How IoT can compromise network integrity

The IoT (Internet of Things) is shaking up the networking space and paving the way for machine-to-machine (M2M) communication and automated processes. From connected cars and smart homes to remote surgery and robotics – the opportunity and potential is endless.

Recent figures indicate that there are an estimated 8.4 billion IoT devices in use, and the number is expected to reach over 20 billion by 2020. Today, IoT encompasses a vast technological umbrella and its deployment comes in many flavors. Chief among them are the managed use cases of Industrial Internet of Things (IIoT), and the unmanaged use cases of Consumer Internet of Things (CIoT).

Although IIoT can appear forbiddingly complex, security management is in fact easily achievable. The key here is a solution that controls the traffic stream between devices and the application(s), guaranteeing best-in-class service and ensuring protocol conformity.  It is also crucial to secure communications via cryptography (TLS) and stateful security services (policing and vulnerability protection).

A key IIoT deployment challenge is the changing characteristics of traffic metrics. IIoT devices are massive in number, sessions are long (months or even years), and traffic volume is usually very low. Terminating idling sessions is not always an option. Indeed, the ‘always-on’ nature of some applications may result in a traffic storm within the network.

CIoT devices, which are usually unmanaged, include things like CCTV cameras, intelligent speaker systems, and wearables. When sitting behind a mobile broadband or fixed line subscriber CPE, it can be difficult to identify such devices in the network as communication relationships are not clearly defined.

The problem is accentuated by the fact that many smart devices are built on inexpensive chipsets that provide the networking protocol stack and, occasionally, an application layer. Manufacturers often avoid providing patches and sometimes even wash their hands of all responsibility once the device ships. This can cause significant disruption. According to the latest Threat Intelligence Report by F5 Labs, Europe is already a hotspot for Thingbots, which are built exclusively from IoT devices and are fast becoming the cyberweapon delivery system of choice for ambitious botnet-building attackers.

F5 Labs reported 30.6 million global Thingbot attacks between 1 January and 30 June 2017 harnessing devices using Telnet, a network protocol providing a command line interface for communicating with a device. This represents a 280% increase from the previous reporting period of 1 July to 31 December 2016. Hosting providers represented 44% of the top 50 attacking IP addresses, with 56% stemming from ISP/telecom sources.

Despite the surge, attack activities do not equate to the size of key Thingbot culprits Mirai and Persirai. 93% of attacks during F5’s reporting period occurred in January and February, with activity declining from March to June. This could indicate that new attacks are on the horizon as attackers move from “recon” to “build only” phase.

Unfortunately, we will continue to see massive Thingbots being built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers who simply refuse to purchase such vulnerable devices.

Against this backdrop, service providers are challenged with not only identifying infection activities but also mitigating outbound DoS attacks.

Traditional Layer 3 and 4 firewall rules are not as much help anymore. Robust behavioral analysis of traffic is now essential. This way, security devices learn the “normal” network baseline over time. Once a deviation is detected, a variety of activities are initiated. These could include creating an alert, which would trigger a manual mitigation process after human verification, or creating a dynamic signature for existing mitigation technologies to block detected anomalies.

Self-defending networks are integral to tomorrow's security architecture. In the meantime, responsible organizations can do their best to protect themselves by having a DDoS strategy in place, ensuring redundancy for critical services, and implementing credential stuffing solutions. It is also important to continually educate employees about the potential dangers of IoT devices and how to use them safely.