There’s a lot of talk these days about the internet of things. But what’s often overlooked is that the internet of things is also an internet of shared services and shared data. And because much of the critical data traversing today’s public internet can be accessed, manipulated or stolen, cyberattacks are coming to pose one of the greatest business risks of our time.
This vulnerability of the public internet is a topic we’ve been discussing a lot at Syniverse, and I recently had a chance to share my perspectives on it in an article for Global Telecoms Business. I invite you to check out the full article here, and to consider what I see as one of the most important questions for businesses today: Should global commercial transactions, sensitive government systems, highly personal data and other critical information be underpinned by a public internet never intended for that purpose?
Combatting Cyber Terrorism
Already embedded in hundreds of cities all around the world, the market size of IoT in smart cities is, according to MarketsandMarkets, estimated to grow to $147.51 billion by 2020. Major growth drivers include increasing demand for intelligent cities globally and the rising demand for IoT devices.
“This year, more than 10 billion devices will connect to networks around the world, and that number is expected to grow ten-fold over the following years. Applying conventional human-centric practices to IoT security management is not practical, as the rate of IoT adoption outpaces many organisations’ ability to keep pace,” warns Gerald Reddig, head of marketing for business line security at Nokia. “There are simply too many devices to monitor, especially with the growing number of low cost sensors and the temptation to connect everything to the internet.”
A survey by ISACA on security experts found that 59% of respondents reported concern over IoT risks. Another survey of more than 550 IT and IT security practitioners by the Ponemon Institute found that 63% of respondents can’t monitor endpoint devices when they leave the corporate network, even though 55% of vulnerable endpoints contain sensitive data.
IoT is faced with an uncomfortable trade-off: plenty of the justifiable excitement but with the rapid proliferation of diverse IoT devices and applications, we’re looking at unprecedented levels of risk until the required security solutions are truly understood and implemented by businesses jumping on the bandwagon. It’s happening very quickly and the time to act on IoT security is now.
Mirai cyber attacks
Mirai attacks consumer devices such as remote cameras and home routers, part of the IoT, to increase data output, potentially launching a DDoS attack. It has been linked to numerous attacks last year, and crashed an estimated 900,000 routers from Deutsche Telekom in November for example.
“In the last year, we’ve all heard of the Mirai malware, but did you know that Mirai is Japanese for ‘the future’? And that’s what I believe we are seeing: The future of cyber attacks,” Laurence Pitt, security strategy director at Juniper Networks tells GTB.
“This doesn’t mean that everything else goes away. There will still be phishing attacks, socially engineered access and advanced persistent threats, but these are costly to develop and with distributed denial of service (DDoS) in IoT, the bad guys seem to have found a simple and successful business model to raise needed funds.”
The IoT risks can be exemplified by the DDoS attacks in 2016, which used insecure smart home devices to shut down a number of major websites, which were followed by hundreds of ‘copy-cat’ attacks.
DDoS attacks greater than 100Gbps increased by 140% in the fourth quarter of 2016, with 10 attacks surpassing 300Gbps in the year overall, according to Akamai’s State of the Internet security report earlier in the year. Content delivery network Akamai found the largest DDoS attack in Q4 2016, which peaked at 517Gbps, came from a Spike botnet that has been around for two years.
There were 12 so-called “mega” attacks (over 100Gbps) recorded in Q4, seven of which were attributed to Mirai. The malware shot to fame last year after it was used in a DDoS attack on DNS provider Dyn that resulted in outages for a number of major internet platforms.
Mary Clark, chief corporate relations officer and chief of staff at Syniverse, says to GTB: “Last year’s Dyn attack, and others like it, demonstrate that the network will not look after itself, and the public internet is a “wild west” that is not fit to support IoT use cases in the future.”
It doesn’t have to be that way, adds Clark. “Some companies are able to carry on throughout DDoS attacks completely untouched because they are on secure, private IP networks. These networks are built to minimise risk by running completely independently from the public internet, and allow companies to control access. This means not only controlling speed and latency, but also knowing the individual behind a device accessing the network, are exactly who they say they are – and this is where attribution comes in.”
Are we ready?
With frequent reports of data leaks, ransomware and hacks, being too heavily reliant on public internet connectivity to underpin the IoT brings a huge question mark. Are public networks really ready to enable a truly global IoT, securely?
