The age of innocence for IoT is over. For the past 6 months, almost every week there has been news of another cyber-attack against IoT devices.
IoT is vulnerable for a few reasons. The main one is that the typical computing power of an IoT device is limited, which makes it hard to secure effectively. However, the real issue so far is that very few manufacturers attempt to install any cyber protection at all. This is because IoT devices are small and simple - the naïve conception is that they don’t seem to be a worthy target. Most of the security efforts go into protecting the data produced and not the device. Camera streams are encoded and transmitted in a secure way, sensor data can be encrypted and secured quite easily, not to mention the highly-secured TR-069 protocol (CWMP) used by Telecoms to manage CPEs. However, the vulnerability exploited by hackers is completely different, and proves to be highly effective. They do not attempt to hack the data; they instead hack the device itself through a variety of device-specific breaches.
Most recent attacks were conducted by taking advantage of vulnerabilities, specifically in IoT devices that allow their configuration and FW to be changed remotely. Once this is achieved, hackers slowly build an army of “zombies” or “bots” to have at their disposal on D-day for DDoS attacks. The idea is not to disturb the hacked devices’ normal operation until required, and once an army is ready, to attack using the force of hundreds of thousands of devices together.
Most IoT platforms are all about managing the data produced by IoT devices through web and messaging protocols such as MQTT, HTTP and XMPP. Management of the devices themselves ranges from very limited to nonexistent. Very few platforms deploy real Device Management protocols that allow operators to efficiently and actively control the devices’ configuration. If all the data received from a device is its video stream or sensor data stream, there is no way to detect compromise attempts, which is exactly what hackers are taking advantage of and what allows them to build their botnet armies.
Unlike most platforms, Friendly Technologies servers, both for TR-069 and for IoT, put device management first. Devices and gateways connected to the platforms do not only send the data they collect, but also allow their FW and configuration to be monitored and controlled. This provides a major advantage in battling cyber-attacks, since it gives visibility into the state of the devices. This allows for a variety of holistic passive and active responses to such threats from the server’s end, regardless of the specific vulnerabilities of the various devices.
For a start, platform administrators can set direct response rules to prevent attacks even at the single-device level. Such a response can be as simple as a rule that if a specific configuration parameter changes (for example the DNS setting), the system automatically reverts it to the default setting. This can already be done with Friendly’s existing systems by setting such rules through the FEMS tools.
However, many attacks are a bit more sophisticated and make sure that any configuration change on a device seems benign and innocent. Users of CPEs and devices are often allowed to make specific configuration changes, and deciding whether a specific device’s CFG file change is a threat or not may be very tricky. Yet hackers aim to control a mass of devices, not a single device. Building an “army” is usually a lengthy process taking days to weeks to complete. During this time, a server that monitors devices’ configuration can actively look for patterns of configuration changes across the fleet rather than at specific devices. Identifying these patterns, when monitored correctly, can detect attacks long before they are launched, giving admins plenty of time to respond. Possible responses include resetting hacked devices to factory default, reverting to default FW versions, or running “forensics” on suspected devices, then finding and deploying a security patch.
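As an added illustration of the two layers just described (this is not Friendly’s FEMS rule engine or any product code): a per-device rule that reverts a guarded DNS parameter to its default, and a fleet-level rule that flags the same (parameter, value) change spreading across many devices inside a time window. The TR-181-style parameter paths, the default value, the thresholds and the sample change feed are all assumed or constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed defaults for parameters the operator wants to guard; the parameter path
# follows the TR-181 data model naming style and the default value is constructed.
GUARDED_DEFAULTS = {"Device.DNS.Client.Server.1.DNSServer": "10.0.0.53"}

@dataclass(frozen=True)
class ConfigChange:
    device_id: str
    day: int        # day on which the ACS observed the change (simplified timestamp)
    param: str      # TR-069 parameter path
    new_value: str

def single_device_rule(change):
    """Per-device rule: a guarded parameter drifting from its default gets reverted.
    Returns the RPC the ACS would issue, or None if no action is needed."""
    default = GUARDED_DEFAULTS.get(change.param)
    if default is None or change.new_value == default:
        return None
    return ("SetParameterValues", change.device_id, change.param, default)

def fleet_pattern_rule(changes, window_days=7, min_devices=3):
    """Fleet-wide rule: flag any (parameter, value) pair that at least `min_devices`
    distinct devices adopted within a sliding window of `window_days` days."""
    by_target = defaultdict(list)
    for c in changes:
        by_target[(c.param, c.new_value)].append((c.day, c.device_id))
    alerts = {}
    for target, hits in by_target.items():
        hits.sort()
        for i in range(len(hits)):
            window = {dev for day, dev in hits[i:] if day - hits[i][0] < window_days}
            if len(window) >= min_devices:
                alerts[target] = max(len(window), alerts.get(target, 0))
    return alerts

# Constructed sample feed: four CPEs quietly pointed at the same rogue resolver over
# a week, plus ordinary user changes that must not trigger the fleet rule.
SAMPLE_CHANGES = [
    ConfigChange("cpe-001", 1, "Device.DNS.Client.Server.1.DNSServer", "198.51.100.9"),
    ConfigChange("cpe-002", 2, "Device.DNS.Client.Server.1.DNSServer", "198.51.100.9"),
    ConfigChange("cpe-003", 4, "Device.DNS.Client.Server.1.DNSServer", "198.51.100.9"),
    ConfigChange("cpe-004", 5, "Device.DNS.Client.Server.1.DNSServer", "198.51.100.9"),
    ConfigChange("cpe-006", 3, "Device.WiFi.SSID.1.SSID", "HomeNet"),
    ConfigChange("cpe-007", 5, "Device.WiFi.SSID.1.SSID", "HomeNet"),
    ConfigChange("cpe-008", 9, "Device.DNS.Client.Server.1.DNSServer", "10.0.0.53"),
]
```

The per-device rule fires on every rogue DNS change individually, while the fleet rule only raises an alert once the same change is seen on enough distinct devices, which is the pattern that a single-device view cannot reveal.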
Using technology provided by an IoT security partner, Friendly Technologies has recently integrated an advanced configuration monitoring tool into its TR-069 and IoT platforms, allowing such early detection of cyber-attacks. This unique and effective solution is already in POC with a Tier-1 Telco, and is readily available as a premium service for both new and existing installations.
Feel free to contact us if you need more info!