There is no Internet of Things. It’s all the Internet of Things.
April 2017, CCTV, Surveillance & Remote Monitoring
With the Internet of Things (IoT) becoming a hot topic in the media and cyber attacks being launched through security equipment, such as with the Mirai botnet, the physical security industry is receiving a baptism of fire into the world of cybersecurity. Just as the shoemaker’s kids are the ones without shoes, it seems the physical security industry is the one without security.
Users hold some of the responsibility for insisting and ensuring their installations are secured, but they have other priorities as well, so the integrators are the ones who need to keep abreast with what’s happening in the market and best security practices – both cyber and physical. The manufacturers also have a responsibility to design systems with security in mind.
Obviously that is not happening right now. In the week of writing this article, vulnerabilities in over six camera brands have been made public. Some severe, others not too bad, but all are at risk. To be fair to some companies, there are those who have made cybersecurity a priority – as you will see in this publication. But others seem to be lagging. So what’s to be done?
Perhaps it’s worth starting at the beginning and asking whether these cyber problems are the way of the future? Will cyber security be part of the surveillance manufacturer’s skill set going forward in order to prevent incidents such as those caused by Mirai?
Gerhard Furter, head of innovation at Naxian explains that Mirai was the first public revelation of something that engineers have known for quite a while, that the openness of IoT brings with it a tax, as all technology does.
“I refer to it, egotistically, as Furter’s Law of Security: Security is inversely proportionate to convenience. The more convenient, or easy, it is to use a system, the greater the sacrifice in security,” Furter says. “As an example, the market requires that it be very easy to install a new lighting controller in a normal home. The easiest way to do so is to not issue the device with a password or to use a user-friendly default password, as a sophisticated password will require some technical knowledge on the user’s side, with an accompanying setup and configuration process – not exactly plug-and-play.”
This, he says, is exactly the vulnerability that Mirai and its numerous new offspring are now exploiting. On the positive side, Furter says it also acted as a wake-up call and he anticipates we will now find decently engineered IoT products with a balance between security and convenience hitting the market.
“At Naxian we’re already conducting new, aggressive R&D to address this specific issue. Synapse (www.securitysa.com/8723a) will now take the hassle of setting up secure IoT networks away from the user and into the realm of automation, or plug-and-play. Our platform will allow an unskilled user to buy a secure end device and install it, without the hassle of knowing how to set it up in detail.”
Check Point Software’s country manager, Doros Hadjizenonos extends the bad news a bit further, noting that Mirai was just one type of possible IoT attack. “There are many different attack methods that hackers can use to target IoT devices and the services that are linked to them. Attacks can vary from using IoT devices as launch pads, to getting data from the devices, to actually controlling the device. Unfortunately, there is no single solution to cover the continually evolving attack methods that hackers use.
“In the case of Mirai,” he continues, “it wasn’t necessarily the users of the IoT devices that were affected, but the organisations whose websites were targeted through these devices and suffered denial of service (DDoS) downtime. The security response in this instance would be different than if these Internet-connected cameras were hacked with the purpose of accessing the video of that camera, in which case it becomes the user’s problem and an issue of privacy.”
Hadjizenonos believes that in future we are likely to see more Denial of Service attacks and those attacks will use different launch pads, which could be PCs, mobile devices or all kinds of IoT devices. “The attackers will choose the launch pad that is the easiest to access and gives them the widest reach. The more launch pads they have, the bigger and more distributed the attack.”
As is often the case, the security industry has solutions for many of the attacks, but these need to be implemented and maintained. To achieve this, he says there needs to be cooperation between multiple parties – governments, telecommunications operators, device manufacturers, businesses and the public – it’s not just up to the security industry.
Closer to the security home. PinnSec’s MJ Oosthuizen, who has many years’ experience in the industry, says it all starts with a proper design of where your device(s) will be ‘sitting’ on the internet. “Many users go the easy route to set their devices up without proper firewall rules or even having a firewall available. Variants of the Mirai botnet will become more frequent as more users are engaging remote connectivity. It’s very much like supporting a street vendor at the corner – everyone says its wrong, but everyone keeps on doing it.”