“IoT is not just the internet of things, but the internet of services and shared data,” says Clark. “These services connect a multitude of organisations, sharing business and personal data and information. It can include highly sensitive personal data, as well as information about personal preferences and requirements, and can tell us much about users’ likely future needs for an internet of shared services. However, there’s one substantial flaw in all this which is that at several moments during these data exchanges, many of these services run over the public internet.”
Privacy and data protection is a big challenge. There are so many potential points of data collection and when you put all of that together it becomes easy to identify people. Les Anderson, global CSO & vice president of cyber security of BT, says to GTB: “IoT technology means that, nowadays, everything is connected – vehicles, traffic sensors and even consumer goods can generate and communicate all kinds of information. A conservative estimate is that there will be 50 billion such devices connected by 2020.
“Whilst revolutionary technology like this is exciting, it also has serious implications for network security. With so many connected devices, there is a huge increase in the number of potentially weak or open entry points that can be exploited, and the number of security risks shows no signs of slowing down. The predicted influx of data caused by IoT means that 50% of IT networks will struggle to cope and 10% could be overwhelmed as early as 2018.”
Cisco’s IoT forecast
Cisco’s Visual Networking Index (VNI) forecast predicts global IP traffic to increase three-fold, reaching an annual run rate of 3.3 zettabytes by 2021. For the first time in the 12 years of the VNI forecast, M2M connections that support IoT applications are calculated to be more than half of the total 27.1 billion global devices and connections and will account for 5% of global IP traffic by 2021.
“Faster speeds are not the only factor driving growth of internet traffic. The IoT is accelerating the number of devices that are attached to the internet, not only adding to the growth of traffic but also adding potential pathways for attackers,” states Cisco’s 2017 mid-year cybersecurity report.
IoT innovations in connected home, connected healthcare, smart cars/transportation and a host of other next-generation M2M services are driving this incremental growth—a 2.4-fold increase from 5.8 billion in 2016 to 13.7 billion by 2021. With the rise of connected applications such as health monitors, medicine dispensers, and first-responder connectivity, the health vertical will be fastest-growing industry segment (30% CAGR). The connected car and connected cities applications will have the second-fastest growth (29% CAGRs respectively).
What does the future hold?
Juniper Networks’ Pitt isn’t saying that we’ll see millions of DDoS attacks in the coming year but that “malware groups are now at the monetisation stage, selling botnets-as-a-service (BaaS) on the Dark Net, making licence revenue for further research”.
Nokia’s Reddig believes that to address the growing challenges created from IoT, security management solutions must aggregate, correlate, analyze, and enrich security data from a variety of sources within a business-specific context. “A contextual understanding of devices and the associated services they enable is a crucial aspect to assessing both security threats and the appropriate mitigation. Thus, knowing which IoT assets are part of a network is a critical prerequisite for securing those assets and the associated data that is either stored, processed, or transmitted, as is the ability to discover devices that are connected to the network, both sanctioned and unauthorised (or rogue).”
Machine learning will also be integral to the success of enhancing security levels as identifying anomalous behaviour, sharing threat intelligence information across network, device and cloud layers and automated incident responses will be critical. “When infused with contextual knowledge about the IoT service and business value, appropriate automated rapid response can be initiated,” says Reddig.
“As the number of smart cities grows and security threats become increasingly sophisticated, telecom operators will play an important role in guaranteeing the security of these cities and their inhabitants. Avoiding complacency is key; we will partner with governments for an integrated and comprehensive defence strategy, ensuring that we have all bases covered,” adds BT’s Anderson.
“I am sure we will solve these issues but it will require more awareness and cooperation among device manufacturers, network operators and consumers. We need to establish best practice and promote vendors that comply with best practice. Today a lot of vendors are still making rooky mistakes such as storing passwords in firmware as plain text.”
The lessons learnt can’t be more obvious: IoT security can’t be dismissed or ignored. Consumer confidence in the IoT is wavering and designers are faced with an uphill battle.
Pitt concludes: “The hacker who developed and recently released the Mirai source code subsequently blogged, “I made my money, there’s lots of eyes looking at IoT, so it’s time to go.” This statement is the basis for my prediction: The DDoS and Botnet attacks in 2016 were the first wave, gathering intelligence and generating revenue which will now be used to develop and propagate advanced and complex IoT next generation malware.”
Mary Clark is a former Chief Corporate Relations Officer and Chief of Staff at Syniverse.