Shutting Out Cybercriminals by Making IoT Devices Hard to Hunt
To hunt prey, predators must first scope out the target’s surroundings and everyday activity, something cybercriminals are all too familiar with when it comes to hacking connected/IoT (Internet of Things) devices in the home. While it’s tough to pinpoint which specific devices are the least secure, hackers are clearly targeting a specific segment of products more than others: mass-produced, consumer, seemingly “innocent” gadgets. In the past year alone, we’ve seen attacks on smart teddy bears, doorbells, and even fish tanks. These types of common, everyday household items are primarily designed with convenience or style in mind, while security is often an afterthought. Attacks on IoT devices in the home can not only lead to invasions of personal privacy, but ultimately impact communications service providers (CSPs) and IoT vendors.
Picking off the weak
In the recent Satori IoT botnet cyber-attack, we have seen a rapid evolution in the sophistication of attacks: instead of run-of-the-mill known vulnerabilities, a zero-day attack was used to penetrate IoT devices. The attack managed to “zombify” some 500K-700K Huawei routers, opening them up to be used as the attacker pleases: as botnets, exposing the vendor and household to ransomware, crypto-mining and many other exploitations that can benefit the attacker and severely impact both consumer and vendor. In Finland, a DDoS IoT-based attack held several residential complexes hostage without heat until a ransom was paid.
Fighting off the cybercriminals
To defend the IoT device herd on the home network in a comprehensive and effective way, service providers should develop a layered security approach that is consumer-friendly yet cost-efficient. This approach should include Customer Premises Equipment (CPE)-based IoT security, which provides automated, machine-learning-based security policies for every connected/IoT device in the household, combined with mechanisms designed to safeguard the CPE and the home network, preventing zero-day penetration of the CPE and securing against attacks moving laterally within the home network from device to device. The biggest challenge for service providers is to provide an enterprise-grade security solution that protects against the most sophisticated of attacks, yet requires zero knowledge or intervention from the consumer, all while maintaining a sensible consumer price point and a deployment mechanism that facilitates rapid mass distribution and user engagement.
As the volume of connected devices explodes, they become easy prey. Cybercriminals thrive off the increase of vulnerable IoT devices in home networks due to the lax security and potentially high reward when exploited. In order to provide proper protection, service providers, manufacturers, and vendors must provide both preventative and reactive measures across the entire IoT ecosystem. A robust security solution requires a holistic approach and must be delivered through the network. CPE-based IoT security combined with zero day CPE protection and home network security offers an effective, layered approach to tackle the evolving attack surface, and will give savvy service providers an edge over the competition. Every fight brings a challenge, but every challenge brings an opportunity.