Nokia reveals major IoT device security vulnerabilities but solutions prove elusive
- Mirai botnet attacks exploited the use of the telnet protocol in IoT devices
- The 48-year-old protocol has gained a new lease of life with IoT
- Too many IoT devices still use telnet for remote management
- The only protection appears to be monitoring for abnormal login attempts
Nokia’s latest bi-annual “Threat Intelligence Report” was released this morning by its Threat Intelligence Lab, with an accompanying media briefing claiming that it reveals a new “all-time high in mobile device malware infections, a sharp increase in compromised smartphones and major IoT device security vulnerabilities”. It’s the last category that TelecomTV is most interested in, yet the report’s actual coverage of it is disappointingly fleeting.
The report focuses its sole IoT attention on the Mirai botnet attacks. It provides a historical summation of what happened in 2016 and how the Mirai botnet led to several major distributed denial of service (DDoS) attacks. It covers how Mirai “recruited” an army of IoT bots by simply guessing device passwords (as has been reported elsewhere at length, many low-cost smart home devices come with ridiculously simple factory-set logins and passwords, which are never changed by the user).
The report also confirmed that there were three initial DDoS attacks, followed by November’s attack on almost one million of Deutsche Telekom’s residential routers, which used a modified version of Mirai aimed at the TR-069 application layer protocol used for remote management of end-user devices – no routers were actually infected by Mirai; rather, they crashed during the attempts.
The report did, however, partially explain how Mirai and IoT are linked. Leaving aside the second function of Mirai, which is to launch DDoS attacks, the relevant part to IoT is the first function – finding victims and spreading its code. Mirai scans the Internet for devices that have an open telnet service running (telnet originates in the late 1960s and is a TCP/IP protocol that allows a user on one computer to remotely log into another computer that is part of the same network, hence TErminaL NETwork). Thankfully, telnet is long past its prime, and the vast majority of modern servers and network equipment no longer support the protocol. However, this is not true of IoT devices.
Many IoT devices today use telnet for remote management, given that these devices are often widely dispersed and physical management is nigh on impossible. Hence, they are vulnerable to Mirai’s brute force attempts to guess their default passwords and easily take them over. In fact, it proved so easy that the Mirai criminals (we really should stop romanticising them by calling them hackers) were able to quickly build large botnets.
Nokia’s NetGuard Endpoint Security solution detected these telnet login attempts prior to the DDoS attacks (the one IoT-related graph in the whole report).
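As an added illustration of the “monitoring for abnormal login attempts” the report points to, the following Python flags sources that spray telnet (tcp/23) login failures across many devices within a short window, the pattern Mirai’s credential guessing produces, and notes whether a login later succeeded from that source. This is example code written for this article, not Nokia’s NetGuard or anything from the report; the log format, addresses, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of telnet (tcp/23) authentication events as a network
# monitor might export them: "timestamp src_ip dst_ip dst_port outcome".
SAMPLE_EVENTS = """
2016-10-01T12:00:00 203.0.113.10 192.0.2.1 23 FAIL
2016-10-01T12:00:01 203.0.113.10 192.0.2.2 23 FAIL
2016-10-01T12:00:02 203.0.113.10 192.0.2.3 23 FAIL
2016-10-01T12:00:03 203.0.113.10 192.0.2.4 23 FAIL
2016-10-01T12:00:04 203.0.113.10 192.0.2.5 23 FAIL
2016-10-01T12:00:05 203.0.113.10 192.0.2.5 23 SUCCESS
2016-10-01T12:00:10 198.51.100.7 192.0.2.9 23 FAIL
2016-10-01T12:30:00 198.51.100.7 192.0.2.9 23 SUCCESS
2016-10-01T12:00:11 203.0.113.44 192.0.2.9 22 FAIL
""".strip().splitlines()

def parse_events(lines):
    """Parse one event per line into (time, src, dst, port, outcome), sorted by time."""
    events = []
    for line in lines:
        ts, src, dst, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), outcome))
    return sorted(events)

def detect_telnet_scanners(events, window=timedelta(seconds=60), max_fail=4):
    """Flag sources with more than max_fail telnet login failures inside one
    window (Mirai-style spraying of default credentials across many devices).
    Returns {src: {"targets": distinct hosts hit, "fails": count, "success": bool}}.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port, outcome in events:
        if port == 23:  # only telnet; other services are out of scope here
            per_src[src].append((ts, dst, outcome))
    alerts = {}
    for src, evs in per_src.items():
        fails = [(ts, dst) for ts, dst, o in evs if o == "FAIL"]
        for i, (start, _) in enumerate(fails):  # slide the window over failures
            in_win = [d for t, d in fails[i:] if t - start <= window]
            if len(in_win) > max_fail:
                alerts[src] = {
                    "targets": len(set(in_win)),
                    "fails": len(in_win),
                    # a later success after a burst of failures suggests takeover
                    "success": any(o == "SUCCESS" for _, _, o in evs),
                }
                break
    return alerts
```

Running `detect_telnet_scanners(parse_events(SAMPLE_EVENTS))` flags only 203.0.113.10; the single slow failure from 198.51.100.7 and the port-22 attempt are left alone, which is the distinction a monitor needs to make before telling an operator to act.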
So what’s the solution?
“The security of IoT devices has become a major concern,” said Kevin McNamee, head of the Nokia Threat Intelligence Lab, in the accompanying press release. “The Mirai botnet attacks last year demonstrated how thousands of unsecured IoT devices could easily be hijacked to launch crippling DDoS attacks. As the number and types of IoT devices continue to proliferate, the risks will only increase. Nokia’s network-based security can help address this growing threat by detecting activity before a DDoS attack occurs, enabling service providers to take corrective actions that mitigate the impact.”
In other words, it looks like we are going to have to accept the vulnerability of IoT devices in the short to medium term and instead focus on preventing compromised devices from launching attacks on the network itself and on major websites. For the industry, that has to be totally unacceptable in the long term.
The question that we are only just asking, and for which there is no obvious answer yet, is how we make IoT devices more secure. Should this be voluntary, or do we have to mandate standards and their compliance? This is the conclusion of Nokia’s report:
“The industry needs to rethink IoT deployment strategies and invent new ways to protect these devices from abuse going forward. These devices must be securely configured, securely managed and monitored.”
Until that happens, operators are going to be playing catch-up and hoping to catch attacks before they achieve critical mass. Nokia’s report provided no actual numbers or figures to digest, no trend graphs to study, and most importantly no detailed solutions on how to fix these serious issues. That’s a shame, but it’s a reflection of where we are at the moment. Unfortunately, the situation is only going to get worse as the number of cheap IoT devices grows. So who is going to be first to display some real leadership?