Protecting Networked Devices
IoT devices have become an important part of the communications infrastructure. Consider, for example, routers, printers, webcams or industrial control devices. In the ‘olden days’ this sort of device might be monitored and configured through a serial or other bespoke port connection to a dedicated computer. Serial ports have become hard to find, and even devices that convert USB or Ethernet traffic to device control ports are now uncommon; their control software may not be able to communicate with target devices.
For some years the control solution has been to use Internet protocols and connections to work with remote devices. These tend to rely on bespoke operating system software whose security is largely out of the control of the device user. Security protocols and access control systems are expected, but accounts may have been compromised or backdoor access exposed. Whilst the user may be unaware of this, the hacker community will be better informed.
The 2022 Microsoft Digital Defence Report indicates that IoT devices have become a key target for cyber-attacks. The two most common IoT malware instances detected, Mirai (103,092 cases) and Gafgyt (87,479 cases), both turn devices into bots for use in DDoS attacks. Apart from hosting malware, hostile control of IoT devices could be used to take down critical infrastructure. The potential risk of such an attack would attract the considerable resources of nation-state-backed hackers.
Over 20% of 39 million IoT devices sampled by Microsoft used identical user name and password pairs for remote access. The most common pairs include:
- admin admin
- nc11 nc11
- telnetadmin telnetadmin
- user user
- default default
Further vulnerabilities stem from many devices using proprietary communication protocols, including MODBUS (logic controllers), BACnet (heating systems) and Siemens S7 (also logic controllers). Systems such as these are difficult for ‘universal’ security monitoring systems to probe and analyse.
To some degree IoT device security resides with the manufacturer. At present there is no legal requirement that manufacturers keep to some recognised security standard or that they avoid ‘well-known’ default passwords. Some degree of control may be introduced with the upcoming Cyber Resilience Act (EU) and Product Security and Telecommunications Infrastructure Bill (UK). Potential users of new systems should ensure that vendors are working towards these standards. ‘Grey’ imports may involve a considerable purchase or software license cost saving but might not be as secure as equivalents from ‘big name’ suppliers. It is also less likely that this type of device will be supported with patches and security updates.
The following security safeguards are recommended for systems relying on IoT devices.
- Protect devices by applying patches, changing default account names and passwords and default access ports.
- Access to technical information concerning IoT device models and protocols must be restricted.
- Restrict access by using VPNs, blocking ports and restricting access addresses (MAC or IP).
- Use software to detect and monitor IoT devices.
- Isolate and segment IoT devices using VLANs and firewalls.
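The safeguards listed above can be checked mechanically against a device inventory. The following Python audit is an added example, not part of the original article: it flags devices that still use one of the default credential pairs quoted earlier, a default management port, missing patches, a non-IoT VLAN or unrestricted source addresses. The inventory rows, column names, port list, VLAN ids and management subnet are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Default username/password pairs listed in the article.
DEFAULT_PAIRS = {("admin", "admin"), ("nc11", "nc11"), ("user", "user"),
                 ("telnetadmin", "telnetadmin"), ("default", "default")}
# Assumptions for this example: factory management ports, IoT VLAN ids, admin subnet.
DEFAULT_PORTS = {23, 80}
IOT_VLANS = {30, 31}
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")

# Constructed provisioning export (not real devices or credentials).
INVENTORY = """name,username,password,mgmt_port,vlan,allowed_sources,patched
cam-lobby,admin,admin,23,1,0.0.0.0/0,no
plc-line2,ops_plc,Xk3!vq9Lm2,8443,30,10.0.99.0/24,yes
printer-3f,user,user,8443,30,10.0.99.16/28;10.0.99.64/28,yes
hvac-roof,bms_svc,T7#pd0Qz4w,80,31,10.0.0.0/8,no
"""

def audit_device(row):
    """Return the list of safeguards a single inventory row fails."""
    findings = []
    user, pwd = row["username"], row["password"]
    if (user.lower(), pwd.lower()) in DEFAULT_PAIRS or user == pwd:
        findings.append("default-credentials")
    if int(row["mgmt_port"]) in DEFAULT_PORTS:
        findings.append("default-port")
    if row["patched"].strip().lower() != "yes":
        findings.append("unpatched")
    if int(row["vlan"]) not in IOT_VLANS:
        findings.append("not-segmented")
    # Every permitted source range must sit inside the admin subnet;
    # an empty list means no address restriction at all.
    sources = [s for s in row["allowed_sources"].split(";") if s.strip()]
    nets = [ipaddress.ip_network(s.strip()) for s in sources]
    if not nets or not all(n.version == MGMT_NET.version and n.subnet_of(MGMT_NET) for n in nets):
        findings.append("unrestricted-access")
    return findings

def audit(inventory_csv):
    """Map each device name to its findings."""
    return {r["name"]: audit_device(r) for r in csv.DictReader(io.StringIO(inventory_csv))}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```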