StarHub Attack Raises IoT Security QuestionsVolume of Infected Devices, Lack of IoT Standards Are Cause for Concern
Security experts are concerned that there may be millions of infected internet of things devices, given the intensity of recent distributed denial-of-service attacks such as the one that hit Singaporean ISP StarHub last week (see: DDoS Attacks Also Slammed Singapore ISP's DNS Services).
Investigations continue to determine whether any links exist between the StarHub attacks and previous Mirai botnet assaults that hit DNS service provider Dyn on Oct. 21. The perpetrators and motives as yet remain unknown (see: Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
More such attacks can be expected unless IoT device security is ramped up and standardization enforced. An attack this severe means millions of connected devices may now be outside the control of the original owners, says Pierre Noel, chief security and privacy officer at communications technology vendor Huawei. For instance, in the case of the Dyn attack alone, in a blog post following the attack, Dyn shared analysis that it had observed "tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
DDoS affects two categories of users: the targets and the owners of the devices used to launch the attack. "Let's make no mistake: The problem for me is not so much DDoS on the receiving end - DDoS attacks are very well known, not very sophisticated in their nature, and can be deflected reasonably easily," Noel says. "The problem is those millions of devices that are infected, and therefore controlled by the 'bad guys.'" He says this will affect societies like Singapore that are experiencing a pervasive use of internet and technology.
Following close on the heels of the Mirai botnet DDoS attack on DNS service provider Dyn, Singaporean ISP StarHub was hit by two separate DDoS attacks that affected its DNS services for several hours, bringing down its home broadband service. In a statement, StarHub said it was able to mitigate the attacks within hours and restore services on both occasions and blamed the attacks on malware-infected IoT devices owned by customers. StarHub confirmed in a follow-up statement that it would send technicians to help customers secure these devices.
However, Michael R. K. Mudd, managing partner at Hong Kong-based Asia Policy Partners, says the problem cannot be blamed on the consumer if they are buying products in good faith. StarHub shifting blame to their customers will not prevent it from happening again; customers buying a device or using a service have the reasonable expectation it will be safe, he says.
"It reminds me of Ralph Nader's expose of the 1960s U.S. car industry that were making cars the way they always had without making them safe for the new high speed freeways that had just been built. It was not the consumer's fault they were poorly engineered," Mudd says.
Mudd says he believes that a core requirement for IoT to gain widespread acceptance is that manufacturers need to build devices that are secure by design, and can be updated automatically whenever the device connects to the internet - seamlessly and without human intervention. There is a need today for a standardized enforcement mechanism for IoT - or indeed any connected device, he says (see: IoT: How Standards Would Help Security).
IoT: Security Nonexistent
Aloysius Cheang, executive vice president and managing director APAC , of the not-for-profit industry group Cloud Security Alliance, agrees that security on IoT devices is nonexistent. "The CSA had predicted this new attack vector two years ago," he says. "With number of smart devices set to hit 15.7 billion by 2018, the traditional vectors via mobile and PC combined at 10.4 billion, will pale by comparison," Cheang says, citing the 2016 Ericsson Mobility Report. "We are going to see a tsunami of attacks with similar footprint, and we are all going to be collateral damage."
While the StarHub incident may have only affected IoT devices in households, Cheang says that as connected devices increasingly find use in the enterprise, the threat will become much more relevant to enterprises. Besides, he says, many of these consumer devices such as televisions and refrigerators can also be found in offices today.
Raise Security Visibility
Tom Wills, director at Singapore-based Ontrack Advisory, agrees, saying: "More such attacks can only be expected to continue in the future, and no country on earth is immune. The StarHub incident highlights the global nature of cyber threats against operators of critical infrastructure services."
While security readiness across Asia against DDoS, data breach and other key threats varies greatly by country, in general a high state of readiness is only developed after a major incident has taken place, he says. This results in a far more costly program of security controls than would be necessary had a proactive approach been taken.
Wills advises that practitioners build adequate defenses proactively, through an continuing process of risk assessment, vulnerability scanning and penetration testing, and deployment of comprehensive enterprise security controls in line with global standards such as COBIT and ISO 27001.
"Most security practitioners are already well aware of this: The issue they face is a lack of adequate funding and top management support for their programs, without which strong security to prevent, detect and respond to the kind of incident that StarHub suffered is very difficult to put in place," Wills says, adding that security professionals should work to raise the visibility of security issues to the top management - in business terms, not technical terms.