Protecting Networked Devices

IoT devices have become an important part of the communications infrastructure. Consider, for example, routers, printers, webcams or industrial control devices. In the ‘olden days’ this sort of device might be monitored and configured through a serial or other bespoke port connection to a dedicated computer. Serial ports have become hard to find, and even devices that convert USB or Ethernet traffic to device control ports are now uncommon; their control software may not be able to communicate with target devices.

For some years the control solution has been to use Internet protocols and connections to work with remote devices. These devices tend to rely on bespoke operating system software whose security is largely outside the control of the device user. Security protocols and access control systems are expected, but accounts may have been compromised or backdoor access exposed. Whilst the user may be unaware of this, the hacker community will be better informed.

The 2022 Microsoft Digital Defence Report indicates that IoT devices have become a key target for cyber-attacks. The two most common IoT malware instances detected, Mirai (103,092 cases) and Gafgyt (87,479 cases), both turn devices into bots for use in DDoS attacks. Apart from hosting malware, hostile control of IoT devices could be used to take down critical infrastructure. The potential risk of such an attack would attract the considerable resources of nation-state-backed hackers.

Over 20% of 39 million IoT devices sampled by Microsoft used identical user name and password pairs for remote access.  The most common pairs include:

  • admin admin
  • nc11 nc11
  • telnetadmin telnetadmin
  • user user
  • default default

Further vulnerabilities stem from many devices using proprietary communication protocols including MODBUS (logic controllers), BACnet (heating systems) and Siemens S7 (also logic controllers). Systems such as these are difficult for ‘universal’ security monitoring systems to probe and analyse.

To some degree, IoT device security resides with the manufacturer. At present there is no legal requirement that manufacturers keep to some recognised security standard or that they avoid ‘well-known’ default passwords. Some degree of control may be introduced with the upcoming Cyber Resilience Act (EU) and Product Security and Telecommunications Infrastructure Bill (UK). Potential users of new systems should ensure that vendors are working towards these standards. ‘Grey’ imports may involve a considerable purchase or software license cost saving but might not be as secure as equivalents from ‘big name’ suppliers. It is also less likely that this type of device will be supported with patches and security updates.

The following security safeguards are recommended for systems relying on IoT devices.

  • Protect devices by applying patches and by changing default account names, passwords and access ports.
  • Restrict access to technical information concerning IoT device models and protocols.
  • Restrict access by using VPNs, blocking ports and restricting access addresses (MAC or IP).
  • Use software to detect and monitor IoT devices.
  • Isolate and segment IoT devices using VLANs and firewalls.
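
The safeguards above can be checked routinely against an asset inventory. The following is an added example, not part of the original article: it audits a constructed inventory for the default credential pairs listed earlier and for devices that break the patching, port, access-restriction and segmentation safeguards. The CSV columns, the default ports, the IoT subnet and the device names are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Credential pairs the article lists as most common in the Microsoft sample.
COMMON_PAIRS = {("admin", "admin"), ("nc11", "nc11"), ("telnetadmin", "telnetadmin"),
                ("user", "user"), ("default", "default")}
# Assumption: factory-default management ports for this hypothetical estate.
DEFAULT_PORTS = {23, 80}
# Assumption: the subnet of the VLAN reserved for IoT devices at this site.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample inventory (hypothetical devices and values, not real data).
# Credential columns are assumed to come from the site's credential vault export
# and are only held in memory for the duration of the audit.
SAMPLE = """name,ip,username,password,mgmt_port,patched,allowed_sources
cam-lobby,10.20.0.11,admin,admin,23,no,any
plc-line1,10.20.0.40,ops_plc,Xk9!vR2q,8443,yes,10.99.0.5
printer-2f,192.168.1.77,user,user,80,yes,any
"""

def audit(inventory_csv):
    """Return {device name: [findings]} for every row that breaks a safeguard."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        if (row["username"], row["password"]) in COMMON_PAIRS:
            findings.append("default-credentials")
        elif row["username"] == row["password"]:
            findings.append("username-equals-password")
        if int(row["mgmt_port"]) in DEFAULT_PORTS:
            findings.append("default-port")
        if row["patched"].strip().lower() != "yes":
            findings.append("unpatched")
        if row["allowed_sources"].strip().lower() == "any":
            findings.append("unrestricted-access")
        if ipaddress.ip_address(row["ip"]) not in IOT_SUBNET:
            findings.append("outside-iot-vlan")
        if findings:
            report[row["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```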
