IoT as soft target

by Mark Rowe

The Internet of Things (IoT) is becoming a soft target for cyber-attacks. That is according to the 2015 Internet Security Trend report by Nexusguard, an internet and Distributed Denial of Service (DDoS) security product company.

As the internet enters such everyday devices as medical devices, home security systems, TVs, GPS and smart watches, the potential attack surface for DDoS attacks, sometimes combined with infiltration attempts, grows exponentially, according to the firm.

Terrence Gareau, Chief Scientist, Nexusguard, says: “By its very design, the Internet of Things is built with lightweight security. These devices rely heavily on shared libraries and a rapid development cycle. Because of their constraints, many IoT devices have limited options for firmware upgrades and other risk management features. The fact that they are also “always-online” makes them highly susceptible to intrusion and attacks.”

“With the Internet of Things, people are posting personal or commercially sensitive information. It’s a very complex question how people are going to secure that data, especially with increasingly sophisticated attacks. Furthermore, hackers may be incentivized to infect IoT devices and use them as an army for botnet attacks. Additionally, the smokescreen of DDoS attacks used for covering up data exfiltration, market manipulation and extortion, are ever more present.”

And Bill Barry, Executive Vice President, Nexusguard, said: “A single attack can cost an organisation from $52,000 to $52 million from the loss of contracts, damage to reputation, damage to stock price, damage to credit rating and increased insurance premiums. With an ecosystem of still-developing protocols, a mass attack could be devastating to an individual user or an entire enterprise.”

Download the Nexusguard 2015 Internet Security Trend Report at: https://www.nexusguard.com/genius/reports/2015-internet-security-report.php.

Meanwhile the firm has opened offices in London and Singapore as the necessary regional presence to operate Nexusguard’s services for businesses. The London office is the first in a planned rollout across Europe. The company points to high-profile attacks such as those against Malaysia Airlines, Sony Pictures, JP Morgan and MasterCard. The industry analyst Gartner recently identified risk-based security and self-protection among their ‘top ten’ strategic technology trends for 2015. Gartner also warned that more DDoS attacks are application-based, and the prevalence of DDoS-for-hire and DIY kits is trending higher. Criminals launching such attacks operate without borders and can strike from any location.

Jolene Lee, Nexusguard’s Chief Executive Officer, said: “The internet offers significant opportunities for organizations that want to thrive and grow in a digital environment, yet the risk of exposure to these types of attacks is more daunting now. DDoS attacks are one of the most financially potent cyber-threats an organisation can face and can shut down operations for days, costing millions of dollars and inflicting an unforgettable scar on a company’s reputation.”

And meanwhile the US-based firm HP released a security testing study suggesting that owners of internet-connected home security systems may not be the only ones monitoring their homes. The study found that all of the studied devices used in home security contain significant vulnerabilities, including password security, encryption and authentication issues.

Home security systems, such as video cameras and motion detectors, have gained popularity as they have joined the booming Internet of Things (IoT) market and have grown in convenience. Manufacturers are bringing to market connected security systems that deliver remote monitoring. The network connectivity and access necessary for remote monitoring present new security concerns that did not exist for the previous generation of systems that have no internet connectivity.

The HP study questions whether connected security devices actually make our homes safer or put them at more risk by providing easier electronic access via insecure IoT products. HP used its Fortify on Demand product to assess ten home security IoT devices with their cloud and mobile application components, uncovering that none of the systems required the use of a strong password and all the systems failed to offer two-factor authentication. The most common and easily addressable security issues reported include:

· Insufficient authorisation: All systems that included their cloud-based web interfaces and mobile interfaces failed to require passwords of sufficient complexity and length, with most only requiring a six-character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.

· Insecure interfaces: All cloud-based web interfaces tested exhibited security concerns enabling a potential attacker to gain account access through account harvesting, which uses three application flaws: account enumeration, weak password policy and lack of account lockout. Similarly, five of the ten systems tested exhibited account harvesting concerns with their mobile application interface, exposing consumers to similar risks.

· Privacy concerns: All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern.

· Lack of transport encryption: While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks (e.g. the POODLE attack). Properly configured transport encryption is especially important since security is a primary function of these systems.
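
The three flaws the study groups under account harvesting (account enumeration, weak password policy, no account lockout) each have a server-side countermeasure. The Python below is an added example, not code from HP or any tested product; the `AuthService` class, the thresholds and the error text are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

# Assumed policy values for illustration; the study names no thresholds.
MIN_LENGTH, MAX_FAILURES, LOCKOUT_SECONDS = 12, 5, 900
GENERIC_ERROR = "Invalid username or password"
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy record so unknown usernames take the same hashing work as real ones.
_DUMMY = (os.urandom(16), bytes(32))

class AuthService:
    def __init__(self, clock=time.monotonic):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failure count, time of last failure)
        self.clock = clock

    def password_ok(self, password):
        # Require minimum length and at least three character classes.
        kinds = sum(any(f(c) for c in password) for f in CLASSES)
        return len(password) >= MIN_LENGTH and kinds >= 3

    def register(self, username, password):
        if not self.password_ok(password):
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return True

    def _locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and self.clock() - last >= LOCKOUT_SECONDS:
            del self.failures[username]  # lockout expired, start counting afresh
            return False
        return count >= MAX_FAILURES

    def login(self, username, password):
        """Every failure (unknown user, bad password, locked) looks identical."""
        salt, stored = self.users.get(username, _DUMMY)
        match = hmac.compare_digest(_hash(password, salt), stored)
        if self._locked(username):
            return False, GENERIC_ERROR
        if match and username in self.users:
            self.failures.pop(username, None)
            return True, "OK"
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())
        return False, GENERIC_ERROR
```

Failures are counted for unknown usernames as well, so lockout behaviour does not reveal which accounts exist; a production service would bound the size of that table.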

Jason Schmitt, vice president and general manager, Fortify, Enterprise Security Products (@HPsecurity), HP, said: “As we continue to embrace the convenience and availability of connected devices, we must understand how vulnerable they could make our homes and families. With ten of the top security systems lacking fundamental security features, consumers must be diligent about adopting simple and practical security measures when they’re available, and device manufacturers must take ownership in building security into their products to avoid exposing their customers unknowingly to serious threats.” Visit hp.com/go/fortifyresearch/iot.

© 2024 Professional Security Magazine. All rights reserved.
