IoT Security is Hard, but Simple

If we look back on the cause of some of the recent IoT hacks like Mirai and VPNFilter, securing these types of devices seems like it should be relatively easy. Famous last words, right? IoT does offer some unique challenges such as lower computer power required by lower power and size. However, the big driver in why we see these types of vulnerabilities in IoT is, to borrow a term from Adam Smith, the invisible hand. In the case of IoT, I’m referring to the lowest price possible to add IP connectivity to an everyday device.

Looking at Mirai, the botnet of 600,000 IoT devices was created by simply logging in to machines with default usernames and password. The malware only used a combination of 62 usernames and passwords. This included gems such as root/admin, support/support, root/1234 and so on:

The VPNFilter malware could have been avoided with a simple patch. This begs the question, ‘why do these devices ship with default password and make patching so difficult?’

However, the software on the device accounts for only half of the equation. Look at the debacle with the Cloud Pets leak. Cloud Pets, for those unfamiliar, is an IoT teddy bear that recorded conversations and stored them in the cloud. More precisely in MongoDB, a db on the public internet with no authentication required to access the data. The connected toy was indexed on Shodan, which lead to 2 million recorded voice messages and 800,000 usernames and passwords being stolen. The passwords were stored as a bcrypt hash, and the email address and recorded voice messages being leaked was bad enough.

When it comes to IoT, the whole ecosystem needs to be protected. This means the device, the network and the cloud. NIST has a draft proposal which is 187 pages draft form! Needless to say, this is not an easy problem to solve. To be fair, people have been making software for a very long time, and vulnerabilities still pop up.

While IoT presents a unique challenge, the same approach that is taken with modern applications can be applied to secure 90% of the devices. All this means is securing devices, applying patches, writing good code that filters input and output, ensuring strong authentication and securing the cloud platform.

We have learned these lessons before, and it seems like we are doomed to repeat the same mistakes with IoT. However, by applying the same secure coding principles, and secure deployment principles, you can make sure that you have secure IoT devices. Of course, IoT has more moving parts, but these are problems we have solved before and can be solve again if security tools, techniques and procedures are regularly applied.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.