
7 December 2018

Nokia, Trend Micro show IoT security still trash

Two reports have arrived that show how far the IoT still has to go in terms of security. Nokia has found that CSPs are failing to control the number of infected devices on their customer networks, and Trend Micro managed to intercept millions of messages sent using two backbone IIoT protocols – MQTT and CoAP. It’s a painfully familiar story, unfortunately, and one that still shows no real sign of changing.

Nokia’s Threat Intelligence Report, the 2019 edition, found that IoT botnet activity accounted for 78% of malware detections in CSP networks over the past year. That’s more than twice the 2016 figure (33%), when these botnets first reared their heads. IoT botnets now account for 16% of infected devices in CSP networks, up from 3.5% last year.

The silver lining is that this could be read as proof that IoT devices are finally gaining some traction in the market, but there’s a pretty big downside if infected devices are capable of knocking CSP networks offline. Deutsche Telekom is the best example of such concerns, having been struck by a Mirai variant in 2016 and eventually seeing the hacker responsible convicted.

Nokia’s findings are based on its network monitoring systems, which it says have seen 150mn devices this year; specifically, the data comes from its NetGuard Endpoint Security service. On that note, Riot Research has just published its own endpoint security forecast.

Unsurprisingly, much of the malware is geared towards cryptocurrency mining, hijacking compromised devices and forcing them to run calculations that might be rewarded by one of the myriad blockchain-based digital currencies. Nokia warns that such infections have expanded from targeting high-end servers to IoT and mobile devices, presumably on the basis that a wide enough net makes a dozen weak IoT devices as useful as one hijacked PC.

Nokia is of the opinion that 5G networks will accelerate IoT adoption, and concludes that this is only going to exacerbate the problem at hand. While we think 5G is going to take rather a lot longer to arrive at the scale needed to properly justify this position, the two are going to be growing alongside each other for quite some time.

To this end, companies need to do something about the growing number of risks, and wouldn’t you just know it, Nokia has an answer for that. Beyond the obvious marketing purpose of the report, Nokia does provide some fairly transferable advice. It warns that attackers are becoming increasingly sophisticated, with scanning tools that can quickly identify and exploit devices; Kevin McNamee, director of Nokia’s Threat Intelligence Lab, warns that a vulnerable device connected to the internet will be exploited within a matter of minutes.

Nokia attributes this shift to attackers turning their attention away from mobile and fixed networks in 2018 and towards softer targets such as IoT devices. It also says the lower rate of attacks on mobile and fixed networks reflects better protection of those networks, as well as mobile devices being designed with security in mind.

That would be encouraging news were it not for the sheer number of IoT devices expected to be added over the next few years. No amount of improvement in the CSP sector would be enough to mitigate the torrent of cheap but deadly IoT devices, which could become a veritable plague.

The report is available here, should you wish to dive deeper, but there are a number of providers in the market that would like to sell you the equivalent of Nokia’s NetGuard platform. Cybersecurity is proving a popular realm for AI-based technologies, which can be used to spot patterns among huge amounts of data, and so warn customers about looming threats or pre-emptively take action. To this end, it’s something of a greenfield opportunity, but convincing leadership to spend money on security is often quite an uphill battle.

“Cyber criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed. You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought,” said Kevin McNamee, director of Nokia’s Threat Intelligence Lab, and lead author of the report.

Away from the CSP world, Trend Micro decided to take a look at MQTT and CoAP, two machine-to-machine messaging protocols that are proving popular in the Industrial IoT. What it found was somewhat alarming: some simple sleuthing led the firm to exposed MQTT brokers and CoAP servers that leaked over 200mn and 19mn messages, respectively.

The discovery came from a scan of the internet, which turned up hundreds of thousands of MQTT brokers and CoAP servers reachable via public IP addresses – meaning anyone could poke them. Trend Micro notes that finding them was straightforward enough, given the inherent openness of the protocols and the fact that they can be searched for on the ever-popular Shodan. It’s comparable to leaving an AWS S3 bucket publicly readable: someone just has to find it and they can begin tinkering, since a broker that accepts anonymous connections will hand its message stream to whoever subscribes.

In terms of regional results, the USA was worst for MQTT, with over seven times as many exposed brokers as second-place China: 154,945 against 21,844. Hong Kong took third with 8,514, followed by Germany on 8,260, and Taiwan’s 6,922 rounded out the top five. Interestingly, CoAP was dominated by China, which took first with 423,139 exposed servers. Second-place USA had “only” 10,635, with Russia third on 3,360, France fourth on 660, and Canada fifth with 429.

In terms of practical risks, it’s not just data leakage that you should be concerned about. Trend Micro found that a vulnerability in the most popular MQTT broker, Mosquitto, could allow a malicious client to push invalid data through the broker and, by flooding it with messages, leave subscribed clients stuck with that malicious message.

Feasibly, this could be used to cause outages in machinery, by letting a controller think everything is running optimally when, in fact, a component is overheating. You can get up to a lot of mischief this way, but you would probably need to be pretty knowledgeable about the device or machine you are attacking.

Trend Micro also found personally identifiable information inside some of the leaks, one of the most glaring coming from a system that was ordering taxi and car-sharing rides for a business. The email addresses in the data, combined with the timestamps, would let someone listening in know who was headed where and when.

Manufacturing leaks were also found, including from Programmable Logic Controllers (PLCs) that were pushing their telemetry data, along with their requests for maintenance, out into the big wide world. Combine that information with the message flooding above and you could feasibly work a machine to catastrophic failure, provided no one notices it missing a service interval.

In terms of key takeaways, Trend Micro warns that CoAP is still a young and evolving standard, and that neither protocol validates the payloads it carries: the broker or server passes the bytes through as-is, so data validation is left entirely to the application on each end. It says risk assessments are vital, and its report illustrates why. It’s well worth your perusal, as is Akamai’s State of the Internet report, which dropped just as we rounded out this article.
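Since neither protocol checks what is inside a message, the only place to enforce that a reading makes physical sense is the consumer, which is what makes the unchecked PLC telemetry and the stuck-message scenario above dangerous. The following Python is an added illustration, not code from the Trend Micro report or from any PLC vendor, of the checks a subscriber should run before a controller acts on a reading: topic shape, size, encoding, JSON structure, the exact field set, plausible ranges and timestamp freshness. The topic layout, field names, limits and sample messages are hypothetical and constructed for the example.

```python
"""Subscriber-side validation of telemetry payloads (added example, not from the page)."""
import json
import re

# Hypothetical topic layout and sensor limits; MQTT and CoAP themselves enforce none of this.
TOPIC_PATTERN = re.compile(r"^plant/[a-z0-9-]+/line[0-9]+/telemetry$")
MAX_PAYLOAD_BYTES = 512
MAX_AGE_SECONDS = 60
LIMITS = {  # physically plausible ranges for each expected field
    "temperature_c": (-40.0, 150.0),
    "rpm": (0.0, 6000.0),
}


def _is_number(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_telemetry(topic: str, payload: bytes, now: float):
    """Return (accepted, reason). Only accepted readings should reach the controller."""
    if not TOPIC_PATTERN.match(topic):
        return False, "unexpected topic"
    if len(payload) > MAX_PAYLOAD_BYTES:
        return False, "payload too large"
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return False, "payload is not valid UTF-8"
    try:
        msg = json.loads(text)
    except json.JSONDecodeError:
        return False, "payload is not JSON"
    if not isinstance(msg, dict):
        return False, "payload is not a JSON object"
    ts = msg.get("ts")
    if not _is_number(ts):
        return False, "missing or non-numeric timestamp"
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False, "stale or future-dated reading"
    for field, (low, high) in LIMITS.items():
        value = msg.get(field)
        if not _is_number(value):
            return False, "missing or non-numeric %s" % field
        if not low <= value <= high:  # also rejects NaN and Infinity, which json.loads accepts
            return False, "%s out of physical range" % field
    extra = set(msg) - set(LIMITS) - {"ts"}
    if extra:
        return False, "unexpected fields: %s" % ", ".join(sorted(extra))
    return True, "ok"


# Constructed sample messages; NOW is 7 December 2018 00:00:00 UTC as a Unix timestamp.
NOW = 1544140800
SAMPLES = [
    ("plant/north/line3/telemetry", b'{"ts": 1544140790, "temperature_c": 71.5, "rpm": 1480}'),
    ("plant/north/line3/telemetry", b'{"ts": 1544137200, "temperature_c": 71.5, "rpm": 1480}'),
    ("plant/north/line3/telemetry", b'{"ts": 1544140790, "temperature_c": 900, "rpm": 1480}'),
    ("plant/north/line3/telemetry", b'{"ts": 1544140790, "temperature_c": NaN, "rpm": 1480}'),
    ("plant/north/line3/telemetry", b'\xff\xfe{"ts": 1544140790}'),
    ("plant/north/line3/telemetry", b'{"ts": 1544140790, "temperature_c": 20, "rpm": 0, "cmd": "stop"}'),
    ("plant/north/line3/telemetry/../cmd", b'{"ts": 1544140790, "temperature_c": 20, "rpm": 0}'),
]


def run_samples(now: float = NOW):
    """Validate every constructed sample; returns the list of (accepted, reason) pairs."""
    return [validate_telemetry(topic, payload, now) for topic, payload in SAMPLES]


if __name__ == "__main__":
    for (topic, payload), (ok, reason) in zip(SAMPLES, run_samples()):
        print("ACCEPT" if ok else "REJECT", topic, reason)
```

Only the first sample survives; the freshness check is what defeats a replayed or endlessly repeated “all is well” reading of the kind the flooding scenario relies on, and the range check is what stops a single malformed value from being acted upon.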