Keep IoT security under close surveillance
Matt Walmsley, Vectra Networks
The growth of the Internet of Things (IoT) has seen substantial momentum in the last two years. With Gartner predicting that 21 billion active devices will be in use by 2020, and massive growth in wearable, non-computing devices and business-to-business (B2B) IoT technology, the prospects for the sector are extremely healthy, writes Matt Walmsley, the EMEA director of Vectra Networks.
One subset of the IoT that has seen substantial growth is internet-enabled surveillance cameras. According to researchers MarketsandMarkets, the value of the video surveillance applications market will grow to $25.5 billion by the end of 2016. IP cameras are selling well for consumer and business uses. Everything from keeping an eye on the kids, the nanny and the wildlife in the garden, through to monitoring shops, offices and car parks will be possible.
While standalone IP-enabled cameras represent a growth area for IoT, they also represent a potentially serious security risk for any network they are attached to. IoT is not only bringing far more devices into the network, but these devices very rarely get patches and updates. This means that vulnerabilities can be left unaddressed for months or even years. Likewise, these devices are unlikely to be protected by traditional signature-based defenses and will almost certainly be unable to run client-based endpoint security solutions.
If the software and firmware of IP-enabled cameras are not regularly updated to address known vulnerabilities, the cameras are left open to exploitation. One major concern about the explosion in IoT embedded devices is whether manufacturers will raise their game and support the embedded software side of things as long and as vigorously as, say, a PC operating system vendor does.
We must not forget that these devices are basically mini computers and have a significantly longer working life. Therefore, they need the same level of oversight and on-going vulnerability maintenance afforded to any other computing device. With limited storage and memory, it is seldom viable to embed anti-virus technology or advanced firewalls into the devices themselves, so the wider network needs to be robust enough to protect them from outsider threats.
To illustrate the potential risks, a Vectra Networks Threat Labs researcher hacked a domestic, off-the-shelf Wi-Fi camera to prove the point. The readily-available $30 camera had vulnerabilities that the researcher was able to identify and then exploit in order to breach the unit and reprogramme it to be both a camera and a network proxy gateway, allowing unrestricted access into and out of the network it was attached to.
In a purely consumer environment, this immediately throws up major privacy and potential child safety concerns, as well as network security issues. In a business context, the situation is further amplified. Not only are digital assets, resources and users in the camera’s environment potentially at risk, as the camera owner can no longer ensure that privacy is maintained, but the camera is also now a permanent back door into the network, allowing the hacker to come and go as they please, with free access to the network the camera is attached to.
That hacker could sit on that network and gather traffic for a prolonged period of time, harvesting high-value data. Or they might use the camera as a means to orchestrate more developed internal attacks to delete, modify or steal useful data from storage and application servers.
Other consumer-grade IoT products like this camera can be hacked and reprogrammed in a similar manner. For example, Vectra Networks researchers also recently performed an in-depth analysis of vulnerabilities found in a common Belkin wireless repeater, which could also be compromised in a similar way by an external entity.
IoT opens the door to many new, innovative ways to create value and services across the internet. At the same time, IoT also exponentially increases an organisation’s attack surface. This is why organisations that embrace the IoT need to supplement traditional security with behaviour-based models of threat detection. Behaviour-based detection is fast becoming the best way to detect an active threat or attack regardless of the type of device that was first infected.
Using behaviour-based analysis, if any of these devices begin scanning the network, spreading malware or creating covert connections out to hacker sites to funnel data, that activity immediately generates alerts. Behaviour-based threat detection can deliver network-wide unified security without the bottleneck of out-of-date threat databases, which is something that signature-based security solutions alone cannot achieve.
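As an added illustration (not Vectra's product logic and not code from the article), the sketch below flags two of the behaviours named above, internal scanning and regular automated outbound connections, from network flow records without any per-device profile or signature. The thresholds, internal address ranges, function names and sample flows are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed values for illustration; tune against real traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_FANOUT = 10         # distinct internal host:port pairs in one window
BEACON_MIN_EVENTS = 5    # connections needed before judging regularity
BEACON_MAX_JITTER = 0.1  # stdev/mean of gaps at or below this looks automated

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(flows, window=60):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port).
    Returns sorted (src_ip, behaviour, detail) alerts, whatever the device."""
    fanout = defaultdict(set)     # (src, window index) -> internal targets
    outbound = defaultdict(list)  # (src, external dst) -> timestamps
    for ts, src, dst, port in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            fanout[(src, int(ts // window))].add((dst, port))
        else:
            outbound[(src, dst)].append(ts)
    alerts = set()
    for (src, _), targets in fanout.items():
        if len(targets) >= SCAN_FANOUT:
            alerts.add((src, "internal-scan", "fan-out over threshold"))
    for (src, dst), times in outbound.items():
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        if (len(times) >= BEACON_MIN_EVENTS and mean(gaps) > 0
                and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER):
            alerts.add((src, "regular-outbound", dst))
    return sorted(alerts)

# Constructed sample flows: a camera at .50 and a laptop at .20.
SAMPLE_FLOWS = (
    [(100 + i, "192.168.1.50", f"192.168.1.{i + 1}", 23) for i in range(12)]
    + [(300 * i, "192.168.1.50", "203.0.113.10", 443) for i in range(6)]
    + [(t, "192.168.1.20", "198.51.100.7", 443) for t in (5, 40, 400, 410, 2000)]
    + [(t, "192.168.1.20", "192.168.1.1", 53) for t in (4, 39, 399)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

On the constructed flows only the camera is flagged, once for each behaviour; the laptop's irregular browsing and DNS lookups stay below both thresholds.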
Stopping every unknown exploit against a non-PC device is impossible. Devices such as Wi-Fi access points, heating controllers, cameras, vending machines, or any of the thousands of other B2B and consumer devices on the growing IoT market pose a potential IT security threat. It is not realistic to profile all of these devices or create signatures for normal and abnormal activity.