Securing the IoT in your smart home and your connected enterprise
As internet connectivity is built into more and more products, it’s vital to make sure those connections can’t let the bad guys take advantage.
Sometimes your toaster is to blame. In October last year, devices from home routers to connected thermostats and toasters were used in a huge cyber attack that disrupted many websites, including Twitter, Netflix, Reddit and Spotify.
The hackers launched a distributed denial of service attack (DDoS) on the servers of the web technology provider Dyn, a major DNS (domain name system) host – in other words, a web ‘reference book’ that directs users to the internet address where the site is stored. They did it by first getting into over 100,000 internet-connected home devices, using malware called Mirai. How could that happen? Simple: these very ‘smart’ home devices didn’t have any smart passwords or other software to protect them, which was an open invitation for hackers to play around. Mirai made the devices chuck junk traffic at targeted websites, until these could no longer accommodate legitimate users.
“Anything that is using a default password, not being patched properly, and is openly accessible to the internet is vulnerable. The bad guys don’t care particularly what it is, unless they have a specific target in mind,” says independent security expert Graham Cluley.
The Internet of Things (IoT) is on everyone’s mind, paving the way for the seemingly endless possibilities of the connected world. For consumers, the IoT is about simplifying our lives, from adjusting the temperature when we are at home to warning us early when there’s a water leak. The Industrial Internet of Things, for its part, is expected to dramatically boost productivity, keep tabs on every machine in the manufacturing process, spot logistics problems early, and fix them on the fly.
There’s just one problem: all these great advantages may come to nought because of the vulnerabilities of the digital space and the constant threat of cyber attacks.
Experts estimate that by 2020 the number of connected devices will hit between 30 and 60 billion. Anything that has sensors, some computing power and connectivity (whether Wi-Fi, Bluetooth, Zigbee, 5G or any other such standard) falls into this category: from Barbie dolls to smart fridges to medical equipment to large-scale manufacturing machinery. As connected things multiply, the risk of hacking attacks increases.
“The move towards connecting industrial control systems to the internet creates a huge challenge as hardware designed with a life-cycle of 30-40 years is being connected to digital technology and services with a lifetime of only four to five years, where threats are continuously evolving,” says Sian John, EMEA chief strategist at online security firm Symantec.
Cyber criminals are indeed getting ever more crafty, creating increasingly sophisticated and customised pieces of malware that are programmed to monitor and control not just desktop computers and mobile devices, but large industrial-scale facilities, adds John. “This allows them to take control of systems without leaving a trace,” she says. “Malware such as Stuxnet and Dragonfly, for example, have previously demonstrated the scale and impact malware might have on an industrial scale.” Stuxnet was the malicious computer program that found its way into a nuclear reprocessing plant in Iran in 2009 and took control of 1,000 centrifuges linked to the production of weapons-grade nuclear material, and instructed them to effectively self-destruct.
A bit over a year ago, a steel plant in Germany failed to shut down properly, resulting in damage worth millions of euros; malware inserted into the control system was blamed for the incident.
In the United States, a small hydraulic dam malfunctioned following a hacking attack; insiders blamed a “foreign actor” for the problem and speculated that they might have mistaken it for a much larger infrastructure target with a similar-sounding name.
Sometimes, it seems to be shockingly easy to crack a system and get into the controls. In the summer of 2015 Charlie Miller and Chris Valasek, a pair of security researchers, demonstrated that it didn’t take much to remotely hack into a moving 2014 Jeep Cherokee, disabling its transmission and brakes. The hack forced Fiat Chrysler to recall 1.4 million cars.
Later that year, other researchers revealed vulnerabilities in the all-electric Tesla Model S, which would have allowed hackers to connect their laptops to the car’s network cable behind the dashboard, and drive off with a simple software command. They also showed how to plant a remote-access Trojan on the vehicle’s internal network to later remotely cut the engine while it was en route.
In yet another demonstration, security researcher Samy Kamkar showed how a small device called OwnStar could be planted on a GM car to hack into the flow of data from a driver’s OnStar smartphone app, geolocate the vehicle, unlock it and turn on its engine.
As the industrial incidents and the demonstrations of hacking prowess show, anything that’s connected to the internet can be hacked and manipulated remotely, just like your personal computer. Last October’s attack, using toasters and other smart home devices, played out in exactly the way that researchers had predicted it could.
In most cases, the number one issue is lousy and insecure programming, combined with the use of easy-to-guess usernames and passwords. If you don’t change the password set by the device manufacturer and fail to update and apply patches to the software, you might just as well paint a big target on your company’s front door. Criminals will be able to hack your devices by finding the default passwords online and by exploiting known vulnerabilities. It doesn’t really matter what these smart devices are – even VoIP phones and smart lightbulbs pose a risk to the security of homes and organisations.
Once in, the hackers harness a gadget’s processing power for specific attacks, such as data theft, espionage on enterprise activities, or causing actual physical damage. If they break into, say, a smart thermostat and tamper with your company’s internal temperature settings, they may force specific areas such as server rooms to overheat, leading to physical damage. They could also turn off security cameras, unlock doors and invite themselves in – physically.
In November 2016, just days after the Mirai DDoS attack, the US Department of Homeland Security released strategic principles for the IoT, with the aim of guiding manufacturers to build more secure devices. But at this stage, the principles are neither regulatory nor binding.
At enterprises, digital systems tend to be in use 24/7, so planned downtimes are the only opportunity for installing updates and patching security vulnerabilities, says John at Symantec. So it’s important to lock down any exposed control systems such as SCADA (supervisory control and data acquisition) to prevent malicious use, profile network traffic to detect anomalous behaviour and ensure that the system is configured in a secure way. “Any engineering laptops or devices that are used in the environment should run the latest endpoint security software and be controlled to prevent them from being used to infiltrate malware into the industrial control networks,” she adds.
Of course, there are other, more obvious but crucial steps you can take to secure your now-digital infrastructure. “Only make accessible to the internet those devices which ‘need’ to be accessible, disabling or controlling access to remote management where possible,” says Cluley. Change the default passwords used to access your IoT devices remotely, he adds, enable authentication checks, and apply any security patches that are available. “If you haven’t got permission from your IT department, avoid connecting smart devices to the office network. This is a huge shadow IT concern, which could lead to major ramifications if an issue arose. Monitor attempts to grab unauthorised control and look for suspicious network traffic.”
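One way to act on the advice above to profile network traffic and look for suspicious activity, shown as an added example that is not part of the original article: learn which peers each device normally talks to and how much it sends, then flag new peers, volume spikes and devices that were never profiled. The device names, addresses (documentation ranges), flow records and the `volume_factor` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (device, destination, dst_port, bytes_sent).
BASELINE = [
    ("thermostat-01", "198.51.100.10", 443, 1200),
    ("thermostat-01", "198.51.100.10", 443, 1500),
    ("thermostat-01", "198.51.100.10", 443, 900),
    ("camera-02", "198.51.100.20", 443, 80000),
    ("camera-02", "198.51.100.20", 443, 95000),
]
CURRENT = [
    ("thermostat-01", "198.51.100.10", 443, 1300),   # matches the profile
    ("thermostat-01", "203.0.113.77", 53, 400000),   # new peer, large volume
    ("camera-02", "198.51.100.20", 443, 90000),      # matches the profile
    ("printer-03", "203.0.113.5", 443, 2000),        # device never profiled
]

def build_profile(flows):
    """Learn, per device, the peers it talks to and its largest flow size."""
    profile = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for device, dst, port, nbytes in flows:
        entry = profile[device]
        entry["peers"].add((dst, port))
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return dict(profile)

def find_anomalies(profile, flows, volume_factor=3):
    """Return (device, reason) findings for flows that break the profile."""
    findings = []
    for device, dst, port, nbytes in flows:
        known = profile.get(device)
        if known is None:
            # Possible shadow IT: a device nobody approved or baselined.
            findings.append((device, "unprofiled device on network"))
            continue
        if (dst, port) not in known["peers"]:
            findings.append((device, f"new peer {dst}:{port}"))
        if nbytes > volume_factor * known["max_bytes"]:
            findings.append((device, f"volume spike: {nbytes} bytes"))
    return findings

if __name__ == "__main__":
    for device, reason in find_anomalies(build_profile(BASELINE), CURRENT):
        print(f"ALERT {device}: {reason}")
```

Single-purpose devices such as thermostats tend to have narrow, repetitive traffic patterns, which is what makes a simple per-device baseline like this workable.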
Another weak link in an enterprise is internet-connected 3D printers, which would be prime targets for industrial sabotage. Just envisage a car maker that uses 3D printers to make parts; a hacker could break into the system and add barely detectable defects into the manufacturing process, an act that would only manifest itself when it’s way too late, warned a team of cybersecurity and materials engineers at the NYU Tandon School of Engineering in a recent report.
Deliberately introduced 3D-printing defects could lead to products that handle less strain and break easily – an extremely dangerous scenario for parts used in a car or an aircraft. For a few years now, the aircraft industry has been using 3D printers to create replacement parts, so the risk is not abstract. “3D printers have gone a long way and are used to print, in the field, critical parts for airplanes, cars, and so on,” says Jacques-Edouard Guillemot of Kudelski Group’s Internet of Things Security Center of Excellence. “A hacker could induce slight modification in the data used to print the part and thus make it more prone to fail or simply straight out unusable. The question is not if it will happen, but when.”
The researchers also warn that hackers could target the orientation of the product during printing, which can change the product’s strength by as much as 25 per cent. Since CAD files do not give instructions for printer head orientation, hackers could change the process without detection. “With the growth of cloud-based decentralised production environments enabled by the unique flexibility of additive manufacturing, it is critical that all entities within the [additive manufacturing] supply chain be aware of the unique challenges presented to avoid significant risk to the reliability of the product,” write the researchers at the Tandon School of Engineering.
Take the design files sent to 3D printers: a hacking attack can easily compromise a company’s intellectual property. To prevent breaches like that, researchers say manufacturers should encrypt all their design files and, ideally, disconnect their 3D printers from the internet. Ultimately, companies will have to strike a balance between exploiting the huge potential of the Internet of Things and keeping themselves – and their customers – secure.