CYBERTRUST
The large number of insecure Internet of Things (IoT) devices with high computation power make them an easy and attractive target for attackers seeking to compromise these devices and use them to create large-scale botnets. A botnet is a network of infected machines or bots, also called zombies, that has a command-and-control infrastructure and is used for various malicious activities such as distributed denial-of-service (DDoS) attacks (see the “Botnets” sidebar).

In November 2013, Symantec researchers discovered the Linux.Darlloz worm, which exploited a PHP vulnerability to propagate to IoT devices such as home routers, TV set-top boxes, security cameras, printers, and

security blog (krebsonsecurity.com). Mirai’s strategy is quite simple; it uses a list of 62 common default usernames and passwords to gain access primarily to home routers, network-enabled cameras, and digital video recorders, which usually have less robust protection than other consumer IoT devices. The same month, a Mirai-based attack against the French webhost OVH broke the record for the largest recorded DDoS attack—at least 1.1 Tbps, and perhaps as large as 1.5 Tbps.4

IOT SECURITY RISKS
These DDoS attacks weren’t a surprise. Compared to conventional computing systems, IoT systems are at higher security risk for several reasons:5
FEBRUARY 2017 77
Insecure network services: Vulnerability to denial-of-service, buffer overflow, and fuzzing attacks; network ports or services unnecessarily exposed to the Internet
Privacy concerns: Collection of unnecessary user data; exposed personal data; insufficient controls on who has access to user data; sensitive data not de-identified or anonymized; lack of data retention limits
Insufficient security configurability: Lack of granular permissions model; inability to separate administrators from users; weak password policies; no security logging; lack of data encryption options; no user notification of security events
Insecure software/firmware: Lack of secure update mechanism; update files not encrypted; update files not verified before upload; insecure update server; hardcoded credentials
Poor physical security: Device easy to disassemble; access to software via USB ports; removable storage media
vulnerabilities, patches or workarounds might not be downloaded for a very long period of time. Under these conditions, intrusion-detection techniques become even more important. In addition, as many of the devices themselves might not have powerful processors or sufficient memory, the intrusion-detection analysis will likely occur at a gateway device.

A LONGER-TERM IoT SECURITY STRATEGY
Mirai is just the first of a novel category of botnets that exploit IoT devices and systems. Unfortunately, as history shows, the deployment of defenses against a given security threat is soon followed by new attack methods, such as recent DDoS amplification attacks that use spoofed source IP addresses to make it difficult for defenders to trace the attack’s origin.7 Thus, we can soon expect more sophisticated attacks than Mirai with even more devastating consequences. In particular, because many IoT systems and devices have actuation capabilities and can modify the physical environment, attacks to such systems and devices could result in major safety risks and endanger human life. Devising IoT-specific security techniques must be a research priority.

Defenses against conventional botnets can be broadly categorized into prevention, monitoring, and response. Preventing bot infections is the most effective defense. This can be accomplished through antivirus software complemented by intrusion-prevention systems, firewalls, content filtering and inspection technologies, and application whitelisting. User awareness is also critical, as malware often spreads because of user mistakes, such as clicking on email attachments. For example, Locky, a recent ransomware strain that also recruited infected machines into a botnet, was distributed via a large-scale email spam campaign.8 However, machines can become infected despite the use of security techniques. It’s therefore critical to monitor network and device behavior for anomalous events or trends that might indicate the presence of a threat.

Network behavior analysis (NBA) programs—which can be installed and operated by administrators or provided by third-party services—continuously monitor data flows from routers and other sources and flag departures from established baselines for traffic volume, bandwidth use, protocol use, and other metrics. Users can also take a more active role in threat detection by reporting typical machine infection signs such as longer start-up or shut-down times, frequent crashes, unexplained error messages, and unusually slow operation.

If signs of a potential DDoS attack or infected machine are detected, a prompt response is critical to minimize damage and prevent the malware from spreading. Responses can vary from simple actions such as disconnecting a suspect machine from the network to tracking, analyzing, and taking down botnets. NBA tools can carry out some mitigation actions—for example, they can redirect potentially malicious traffic to other hosts using the Border Gateway Protocol or similar
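The gateway-side baseline monitoring that the column attributes to NBA tools, as an added example that is not from the column or any NBA product: per-device flow summaries (constructed here) establish a baseline for traffic volume, protocol use and destination fan-out, and later intervals are flagged when they depart from it, as an IoT camera conscripted into a DDoS botnet would.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed gateway flow summaries, one per device and interval:
# (device, interval, protocol, bytes_out, distinct_destinations).
# Intervals 0-7 form the learning window; interval 8 is under inspection.
FLOWS = [
    ("cam-01", i, "tcp", b, 2)
    for i, b in enumerate([12000, 11500, 12400, 11900, 12100, 11800, 12300, 12000])
] + [
    ("dvr-02", i, "tcp", b, 3)
    for i, b in enumerate([30000, 31000, 29500, 30500, 30200, 29800, 30700, 30100])
] + [
    ("cam-01", 8, "udp", 900000, 143),  # sudden UDP fan-out: DDoS bot behaviour
    ("dvr-02", 8, "tcp", 30300, 3),     # unchanged behaviour
]
LEARN_INTERVALS = 8  # intervals used to establish each device's baseline


def build_baseline(flows, learn_intervals=LEARN_INTERVALS):
    """Per-device baseline: bytes/interval mean and std, protocols seen,
    and the largest destination count observed in the learning window."""
    by_dev = defaultdict(list)
    for dev, iv, proto, nbytes, ndst in flows:
        if iv < learn_intervals:
            by_dev[dev].append((proto, nbytes, ndst))
    base = {}
    for dev, rows in by_dev.items():
        sizes = [r[1] for r in rows]
        base[dev] = {"mean": mean(sizes), "std": pstdev(sizes),
                     "protocols": {r[0] for r in rows},
                     "max_dsts": max(r[2] for r in rows)}
    return base


def detect(flows, baseline, learn_intervals=LEARN_INTERVALS, z=3.0, dst_factor=4):
    """Return (device, interval, reason) for each departure from baseline."""
    alerts = []
    for dev, iv, proto, nbytes, ndst in flows:
        if iv < learn_intervals:
            continue
        b = baseline.get(dev)
        if b is None:  # a device never seen during learning is itself notable
            alerts.append((dev, iv, "unknown device"))
            continue
        if proto not in b["protocols"]:
            alerts.append((dev, iv, f"new protocol {proto}"))
        if nbytes > b["mean"] + z * max(b["std"], 1.0):  # floor std for flat baselines
            alerts.append((dev, iv, "traffic volume above baseline"))
        if ndst > dst_factor * b["max_dsts"]:
            alerts.append((dev, iv, "fan-out to unusually many destinations"))
    return alerts
```

The thresholds (z = 3, fan-out factor 4) are assumptions chosen for the constructed data; a deployment would tune them per device class and learn over far more than eight intervals.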