History and literature are scattered with legends of vigilante justice ranging from Robin Hood to the wild west of the America frontier. When conventional law enforcement was corrupt or non-existent, characters on society’s fringes would act on their own. Sometimes stealing from the rich and giving to the poor and sometimes stealing from the rich and just keeping it.
A more contemporary hacker-turned-vigilante, naming himself, The Janitor, recently launched a cyberattack largely targeting IoT devices lacking enforcement of basic network security. Most of the devices did not compel the user to take basic precautions like changing the default credentials or adopting an encryption key. The premise of the attack was to modify critical firmware and data on the IoT device to either disable or enlist it in future network attacks.
In an often-confusing manifesto, The Janitor compared himself to a doctor and described his attack as extreme cyber chemotherapy ridding us of the network devices currently making the Internet “seriously ill”.
Citing as justification the recent Mirai attack, when countless unsecured IoT devices were unwittingly enlisted in DDoS botnet attacks that inconvenienced millions by shutting down the websites of major companies, the Janitor/Doctor rationalized that unprotected IoT devices leave us all vulnerable to cyber-attacks which can inflict serious damage on us as a society. The Janitor/Doctor would have us believe that by revealing the vulnerabilities and shutting them down helps rid the Internet of unsecured devices and encourages us to prevent similar attacks in the future.
Device Security Requirements
Despite his criminal methodology, the Janitor’s actions remind us that device OEMs are responsible for designing security in at the factory, not leaving it up to end users to scramble to find a solution. IoT device security designers must consider the potential costs of a security failure (including the company’s reputation), the likelihood of attack, possible attack vectors, and the cost of implementing a security solution.
Security capabilities needing consideration are:
- Secure boot
- Secure firmware updates
- Secure (encrypted) communication
- Data at rest protection
- Intrusion detection
- Key and certificate management (PKI)
- Authentication (two-factor authentication should be considered)
- Integration with security management systems
A security framework, such as the Floodgate Security Framework for one example, provides an integrated suite of security building blocks.
The Doctor’s actions, while clearly illegal, highlight an important issue. Until companies appreciate the risk involved in distributing unsecured devices, cyber-attacks will continue to occur. Regardless of the motivation behind the attack, ultimately, it is those OEMs producing products lacking even basic security that are mostly to blame.
About the author
David West is the Engineering Director of Icon Labs, a provider of security software for IoT and embedded devices. Icon Labs is focused on creating The Internet of Secure Things by providing a security from for even the smallest IoT devices. You can reach David at firstname.lastname@example.org