What to do and how to do it?
So what are the options when it comes to protecting your surveillance devices, or to be more realistic, any electronic devices that communicate over a network and/or the Internet?
The reality, says Oosthuizen, is that everyone is looking at remote connectivity, seeing their devices remotely or monitoring what their staff or kids are up to. “Unfortunately any remote access, whether to a file server or a surveillance device needs to be configured and managed properly. Focus on phishing and ransomware filters, and that entails training and educating your employees.”
Furter notes that the smaller, less skilled security companies do not have the skill to address this issue, and as such, cannot offer comprehensive solutions. “The answer to the IoT questions does not lie in traditional security, but rather in logical security, and as such it requires that a security company has this skill set to be able to address ICT challenges in addition to physical security challenges.
“As a matter of fact, some companies are perpetuating the issue by continuing to use device brands that have a known and documented association with foreign intelligence agencies, or that have been compromised, repeatedly, to date. As late as November last year it was widely publicised how a large and respected surveillance device manufacturer had been proven to be providing video footage to some Eastern governments – this brand is still being installed in our country despite this knowledge.”
Taking a practical approach, Hadjizenonos explains that the biggest challenge in dealing with Mirai or other DDoS attacks is how to separate malicious traffic from legitimate traffic. Security vendors offer anomaly detection-based security solutions that solve this problem, but if a link connecting a DDoS victim’s network to their Internet Service Provider (ISP) and, moreover, a link between the victim’s ISP to an upstream ISP is saturated with attack traffic, then it may be too late and the security solution may not be effective.
But once Tier-1 and Tier-2 ISPs start cooperating among themselves, it is possible to dramatically reduce the number of DDoS attacks.
“Let me explain,” he continues. “The Internet is a mesh of networks. At the core are about six Tier-1 operators whose networks span the globe. Connected to them are about 25 to 30 Tier-2 ISPs, which are in turn connected to a number of other tiers and local ISPs. If they all cooperate, they could stop the attack at the source, rather than protecting the targets.
“Let’s say you have a camera at home that is launching an attack. The attack is going through your local ISP, which is often connected to a Tier-2 ISP, which is connected to a Tier-1 ISP. If the attack had been blocked at the source by either the Tier-1 or Tier-2 ISP, then the attack would practically be deemed useless.
“As such, fewer than 50 Tier-1 and Tier-2 providers together have the technical capacity to stop most global DDoS attacks (and in many cases, country-level attacks) at the source. To do this, accurate attack patterns need to be identified and agreed upon, but most importantly, there is a need to define how this can be done in an effective and legitimate way, while maintaining data privacy.”
Stopping the tsunami
Of course, getting such cooperation is not all that simple, so we have to look at other means of dealing with these types of threats.
The nature of our networks and the protocols we use does not offer much in the line of defence against ultra-large scale attacks for now. “I agree that the solution lies with the systems being exploited and the users who own said systems,” notes Furter. “If end-users secure their IoT networks and devices, the potential for abuse is greatly reduced as the greatest weakness of the criminals exploiting IoT systems is their dependence on open IoT networks. Remove the source of these open networks and the threat is reduced exponentially.”
Hadjizenonos echoes (as we all know, but never do), that corporations and individuals using these devices need to ensure that they have adequate levels of internal security, that is, good authentication mechanisms. They need to make sure that they’re using strong passwords rather than the default passwords that are available on the devices, and they need to make sure that access to these devices is controlled and authorised using standard practices. They should also apply segmentation and have a VPN were applicable, etc.
“One of the reasons these cameras were attacked [by the Mirai botnet] is because they were using default passwords. If people were changing their passwords, it would have been more difficult to hack them.”
