Tag Archives: Iot

The IoT brings down the Internet

29 October 2016

Last Friday, a large botnet, which was powered by the Mirai malware, caused a significant outage of Internet in the United States. This headline in MOTHERBOARD sums it up: ‘Blame the Internet of Things for Destroying the Internet Today’.

IoT devices are inherently insecure.

  • IoT devices are, for instance, very often secured by default passwords, which need not be necessarily changed during startup. And for ease of startup WLAN is powered on by default.
  • A software life-cycle concept, e.g. patching of critical vulnerabilities, is in general not provided. With this, the devices become vulnerable to the exploitation of new critical software bugs during operating time.

A single compromised IoT device creates no significant impact on the internet. But if attackers exploit the vulnerabilities of millions of devices and join them to a botnet, it is very likely that this will have a major impact even on well secured critical infrastructures.

We need to save the Internet from the IoT. Strict statutory guidelines are required to prevent the collapse of critical infrastructures. Some easy to implement technical rules are for example:

  • WLAN is by default off.
  • WLAN can only be activated through an out-of-bound connection.
  • WLAN is activated only after the default password has been changed.

A security label for IoT devices is required to support consumers. The European Commission already established the basis for a security label in the ‘Cybersecurity Strategy of the European Union’, published February 6, 2013:

‘Develop industry-led standards for companies’ performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market.’

Devices which do not comply with the basic requirements should be labeled accordingly. In addition, the vendors of such devices are obliged to take out a cyber insurance to mitigate the impact posed by insecure devices.

In ‘We Need to Save the Internet from the Internet of Things’ published on October 6, 2016 in MOTHERBOARD, Bruce Schneier states:

The IoT will remain insecure unless government steps in and fixes the problem.

Let’s start!

Have a good weekend.

Advertisements

A trusted device on a trusted network? A dangerous illusion!

24 July 2014

Some days ago I attended a webinar about Cyber security. While discussing the challenges of BYOD someone stated:

‘In a hyper connected world thousands of trusted devices connect to your trusted company network.’

In my opinion, trusted devices in a trusted network are a contradiction in itself.

Let me clarify this by an example from daily life.

The moment you are connecting with your company owned laptop across the internet to your company network, you lost the game. Even if you use a VNP tunnel to secure the network connection, your laptop is in a potentially insecure state, since likely infected with malware.

Back in the company network this computers state remains insecure because your malware detection system may not detect the malware. Therefore your company network is compromised as well.

That reminds me of the blockbuster ‘Independence Day’ from 1996. The aliens allowed a fighter jet, that was lost fifty years ago, to dock at the mothership. A trusted device in a trusted network! It was the first and last mistake in their life.

The good news are: This laptop is under your control. You are able to reinstall it with a hopefully not compromised golden image.

But in the hyper connected world of the Internet of Things (IoT) and BYOD most of the devices are not under your control. Moreover, they are in a completely undefined security state, with outdated and unpatched operating systems and applications and insecure SSL certificates for communications. Just a giant black security hole!

To master the challenges of  IoT and BYOD, we have to develop completely new concepts for securing  devices, applications and the communication between the devices and the company network. Trust no one!

In the meanwhile we have to do our best to create awareness for the new threats, and to secure the data in the company network.

By the way, the aliens would have done well to destroy the fighter jet!