In October 2016, the Internet of Things was at the center of one of the largest distributed denial of service (DDoS) attacks. A botnet called Mirai hacked IoT devices and then used those devices to send an unprecedented number of traffic requests to Dyn, a large DNS provider. This increase in traffic caused Dyn to go offline, and subsequently knocked a number of its noteworthy customers offline as well—including Amazon, Twitter, and PayPal.
While there have been numerous high-profile IoT-related cyber attacks over the last several years, the Dyn attack demonstrates the importance of IoT cybersecurity. To protect your own application from IoT breaches there are five things you can do:
1. Don’t provision your IoT devices with default usernames and passwords.
A large majority of IoT cyber threat can be avoided by following this one simple rule. Here’s why: A lot of common IoT devices (like many smart thermostats and security cameras) are Linux-based, and many are shipped out with default usernames and passwords for SSH connections. (We’ll discuss the danger of SSH below.) If your customer puts one of these devices on their network, it becomes a very easy target. The Mirai attack specifically searched out devices with this very trait. Tools like Shodan and Nmap make it easy for hackers to write a script that finds these devices and tests the default password, paving the way for a large-scale attack using botnets.
Want to learn about how large scale manufacturing operations track and monitor materials in their plants?
To avoid this, we strongly recommend considering other solutions to manage your applications, without default passwords. Even hashing—where customers enter their unique product serial numbers into a browser to get their password—is more secure than shipping out standardized usernames and passwords.
2. Don’t use an SSH (Secure Socket Shell) connection, if possible.
As mentioned, many IoT applications run Linux, and most Linux systems enable SSH by default. That means the device is “listening” to port 22 for anyone who wants to connect to it via SSH. If your application does not require that you use SSH, be certain it’s disabled—because it’s a major IoT cybersecurity vulnerability.
3. Limit your application’s exposure to IP-based networks, if possible.
Chances are good that if someone tries to hack your IoT device, they’ll do so using an online, script-based attack. It’s much, more more rare for a device to be hacked physically by a bad actor in the same room. Limit your application’s exposure to IP networks if you’re able.
Your connectivity provider may be able to help. Symphony Link, for example, doesn’t have IP-based communication from the end-node to the gateway, so there’s no network-based vulnerability that can attack that link. Even if a hacker were able to gain access to, say, a Symphony Link-connected smart water meter, there would be nothing said hacker could do to exploit the connection into the upstream IP network.
4. Create a VPN tunnel into your backend network.
Enable your devices to create a virtual private network (VPN) tunnel for secure communication. The best way to do this with cellular IoT is to negotiate with your carrier to add your devices in their private network, with a VPN tunnel directly to your backend. The result: There’s no way for any traffic to or from your devices to get to the internet. Called virtual air-gapping, this is a service we provide our LTE-M customers here at Link Labs.
5. Whitelist certain IPs and domain names.
Consider only allowing only a select list of IP addresses or domain names to send traffic to your devices as a form of firewall protection. This can help prevent rogue connections. Keep in mind that if your device is hacked, it may be possible for the hacker to remove the IP and domain blocks you have in place—but this is still a good precautionary step.
Finally, if you’re a large company developing a connected application, we at Link Labs strongly recommend you research an established security consulting firm who can analyze your cybersecurity practices and help ensure your application is sound. Don’t wait to be the subject of a Dark Reading article about how simple it is to exploit your device. Spend the money now to secure your application. If you have questions in this area, we’d be happy to help—send us a message and we’ll get back with you shortly.