The surveillance industry has seen a dramatic shift over recent months in the area of passwords. Most if not all major brands now require administrator passwords to be changed at installation, not giving users the option of leaving a default password in place. This change happened primarily before Mirai appeared because a number of organisations were hacked through their network cameras because the installers didn’t bother to change the default passwords due to being in a hurry to get to the next job, laziness or pure ignorance. IP cameras are great, but if they are attached to a network and they are vulnerable to exploits, the network and everything attached to it is also vulnerable.
“Without the vendor forcing the user to change the default settings, the responsibility lies on the individual who ‘installs’ this device onto the Internet,” adds Oosthuizen. “The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log into the device using telnet and/or SSH.
“My basic advice to everyone is to put your camera behind a firewall, blocking all ports except the ones required for audio, video and to access the web-based administration panel. This is a fairly straightforward way that vulnerable IoT devices can be safeguarded, making them unavailable for exploitation.”
But really, who’s to blame?
As humans, we love to have someone else to blame for our problems. In this case, however, the blame is spread over all the players, from the manufacturers and consultants, to the installers and integrators, and the users.
“I would gauge the responsibility ratio to be 80/20 in favour of the supplier,” says Furter. “The supplier is responsible for the manufacturing and supply of secure technologies that do not take a great effort to install and setup. Small features such as nag screens asking the user to change default passwords makes the world of difference.
“It is still, however, the user’s responsibility to follow this advice, and the advice of the skilled consultant or middle-man that may be involved in the setup of the IoT system. The installation fees charged by dependable installers are so low that it is actually worth it for a user to simply contract an installer to manage the complete process on their behalf.”
Unfortunately, many Internet-connected products are not designed with security in mind, adds Hadjizenonos, and some of them contain very basic flaws that allow attacks such as Mirai. Public awareness of these security oversights is rising, as cyber attacks targeting well-known services are becoming common, so users also need to understand the role that they play in the security ecosystem in terms of patching devices, having strong passwords, etc.
Apart from strong passwords, users should identify which of the services they use are exposed to the Internet. If they don’t need something to be exposed to the Internet – like a connected kettle, for argument’s sake – then they should rather configure their firewall accordingly and only allow that device to connect on the home network.
“Manufacturers do have a responsibility to design products with security in mind and incorporate good security controls but this is not easy to achieve, considering there are thousands of manufacturers out there.”
Dealing with convenience
The principles we can all use to deal with the threats posed by cyber attacks are relevant, but they are not always practical. In today’s world of choice, very few things are unique and there is always an option for a cheaper or better-looking solution, no matter what you are buying. Simply look at the number of people that by cheap surveillance cameras as an example. The fact is, these devices are cheap for a reason, and that will almost always include a lack of security thinking in their design.
How can your average user, who is not a technical expert and wants things that simply work, get around the different designs and motivations, proprietary protocols and other issues that will have an impact on the security of their devices, whether cameras, baby monitors or whatever else?
From a corporate point of view, Furter says this is simple: “implement a suitable IoT management platform”.
He says the management platform acts as the common denominator between the different IoT devices, and should be sufficiently brand agnostic to allow sustained functionality irrespective of the brand. Devices are now reduced to functional resources, and can collaborate with opposing brands with very little effort. It is the purpose of the IoT management platform to be the nexus of the IoT solution, and to manage the various processes involved in a manner that is transparent to the user, but still under the user’s control.”
Linking millions of devices over a network of cables is nothing new though. As Hadjizenonos points out, the most widespread grids in the world, alongside the Internet, are the electrical grid and the telephone grid. Both are designed for high resilience and require every device connected to them to be certified and to meet various standards that ensure that it will not pollute the grid. Manufacturers are not allowed to sell electrical appliances or telephony equipment without the appropriate certification, and authorities enforce these certifications.
“Some people suggest that a possible solution could be to require certification of any equipment that is connected to the Internet – ensuring that it will conform to basic security and other standards. This may end up being necessary and may develop over time, but would also be a very complicated process. It will take a long time to agree on the standards and then implement them. But mostly, it is likely to slow down the pace of innovation that we enjoy today.
“A more practical solution would be for the grid to protect itself, however, this would require trust and entails some risks, and yet it can be potentially done by the cooperation I mentioned earlier.”
So what can I do?
Another way to look at securing ourselves, our cameras and other devices, including software, was mentioned at a recent event by Genetec’s regional sales manager, Brent Cary. He spoke about creating a ‘network of trust’ in which each component of the network is a trusted part of the whole. In the IoT world, this means you have confidence in your own devices because you have secured them to a certain level, as well as in others’ devices as they have also secured them to the same level. Additionally, the way the devices interact and share information is also standardised to ensure a secure environment.
It’s like going to the airport. Anybody who’s been on a flight recently has been asked “Did you pack your bag yourself?” when checking in. The right answer, of course, is yes. In other words, you have taken care to ensure that your baggage (your device or application in the IoT world) is secure, while the other passengers have done the same to ensure they are secure and don’t have any issues – security flaws or careless set-up errors in the technology world.
The airline or airport company then does the rest of the ‘security’ work to ensure that only authorised and vetted people are able to get onto the plane, including those flying it and the ground staff. ACSA may have missed this part of the class, but that’s the simple theory behind being safe when you fly and behind a trusted network.
For the vast majority of the readers, inking an agreement between the Tier-1 global service providers is not something we would have a chance of being involved in. At the same time, however, out systems, whether they are corporate surveillance installations, home cameras and routers (and TVs that record every word you say), or even our mobile devices are connected and at risk.
A pragmatic approach is simply to adapt to current realities and plan accordingly. As Oosthuizen points out, “We have to face the reality: we’re trapped in a system in which everything we do is monitored and logged, and in which privacy is a thing of the past. Everything that you do with modern communications equipment leaves a digital trail. And this trail is followed tirelessly, not just by giant corporations, but also by governments and their security services.”
If our devices are used for a botnet attack on someone else, it means that our devices are compromised and whatever private information we hold or transmit is at risk. And when this includes financial details or methods of finding and accessing family members, it becomes more serious than a flippant comment or an “oh well” shrug of the shoulders.
Hadjizenonos offers more insight: “People should understand that an IoT device is a small computer, so the same practices and precautions they would take with their computer apply to IoT devices. You wouldn’t let anyone access your computer from the Internet without having a firewall (hopefully), so the same applies for IoT devices.
“You should make sure that your PC is patched with the latest software that includes security fixes; the same applies for IoT devices. Make sure they are patched with the latest software from the vendor to solve any security issues.”
From the perspective of the everyday user, Furter says security is mostly a function of common sense and some basic logic, in that most security practices are simple and obvious enough that even an untrained user will be able to comply.
“Maintain a good password regime, do
not discuss the details of your IoT network with strangers, and do not grant strangers access to your IoT resources. Just like with your banking PIN and cellphone password, ensure that you change the defaults at installation.
“It is already a fairly common practice to control access to a network resources, such as Wi-Fi, and to ensure that all connected computers have powerful and up-to-date antivirus software. Lastly, it is good governance to follow the manufacturer’s stipulations on security and control, as this will effectively close the loop.”
Oosthuizen notes that the user is not totally without control. “One important difference between digital, Internet-based communication techniques and more traditional methods is that the former often allows you to determine your own level of security. If you send emails, instant messages and VoIP conversations using insecure methods, they are almost certainly less private than letters or telephone calls.
“The flexibility of Internet communication tools and the strength of modern encryption can now provide a level of privacy that was once available only to intelligence organisations. Ultimately it’s your choice whether you utilise encryption – or choose to shoot from the hip.”
For more information:
Check Point Software: www.checkpoint.com
Refer to Hi-Tech Security Business Directory (www.hsbd.co.za) for further details on these companies.