EDITOR'S QUESTION
MIKE AHMADI, CISSP, GLOBAL DIRECTOR – IOT SECURITY SOLUTIONS AT DIGICERT
Data is the new currency. In fact, most of our financial transactions today are pure data exchanges. Add to that corporate intellectual property, customer lists, demographic information, usage statistics and so on: the list goes on, and all of it represents both a huge commercial opportunity and a prime target for criminals.
Alongside data, Internet of Things (IoT) devices are coming to market at an exponential pace. Nearly everything, from appliances to vehicles to children's toys, is being fitted with network connectivity to create new business models.
These examples speak to the sheer volume of data that can be attacked, and that volume has drawn in both criminal syndicates and independent bad actors. Alarmingly, the learning curve for a would-be cybercriminal is trivial. For example, many Internet-facing systems contain hard-coded passwords for use by service technicians, and many of these can be found simply by browsing readily available service manuals. A hard-coded password cannot be changed by the owner, so every unit of that model shares the same secret and a single leaked manual exposes all of them. This issue has been known for decades and continues today; as the price of networking equipment has dropped, the number of devices shipping with hard-coded passwords has become staggering.
Where hard-coded passwords are avoided, a default password is often used instead. This can be as rudimentary as a single common default for a whole device type, or something only slightly harder, such as the device's serial number. Since many users never change the password on a device they consider low risk, an attacker can use readily available search tools to find common devices on the Internet, or simply cast a wide net and see what comes up. Where the serial number is used, serials are often sequential, so the attacker only needs to work out the alphanumeric numbering scheme and write a simple script to cycle through them; the effective password space collapses from whatever the serial's length suggests to roughly the number of units actually shipped.
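The sweep described above, as an added example that is not part of the article or DigiCert's material. The serial format ("CAM-" followed by six zero-padded digits), the rule that the default password is the serial's trailing digits, and the device fleet are all constructed for illustration and do not describe any real vendor. The script shows three things a practitioner would want to see: how few login attempts a blind sweep needs once the numbering scheme is known, the entropy gap between a sequential counter and a per-device random password, and an acceptance check a vendor or buyer can run to flag a serial-derived default.

```python
"""Added example (not from the article): enumerating a sequential-serial
default-password scheme, and the check that catches it.
Everything here is constructed: the serial format "CAM-" + 6 zero-padded
digits and the rule "default password = last six digits of the serial"
are hypothetical, not any real vendor's scheme."""
import math
import re
import secrets
import string


def serial_candidates(prefix, start, count, width):
    """The sequential serials an attacker cycles through once the scheme is known."""
    return [f"{prefix}{n:0{width}d}" for n in range(start, start + count)]


def derive_default_password(serial):
    """Hypothetical vendor rule: the default password is the serial's trailing digits."""
    return serial[-6:]


def guess_fleet(fleet, candidate_serials):
    """Blind sweep over a fleet. fleet maps serial -> the device's real password.
    Returns serial -> attempt number at which the derived guess logs in,
    or None if no candidate matches (e.g. the owner set a random password)."""
    guesses = [derive_default_password(s) for s in candidate_serials]
    found = {}
    for serial, actual in fleet.items():
        found[serial] = next(
            (i for i, g in enumerate(guesses, start=1) if g == actual), None)
    return found


def sequential_keyspace_bits(width):
    """Entropy an attacker faces when the password is a zero-padded decimal counter."""
    return math.log2(10 ** width)


def random_password_bits(length, alphabet=string.ascii_letters + string.digits):
    """Entropy of a per-device password drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def random_default_password(length=12, alphabet=string.ascii_letters + string.digits):
    """What the vendor should ship instead: a per-device secret from a CSPRNG,
    printed on the label and unrelated to the serial."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def flag_serial_derived_password(password, serial, min_overlap=4):
    """Acceptance check: True if the default password is the serial, a piece of it,
    or contains it, after stripping separators and case."""
    def norm(s):
        return re.sub(r"[^a-z0-9]", "", s.lower())
    p, s = norm(password), norm(serial)
    if len(p) < min_overlap or not s:
        return False
    return p in s or s in p


def build_constructed_fleet():
    """Five devices on the weak scheme plus one whose owner set a random password.
    All values are constructed for the example."""
    fleet = {s: derive_default_password(s)
             for s in serial_candidates("CAM-", 120, 5, 6)}
    fleet["CAM-000999"] = "Xq7vL2pW9zK4"   # constructed random password
    return fleet


if __name__ == "__main__":
    fleet = build_constructed_fleet()
    sweep = guess_fleet(fleet, serial_candidates("CAM-", 0, 1000, 6))
    for serial, attempts in sweep.items():
        status = "not cracked" if attempts is None else "cracked on attempt %d" % attempts
        print(serial, status)
    print("6-digit counter: %.1f bits; 12-char random: %.1f bits"
          % (sequential_keyspace_bits(6), random_password_bits(12)))
    for serial, pw in fleet.items():
        print(serial, "serial-derived default?", flag_serial_derived_password(pw, serial))
```

Running it shows the five counter-based devices falling on attempts 121 to 125 of a thousand, while the device with a random password never matches; the entropy line makes the same point numerically (about 20 bits for a six-digit counter versus about 71 for twelve random alphanumerics). The `flag_serial_derived_password` check is the one to run over a sample of labels before accepting a batch of devices.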
Many end-users of connected IoT devices are unable to quantify risk. Recently, a Las Vegas casino had its high-roller database hacked through an Internet-connected aquarium thermometer in the casino. The attackers exploited a vulnerability in the thermometer to get onto the casino network and then simply pivoted to what they wanted. It would not normally occur to anyone that an aquarium thermometer would be a target, but what many forget is that opportunist attackers look for the easiest way in, and a forgotten device sitting on the same network as the assets that matter is exactly that.
Unfortunately, IoT device manufacturers are not compelled by any law to include essential security such as strong, certificate-based (PKI) authentication. The infamous Mirai botnet is the textbook example: it recruited its devices by logging in with factory default credentials that owners had never changed, in the belief that such devices were not juicy targets.
The problem persists, and it will get a lot worse until regulators step up and start treating security flaws the way they treat safety issues. Failures can and do have a very real kinetic effect. Device manufacturers need to take more proactive measures, and end-users must become more educated and less trusting of the devices they add to their networks. Until that happens, we can rest assured that criminals will flourish in an ever-growing world of IoT.
INTELLIGENTCIO