Security and the Internet of Things [Q&A]
Last year saw the Mirai botnet harness routers and other IoT devices to launch DDoS attacks against internet services.
Is this type of attack something we’re going to see more of in 2017, and what can companies and individuals do to protect themselves? We spoke to Sam Rehman, chief technology officer at attack prevention specialist Arxan Technologies, to find out more about security and the Internet of Things.
BN: Let's start with last year and the Mirai botnet, how significant was that attack?
SR: Mirai was mostly about taking advantage of flaws in routers and doing that wasn't an easy thing to do. The attack was in four waves and was very well designed. However, once you know that it's a Mirai type of attack you know how to trace it back and how to stop it. The worry is what this means for the next generation of attack which might not be that easy to stop. If it's launched via a peer-to-peer network you won't have a single point of entry and it may be necessary to start shutting down services to fend off the attack. This type of threat is becoming a bigger and bigger problem and I don't think it’s going to slow down because the yield is so high.
BN: So potentially this is the tip of a much bigger iceberg?
SR: I think so and my biggest worry is that there are IoT devices which are always listening, Amazon’s Echo box for example. This isn't new, there were a number of attacks on Xbox a way back when it first came out. Whilst this is a great feature users need to be aware that the device is always listening and always recording.
In Europe one of the biggest attacks on credit cards was using CCTV and pattern recognition to capture images. The CCTV is likely to be pointed at the ATM, so footage combined with pattern recognition can give hackers your PIN number. Now imagine how much easier that is to do with a voice system. Voice has done a lot more on figuring out context, so you just have to listen for terms like 'social' and 'credit card' to begin capturing information and pick up things like social security and payment card numbers.
BN: Is there a risk from linking new IoT technology to older, legacy systems?
SR: Any time you update a data system capturing information there's a risk. Hackers love it when you go from one technology to another as you basically have a parallel system. With old and new technology together you’re going to put the security on the new system, but what happens to the old one? It becomes a tunnel to the new one -- because they have to talk -- so hackers won't attack the new system, they'll go for the older, legacy one. Many older systems were designed to connect via an RS232 port, nobody at the time thought it might be possible to connect them remotely.
BN: Does the problem need to be tackled by the device manufacturers or will regulation play a part?
SR: We need to have both. The latest EU regulations are very good, but there are only three reasons why a manufacturer would act. Firstly is when they suffer a breach, whenever that happens people react, it's unfortunate but it's a fact. Second, is government enforcement, if companies have to comply with legislation then they're forced to act and not just wait for a breach. That said, compliance is often treated as a check box exercise, so in itself is not enough. The third driver is liability, I hate litigation but it is effective. If a manufacturer leaves a device unprotected that potentially leads to a part of the internet being shut down for weeks, then why shouldn’t the manufacturer be liable? In the end it's a balance of innovation with responsibility.
BN: Do we need to see more from comms equipment manufacturers, allowing people to sandbox devices more easily for example?
SR: Yes, there’s now a standard called AGL (Automotive Grade Linux), the automotive and medical device sectors are driving greater security because that’s where much of IoT revenue potential has been in recent years, but it’s also where the greatest risk lies as it can be a life or death situation. As we saw with Jeep in 2015 if someone can apply the brakes remotely consumers won't have confidence in the product. But these industries also have a better understanding of compliance needs in terms of patient and driver safety.
BN: Do we need to educate consumers more?
SR: There have recently been attacks where people have been able to steal from cars and then lock the vehicle again afterwards by intercepting the remote transmitter codes. The more that sort of thing happens, the more people will become aware of the problems. People need to be educated on what’s real rather than perceived 'Big Brother' risks. When we start to show people real cases then they'll start to recognize that there is a problem and press manufacturers and governments to do something about it.
BN: Does this need a shift in mindsets to recognize that it's not just a car or a fridge any more, it's a device that’s connected to the world?
SR: Absolutely. If you look at cars specifically, one car can shut down a whole highway. Attacking just a small number of cars in a busy traffic area at a particular time of day can bring everything to a halt and that is major. The same thing applies to medical devices as we rely more and more on smart systems, or even just the risk of data falling into the wrong hands. You just need to follow the money and see who would have something to gain from it, in terms of ransomware or whatever. It's not a matter of can it be done now, it’s a matter of how much effort will hackers put in based on what they could gain, whether that's cash or political power.