The internet has been recovering from high profile DDoS attacks on Friday that took down Dyn (the DNS provider to Reddit, Spotify, SoundCloud and a multitude of other sites). In the media, the blame for this attack has been firmly placed on IoT devices and as a supplier of connectivity to IoT and M2M devices, we are keen to share advice on how devices should be secured.
The following methods and tactics have been developed from our experience and if used, should prevent the IoT devices from becoming infected with the Mirai malware.
Beyond the altruism of protecting others (and yourself) from potential DDoS attacks, securing your device and connectivity delivery will also improve the device in the following ways:
- Data delivery success rate
- Prevention of costs from malicious use
- Securing your brand reputation
- Ensuring your IP addresses are not blacklisted
- Unique username and passwords
As a manufacturer or designer of a connected device you cannot rely on the end user securing the device for you. Setting a unique username and password in the factory is the bare minimum, preferably you should insist these are changed when the device is first powered on (whether this is completed by the end user or remotely by the management company). A mistake common in the compromised devices was that the web interface username and password were separate to the command line versions; even the most security conscious end users wouldn’t have been able to secure the devices.
- Protect your device
The device should run a number of monitoring functions that look for potentially malicious interactions from unknown IP addresses. This will prevent a bot from trawling the internet and repeatedly trying to guess the username and password. The device needs to be regularly updated and its security analysed. Leaving a device unsupported for any length of time raises the potential of the device being compromised.
- Protect your server
If you run your own server (not cloud based) ensure the server is correctly maintained and secured. At the device level ensure the data from your devices is recognisable and as difficult to spoof as possible. This can be achieved in a number of ways, for example, a secure VPN from device to server and encrypting the packets or locking down the addresses that send to the server.
- Understand the complete chain of communication with your devices.
Work with your connectivity supplier to log all communications paths and understand the dependencies. Installing a secure VPN tunnel to your datacentre is helpful, but do the devices also have an external dependency? Test a subset of devices by removing their ability to access certain services. Do they fail? Do they fail gracefully? And do they recover without needing human intervention?
- Connectivity security is crucial
While IoT/ M2M devices are in their infancy, stories like the Dyn DDoS are likely to continue. However, security must remain a key element of the deployment strategy and currently does require additional time and resource, particularly to deploy at scale.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.