The business risks from cyber-attacks using Internet of Things devices are high. They are eased by keeping IoT devices on a separate Internet network, making sure they have strong passwords, and checking they are not attacking others.
"For businesses, having insecure IoT devices linked to business computer systems is a significant concern."
The Internet is used to connect more and more parts of our lives. More and more things now have small computers in them and are connected to the Internet.
Use your phone to turn the air-conditioning on or the oven? Have the fridge notice that you are short of milk and add it to your online order? Unexpected visitors? Have your online camera immediately beam a message and video to your phone or computer.
Mislaid your wallet? Have your phone tell you where it is. Worried you didn’t lock the door or left the cooker on? Check them from your phone or computer and lock them or turn the stove off.
All of these are enabled through tiny internet-connected computers in everyday things - things such as cameras, fridges, cookers, locks...Hence the name, the ‘Internet of Things’ (or IoT).
- What has this to do with business security? A lot.
- Is it a new major path for cyber-crime? Yes.
- Can it result in significant business losses or business collapse? Yes.
- Is it possible to secure against it with conventional cyber-security methods? No.
Example: Cyber -attack on dynDNS, PayPal, Amazon, Spotify, Twitter….. using the Internet of Things
Recently, a large number of major companies including PayPal, Amazon, Spotify and Twitter (and many others) were temporarily shut down by a cyber-attack using the Internet of Things. This also meant that many other companies using, e.g. PayPal for transactions were also unable to sell things. The effect has been a combination of direct financial losses from lack of sales and the costs of fixing things, and indirect business losses of reputation, usability, status etc. All these losses cascading from large enterprises to small businesses.
Currently, there is some discussion as to who was responsible and why the attack occurred. Technically, the attack was a denial of service attack on the company dynDNS who provide DNS services to a large proportion of the world’s large and small businesses. The attack used a large botnet of Internet of Things devices: mainly Internet connected cameras using the recently released (and now publicly available) Mirai malware. This followed the release of the source code for Bashlite, a less sophisticated malware. See the links below for more details.
Why this IoT cyber-attack is important for managers?
This attack is important for managers to consider because it occurred and because it was effective.
- The Internet of Things can be easily used in cyber-attacks on businesses
- It was relatively easy for the attacker to insert malware on devices inside businesses networks
- Conventional cyber-security could not block the malware
- The Internet of Things devices themselves are not secure. There is almost zero cyber protection inside Internet of Things devices to stop them being used for cyber-attacks both inside and outside a business’s computer network.
- It revealed how easily and quickly the code for IoT attacks can be distributed among bad actors and applied against businesses
The malware inserted onto the massive collection of of Internet of Things devices all over the world was used externally to attack the servers of the dynDNS company. This then affected many other companies and took offline large companies such as PayPal, Spotify and Twitter
IoT malware can be written in many ways. It can just as easily be made so the IoT devices in a business attack the computers inside that business – especially if they are on the same computer network.
Is this a new and increasing business risk?
Yes. Businesses will have more and more Internet of Things devices connected to their computer networks. It is expected many many more things in our lives will have a computerised aspect to them (mugs that show how hot your coffee is and warm it to taste are already available!).
The malware for using IoT attacks is in its infancy. The malware can automatically find insecure Internet of Things products in your business and home, and the cyber-protection is currently almost non-existent.
Internal IoT cyber-attacks directly create business losses
The recent IoT cyber-attack on dynDNS and consequently PayPal, Amazon, Twitter and others is an example of an EXTERNAL attack. Those who suffered the cyber-attack were external to those who owned the IoT devices that were used for the attack. The effect of external attacks ON your business can be catastrophic.
For external attacks that your IoT devices make on others, your potential business losses are likely small. It might possibly affect your business reputation. However, it is highly unlikely there could be a claim of financial liability for facilitating the attacks on others.
The major business loss risk is from INTERNAL IoT cyber-attacks. These are the potential cyber-attacks on your business computers by your IoT devices. It is as easy to write IoT malware that can deliver cyber-attacks to your business systems and computers – with all the same consequences as any other form of malware or ransom-ware on your computers.
With IoT devices, cyber-attackers have an advantage. Typically IoT devices are already inside the business’s Internet firewall.
Like a cyber ‘Trojan horse’, this means IoT devices can create potentially any form of cyber-attack on a business (think passwords, client data, confidential information, intellectual property, banking details….) with all associated direct and indirect business losses.
In addition, INTERNAL attacks can be used to disable your business. As IoT devices increasingly manage the physical aspects of a business environment, each IoT device can be used to attack others that manage critical business functions
Practical: How can you protect your business and minimise losses?
There are simple and more complicated ways to protect against the risks from Internet of Things malware. The primary ways forward are to:
- Change the passwords on all IoT devices from the default password to a secure password
- Keep all IoT devices separate from your business computer network.
- Implement the usual cyberloss-reducing business processes – see other Boss-Gram Newsletters for details!
The simplest way to keep IoT devices separate from your other business computers is to rent an additional Internet line and create a completely separate IoT wireless network. This reduces your risks of attacks internally, but does not reduce the risks of your IoT devices being used to attack others.
Putting IoT devices on a separate network also offers the benefits of being able to cut all IoT devices from the Internet without affecting the main business computer systems and business processes.
A more technical alternative is to ensure there is a strong firewall inside your network between the IoT devices and your business computer systems. The weaknesses of this approach are that some IoT devices need holes in the firewall to operate; it is relatively difficult (and expensive) to ensure the firewall is kept secure; and firewalls are themselves a focus of attack for IoT malware. Using a complex firewall to separate your IoT devices from your business computers again reduces your risks of attacks internally, but does not reduce the risks of your IoT devices being used to attack others.
To protect against your IoT devices being used in an external attack on others requires some form of monitoring of what they are doing on your network. Currently, this requires high level technical attention although new devices are emerging to address this.
The underlying problem of IoT security
There is a deep underlying problem of security of the Internet of Things devices. Bruce Schneier, one of the world’s foremost computer security experts, has argued is neither of the groups with the power to secure them has an interest in doing so. Currently, product manufacturers have no interest in securing their IoT products. Their primary focus is on increasing their profit by using added computer-based features to sell more products. On the other side, consumers have little interest in securing their IoT devices (for example by changing the passwords). They are interested in how cheap they are and have little reason to be concerned about ensuring their devices are not used in attacks on others. This is a classic externalities problem – the consequences are external to those who can most influence the outcomes. Schneier suggests the only way forward is via government legislation to ensure that IoT devices are secure.
For businesses, the prospect of having insecure IoT devices linked to business computer systems is a significant concern. The risks are high and the problem is most easily solved by keeping IoT devices on a separate Internet network, making sure they have strong passwords, and checking that they are not attacking others.
- Put IoT devices on a different computer network to business computers (simplest and possibly cheapest is to put them on a different Internet line).
- Change the default passwords of all IoT devices and make them seriously secure passwords (and even then this is insufficient).
- When it becomes possible, identify whether IoT devices have malware and/or are attacking others. Have a way to easily disconnect them from the Internet (having them on a different Internet line makes this easier).
- Use new generation security devices when they become available (and well tested!).
Dr Terence Love
Design Out Crime and CPTED Centre