VPNFilter should compel IoT manufacturers to adopt a secure by design mindset
The VPNFilter Internet of Things botnet that Cisco Talos researchers discovered in May is the latest cyber security red flag for all IoT device manufacturers – and it’s an enormous flag.
Attackers were able to infect more than 500,000 Internet routers and network attached storage (NAS) devices, as well as the endpoint devices behind them. IoT devices are becoming ubiquitous across so many industries like automotive, healthcare, financial services, manufacturing and utilities, yet too often, security is an afterthought during the design and manufacturing processes. That leaves them open to attacks like VPNFilter.
Manufacturers should adopt a “Secure by Design” mindset as their guiding principle, no matter their size or business/consumer application.
VPNFilter represents the evolution of the traditional botnet – a network computer that hackers can remotely access and use to forward transmissions to other computers connected to the Internet - into an IoT botnet characterized by hijacked computers and IoT devices. The latter is a broad category that includes any device with an IP address that connects to the web to transmit and/or receive data, including something as small as a cardiac implant monitor to autonomous driving systems in cars.
VPNFilter enables attackers to send programmatic commands to each infected device individually or all of them simultaneously. Researchers believe the Russian state actor APT28 could be distributing VPNFilter to facilitate a variety of operational purposes, including collecting intelligence, launching DDoS attacks and causing widespread damage by bricking infected devices.
The lesson for IoT device manufacturers, and the companies that implement them, is that if connected devices are not secured effectively, they become vulnerabilities that attackers can exploit. The Mirai botnet experience taught us this. The researchers pointed to the difficulty of determining even the scope of the devices caught up in the botnet, due to a lack of device attribution, which could have been made possible using PKI and binding a cryptographic key to each device.
Consider that while Internet connectivity enables self-driving or driver assist capabilities, that also increases the risk that these complex safety and navigation systems become more vulnerable to hacking. The Journal of the American College of Cardiology research warns that pacemakers and other connected medical devices could be targeted by hackers for political, financial or personal gain.
Incorporating strong authentication for devices can strengthen user security if more IoT device manufacturers incorporate security during the early design process. Failure to do so inevitably forces them to retrofit devices after-the-fact, an expensive, time-consuming and ineffective approach.
Effective device security does not mean creating a perfect product that never has any vulnerabilities; it means building in key, scalable security measures from the beginning and enabling secure updates along the way. Public Key Infrastructure (PKI) and digital certificates can be used to meet the requirements of authentication, encryption and integrity for devices and the data being transmitted between devices and shared by users. For decades, digital certificates have been the security backbone of networked devices like servers, routers, printers, and fax machines. PKI can do the same for the Internet of Things.
Global providers of authentication technologies, such as those operating large-scale PKI systems that adhere to industry standards, can help companies avoid the headache and expense of running their own digital certificate infrastructure. These companies also have the capability of handling needs across multiple geographies. The unique role of PKI in the history of data and identity security, and its ability to facilitate the secure transfer of information across networks, makes it the most effective and ready solution for IoT service providers to demonstrate transparency, responsibility and accountability to their customers, partners and regulators.
An organization must know that when a device is registered and attached to its network it is legitimate and not fraudulent. Certificates can bind a cryptographic key to the identity of a device and provide device attribution. Signing code on the device can help ensure secure boot, patches and over the air updates. Certificates can authenticate the device to the network to make sure it is one authorized by the company and not part of a botnet. These measures are important to helping secure device connectivity and protect users. Knowing the answers to these questions will enable an organization to provide complete transparency to auditors and users, in a reasonable time frame, should a problem arise.
Full transparency also raises a brand’s reputation in the eyes of the public by demonstrating that a company is acting responsibly. Nurturing that perception also requires acknowledging that the IoT landscape is immature. There are so many standards to choose from, and so many different manufacturers, application developers and operating systems. That is why cultivating relationships with the hacker community and researchers matters. Inviting these groups to help identify and report vulnerabilities will enable a manufacturer to more quickly mitigate potential problems as they grow their IoT presence.
Gartner estimates there will be 26 billion IoT devices connecting to the Internet by 2020 - an almost 30-fold increase from 0.9 billion in 2009. IoT device manufacturers and enterprise security providers face an enormous challenge trying to scale up the process of identifying and authenticating those devices.
The confidential user data IoT devices collect and share fall under the same strict laws and regulations governing data security that all IT systems do, be they laptops, on-premises databases and cloud computing platforms. Adopting a "Secure by Design" approach to device manufacturing, and prioritizing users' privacy are key components in fostering transparency, responsibility and accountability in this Age of IoT. PKI is one core technology that can help manufacturers address security upfront.