Some weeks ago, my friend asked me the headlining question while we were having a random argument about electronics. I found it to be an interesting one, particularly because it underlines the current mindset towards the security of electronic devices that communicate over computer networks.
We are surrounded by devices in the Internet of Things ecosystem everywhere we go: TVs, cameras, thermostats, watches, and clocks are all connected. In fact, pretty much anything with the ability to communicate data over a network fits into the category. However, while we get excited about the growing selection, we should not forget what they are: devices on the internet that have as much of a chance of being taken over by criminals as traditional hardware like laptop and desktop computers. If there is one thing I've learned over the years, and especially during my time at Akamai, it is that no device can be trusted. In the last few years, we have also learned that IoT devices are not secure. Many are riddled with weaknesses such as default login credentials and credentials fixed in firmware, and this has enabled the devices to contribute to the sophistication of cyber attacks today. Terabytes of data emanating from IoT devices were used to make resources at Dyn and OVH unavailable. As revealed in Leading the IoT, Gartner Insights on How to Lead in a Connected World, it is expected there will be over 20 billion "internet-connected things" by 2020. This means cybercriminals can be like kids in a candy store, except the candy is your unsecured information living on IoT devices.
Back to my friend's scenario: it's a typical Monday morning and she's just turned on her TV to monitor the activities of the shipping department on the ground floor of her office building. Unbeknownst to her, her TV is concurrently transmitting sensitive data, including personally identifiable information (PII), to a server in Europe. How is this possible? Through malware. Her device was infected with malicious code containing instructions on how to construct information packets, where to send the data, how often it should be sent, and more. Her attacker (like many others in similar situations) has found a way to avoid detection by traditional security solutions like antivirus and firewalls by blending into ordinary email and web traffic, and has used phishing to distribute the malware.
Phishing efforts can range from campaigns that work in large volume to targeted schemes (a.k.a. spear-phishing or whaling). With just one click on a bad link, malware can take up residence on the device within seconds. Once the malware is on a device, its next objective is to inform the attacker of the device's location ("phone home") and await instructions. One such instruction could be "go forth and multiply": look for other devices and infect them (such as TV sets with default login credentials).
In my friend's case, let's say the person behind the attack set up command and control servers hidden throughout the internet, and their malware uses DNS to locate them. This person also designed the malware to exfiltrate sensitive data using the DNS protocol. Let's also say, while at work, my friend clicked on a phishing link in her email, inadvertently downloaded malware, and the malware was instructed to look for any device on the network and infect it. The infected device continuously received these instructions until there were no more devices left to infect.
By this point, she is surrounded by an army of infected devices (bots), one of which is her TV. That TV could become a designated exfiltrator, gathering sensitive information, such as credit card numbers, and transmitting it to the command and control servers. Another TV can be designated to transmit her internal employee personal information. Yet another device can transmit asset information and location, while even more devices can be used to distract her security team by sending false alarms regarding functionality. In other cases, no devices exfiltrate data at all, but instead act together (as a botnet) to overwhelm the resources of a web server.
With the rise in cyber attacks using IoT devices like the example given about my friend, it has become imperative not only to recognize that unsecured IoT devices have huge cost implications for companies (as they can serve as points for attackers to extract intellectual property and customer information), but also to include DNS in the security checklist. It's clear that most malware includes the DNS layer in its workflow. Working to stop the activity at that layer, in addition to other layers of the network stack, is beneficial: it prevents communication between the infected device and the command and control server by blocking knowledge of the server's location from reaching the infected device. The infected device is then unable to establish network connectivity to the server.
Clearly, IoT malware can no longer be overlooked or its presence understated. Mirai, Satori, Hajime, Reaper, Amnesia and IoTroop are just some of the growing number of IoT malware families in circulation today. Enterprises, even more so than individual households, need a resilient and reliable solution that protects their IoT devices from these types of threats while complementing their existing security infrastructure. They need a solution that easily identifies both known and potentially harmful domains, and blocks exposure to them by leveraging a plethora of blacklist data feeds and algorithms that detect threats using Domain Generation Algorithms or Fast Flux, or even data exfiltration using DNS. Access to a substantial amount of internet traffic, including DNS data, should be inherent in the solution. All of this would ensure that the TV in question performs the job it was originally acquired for. In response to my friend: smart enough to cause trouble!
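The three DNS-layer checks the last two paragraphs call for (a blocklisted command and control domain, DGA-looking names, and DNS-based exfiltration) are sketched here as an added Python example that is not part of the original post or of any Akamai product; the log lines, the blocklist entry and the thresholds are constructed for illustration and a real resolver policy would draw on threat-intelligence feeds instead.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log as (client_ip, queried_name) pairs; not real traffic.
SAMPLE_LOG = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.40", "evil-c2-placeholder.example.org"),  # constructed blocklist hit
    # Long hex-looking labels under one parent: the shape DNS tunnelling produces.
    ("10.0.5.40", "3f9c0b2a7e1d5c8b4a6f0e2d9c1b3a5f7e.t.example.org"),
    ("10.0.5.40", "8b1e4c7a2f9d0b3e6c5a1f4d7b2e9c0a3f.t.example.org"),
    ("10.0.5.40", "0c5e9a3f7b1d4e8c2a6f0b9d3e7c1a5f4b.t.example.org"),
    ("10.0.5.40", "xkq7m2zp9vbn4w.example"),  # DGA-looking: random letters, no vowels
]
BLOCKLIST = {"evil-c2-placeholder.example.org"}  # stands in for a threat-intel feed

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_blocklisted(name):
    """True if the name itself or any parent domain is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def looks_dga(name, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Crude DGA heuristic on the registered label (assumes a one-label TLD)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return (len(sld) >= min_len and shannon_entropy(sld) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)

def find_tunnel_suspects(log, min_label_len=24, min_queries=3):
    """Clients sending many distinct long-label queries under one parent domain."""
    seen = defaultdict(set)
    for client, name in log:
        first, _, parent = name.lower().rstrip(".").partition(".")
        if len(first) >= min_label_len and parent:
            seen[(client, parent)].add(first)
    return {key: len(v) for key, v in seen.items() if len(v) >= min_queries}

def analyze(log):
    """Return the findings a DNS-layer resolver policy would block or alert on."""
    findings = {"blocklisted": [], "dga_like": [],
                "tunnel_suspects": find_tunnel_suspects(log)}
    for client, name in log:
        if is_blocklisted(name):
            findings["blocklisted"].append((client, name))
        elif looks_dga(name):
            findings["dga_like"].append((client, name))
    return findings
```

Entropy and vowel ratio are deliberately crude; in practice they are one signal among many, which is why the blocklist check takes precedence over them.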
Want to avoid her fate? Check out Akamai ETP.