array of security and privacy threats poses significant financial, reputational, and physical harm to businesses, organizations, and the communities they serve. It is critical for organizations of all sizes to understand these various exposures and learn how to detect and address them.
The report, “Protecting Security and Privacy in an Interconnected World,” examines common and emerging technological vulnerabilities and the steps that organizations can take to prepare for, mitigate, and address them.
Adam Cottini, cyber liability insurance and risk specialist and managing director of the Cyber Liability Practice at Arthur J. Gallagher & Co., says in the report that cyber attacks can be financially, competitively, politically, or ideologically motivated. They can even be the work of thrill-seekers with no specific agenda. These attacks can come from outside or within the organization. Regardless of their origins or the motivations behind them, cyber attacks can have serious, potentially devastating consequences.
“Security may not always be the manufacturer’s top priority because considerations such as speed to market and returns on investment tend to overshadow the investment in security,” he said. “The more networked technology we use, the more ways there are for hackers to infiltrate databases and cause financial or physical harm. Thus there is a growing need for organizations and individuals to be vigilant in protecting connected systems from the consequences of these threats.”
Leaving security on the back burner is becoming more and more foolish and short-sighted. What’s more, it could spell the end of the industry for decades if allowed to become irreversible.
The report recommends several steps that organizations can take immediately to ensure that they are better prepared when a breach occurs:
• Bring together representatives from all functional areas with responsibilities for managing cyber risk to identify and set high-level security priorities, understanding that reducing this risk involves more than an organization’s information technology team.
• Cultivate an internal culture of security awareness, educating and training employees to report suspicious activity or potential/actual breaches.
• Develop an incident response plan detailing the organization’s process for addressing a potential or known breach.
• Interview multiple qualified breach response attorneys in advance of a breach, and select more than one, in the event that a conflict arises.
The report examines the insurance coverage that can come into play in the event of a cyber breach, including the third-party liability and first-party breach response and operational costs that are eligible for coverage under a traditional cyber insurance policy. Some cyber exposures, including many related to the Internet of Things, are not covered by a traditional cyber policy but may be covered under other property/casualty insurance policies. Cottini digs into the steps that organizations should take immediately after a breach has been detected to ensure that insurance applies.
Given the number of coverage variables, Cottini recommends that organizations seek the advice of an insurance broker with expertise in cyber insurance to avoid encountering any unanticipated coverage gaps if a breach occurs.
Edited by Ken Briodagh