F5 Networks, the long-standing networking and application services vendor, recently released the latest in a series of reports tracking the Internet of Things (IoT) security landscape; it makes for a fascinating, and worrying, read. It’s clear the pervasiveness of these internet connected devices means they are becoming integral in many critical parts of our infrastructure, and it is only going to continue to grow.
According the F5 Networks report, IoT devices are now the #1 attack target on the internet, and telecom companies and hosting providers are the organisations most under attack. Geographically, Spain was the country that suffered the most attacks – with 80% of attacks in the monitored period (it has been #1 for the last 18 months) while Brazil was the top attacking country – followed by China, Japan, Poland, and the USA. Interestingly, the attacks hitting Spain were also seen hitting other countries around the world, indicating that rather than Spain being a specific target, there is simply an IoT security issue among Spanish devices and networks.
Internet of Things devices hugely increase your organisation’s “attack footprint” – meaning more areas are exposed to the outside world, and potentially attack. No longer can one concentrate solely on “computers” as, with IoT, almost everything is a computer. For example, the digital displays used to display flight information at Bristol Airport were compromised and ransomware was installed. Bristol Airport chose not to pay the ransom but had to use manual methods for 2 days while normality was restored. Could a larger airport have taken the same course of action? Probably not.
Many compromised devices are used to create “Thingbots”, an IoT version of a Botnet –100s or 1000s of devices being used together to launch Distributed Denial of Service (DDoS) attacks, spread malware such as Mirai and, as we’ve already seen in Bristol, install ransomware. Other uses for compromised IoT devices include:
Another possibility is these devices being targeted for terrorist/warfare purposes, particularly within fields such as energy, water, pharmaceuticals etc. A great real-world example is that of the Stuxnet virus, believed to have been created to target Iran’s nuclear weapon program. Researchers believe the malware was used to change the speed of uranium-enriching centrifuges until they were destroyed. Almost 1,000 centrifuges were removed from the program, significantly slowing progress towards their goal.
For IT asset managers in certain industries, this kind of threat must seriously be considered when deploying and managing assets, particularly Internet of Things devices. The more ways into your environment, the more problems you’re likely to experience – especially when those ways in are poorly built and difficult to manage. A common attack vector is IoT devices using the default, built-in admin credentials, many of which are extremely basic. F5 show the top 5 attacked credentials are:
which, as F5 put it, “should never be default credentials to begin with” – 88% of the top 50 attacked credentials had the same username and password!
F5 have also seen attack traffic coming from a Keurig coffee maker, which shows how wide the definition of “IT Asset” is becoming as we move into 2019 and beyond.
Yes – but isn’t security intrinsically linked with ITAM?
A key part of managing an asset is ensuring it is secure…if a building manager left the doors hanging off their hinges, there would be problems. Even if there was a separate “door upkeep” team, the expectation would surely be for the two to work closely together – just as ITAM and security teams should.
At some point, it will probably become critical that your organisation can locate every single IoT device it has – perhaps to issue an emergency patch, or change the login details, or to shut them down pro-actively – or something else. Whatever the reason, ITAM is best placed to have the tools and know-how to generate that data. Get involved now – make sure the business understands the risks of IoT, and work with your security teams to put a plan in place before it’s too late.
F5 Threat Intelligence Report – https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot–multi-purpose-attack-thingbots-threaten-intern
Bristol Airport – https://www.infosecurity-magazine.com/news/bristol-airport-hit-by-ransomware/
Bristol Airport on BBC – https://www.bbc.co.uk/news/uk-england-bristol-45539841
Stuxnet and Iran – https://isis-online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf