M2M Platforms

IoT & the Cheshire Cat Syndrome: The New Face of Security Threats

NEW YORK -- Service Provider & Enterprise Security Strategies -- IoT malware attacks are likely to get more sophisticated and targeted as hackers learn from major events like the Mirai malware attack that took down Internet connectivity across the Eastern seaboard in October.

The Mirai attack was a major topic of conversation at Light Reading's security show in New York Thursday. In case you've forgotten, in October hackers used webcams and other Internet of Things (IoT) devices to marshal a wave of distributed denial-of-service (DDoS) attacks against Dyn, a company that manages Internet domain name hosting services. This, in turn, took down prominent websites like Twitter and Spotify, amongst others, for hours on the East Coast of the US.(See Attacks Have Major Internet Sites on the Ropes.)

It emerged that the hackers had taken advantage of default passwords used in devices like webcams. In fact, the Chinese vendor, Hangzhou Xiongmai, issued a recall for its webcams after the attack. (See When IoT Attacks! Cams Caused Huge Internet Outage.)

Our panelists said that they are expecting such attacks to get more powerful and evolved in the coming year. Hackers "will look for the easiest way to penetrate the networks with the most impact," said Galina Pildush, a consulting engineer at Palo Alto Networks Inc.

In fact, Deutsche Telekom AG (NYSE: DT) saw -- and shut down -- a similar attack that tried to infect customer routers with malware this week. Heavy Reading chief analyst Patrick Donegan suggested on the panel that this indicated that the threat level is "way up" if the carrier security mavens at DT got hit "with a sting like that." (See Eurobites: Deutsche Telekom Repels Malware Attack on Customers' Routers.)

"Our adversaries are better organized than we are on this side of the fence," acknowledged Jonathon Nguyen-Duy, vice president of strategic programs at Fortinet Inc.

"The outlook for nailing them is not that great, at least in the early stages," noted Chris Novak, director of the RISK team at Verizon Enterprise Solutions , during the session.

Is security your business? Click on Light Reading's security channel for all of the latest developments in this area.

The problem, as ever with security, is that the threat is constantly evolving, with dozens of variants of the Mirai malware arriving over the last month. "The variant word is key there," said Jason Boswell, head of security, IT and consulting for Ericsson. "It's not necessarily copycatting, it's more of a Cheshire catting."

There was also debate among the panelists about the best way to deal with these new and increasing threats. "The only way you can provide security is in the network, in the ecosystem itself," said Fortinet's Nguyen-Duy.

"It is really up to the carriers and network operators to defend their networks themselves... and that's not new," suggested Pieter Veenstra, senior product manager at NetNumber Inc.

Ericsson's Boswell suggests that industry standards bodies and trade groups need to work with vendors to persuade them to build better security measures into IoT devices. "Ninety percent of the ecosystem is not implementing that because of the race to market," he said.

Palo Alto's Pildush said everyone needs to take some responsibility for security and also won the best metaphor of the show award, saying that customers, vendors and operators were like three elephants balancing a sphere in security terms.

All panelists, however, agreed that the mass-market arrival of millions of IoT devices will signal a new wave of security threats. The Dyn attack, it was suggested, could have ended up being far more serious than was originally intended.

Now the cat is out of the bag about IoT-fueled DDoS attacks, though. "The next ones that we'll see will be very intentional and targeted," said Ericsson's Boswell.

— Dan Jones, Mobile Editor, Light Reading

COMMENTS Add Comment
kq4ym 12/17/2016 | 4:22:52 PM
Re: Default passwords The password solution would seem to be the quickest way but it's not going to be a problem going away soon as 90 percent don't have any security in those IoT devicess and it should be imperitive to persuade those vendors to to build better security measures into IoT devices.
Alison_ Diana 12/9/2016 | 4:12:50 PM
Default passwords I wonder whether it's better to do away all together with the default passwords many devices ship with? So a customer or service provider installs the device and it won't work until the user or network engineer has created a strong password (one that meets all criteria a device vendor demands - including symbols, numbers, capital letter, etc.). Or is the fear that a few vendors won't make people jump through that hoop and they'll get the business, just because it's easier (albeit totally insecure)?
Sign In