Weak IoT Defenses Fueling DoD Security Challenges

A recent study showing just how easy it is to hack into Internet of Things (IoT) devices–and to use that access to gain entrance to a larger network–focused on commercial products used in the home. However, it could serve as yet another wake-up call for the Department of Defense and other government agencies that are increasingly relying on IoT.

DoD, after all, is expanding its use of commercial IoT devices as part of its networks. Its use of drone aircraft, ground sensors, wearable devices, cameras, smartphones, tablets, and other information-sharing tools is only growing, to the point where the Army is working on a framework for the Internet of Battlefield Things. The department’s security policies for the IoT, however, have so far lagged behind deployment.

The most recent study, by cybersecurity researchers at Ben Gurion University of the Negev (BGU), said it was “frightening” how easily they could hack into home security cameras, thermostats, baby monitors, and even doorbells. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat, and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” Dr. Yossi Oren, head of the university’s Implementation Security and Side-Channel Attacks Lab, said in reporting the results.

The weak links in BGU’s research were device passwords, which often are preset by the manufacturer and then ignored by users. In most cases, researchers found passwords in 30 minutes by Googling the brand, and found that different brands of the same products share the same passwords. After gaining access to one device, they could then take control of others–building a network of remote controlled cameras, for instance–or gain network access via Wi-Fi connections.

BGU’s results echo those of other researchers, such as BullGuard’s Tossi Atias, who last year demonstrated how he could hack into an ostensibly secure home by easily compromising IoT devices. IoT hacking, which also can be used in distributed denial-of-service attacks, has been on the rise for several years.

“Symantec established an IoT honeypot in late 2015 to track attack attempts against IoT devices,” the company said in its 2017 Internet Security Threat Report. “Data gathered from this honeypot shows how IoT attacks are gathering steam and how IoT devices are firmly in the sights of attackers.” Attacks on the honeypot almost doubled from January to December 2016, with the hourly average of unique IP addresses were hitting the honeypot going from almost 4.6 every hour in January to just over 8.8 in December. During peak activity of the Mirai botnet, attacks on the honeypot were taking place every two minutes.”

Home vulnerabilities are scary enough, with Gartner predicting 21 billion IoT devices in use by 2020, but DoD also has reason to be concerned–not least of all because it makes use of commercial products. The recent revelation that fitness tracking devices could be used to display the locations of military and national security personnel is just one example. A Government Accountability Office (GAO) report last year detailed the risks of connected devices, and said DoD’s policies on managing the IoT weren’t enough to handle the dangers.

Many IoT devices such as cameras, wearable monitors, and smart televisions typically have a spare amount of encryption and a limited capacity to handle upgrades or patches which can affect their security, GAO said. That limited security makes them vulnerable to both hacking and insider misuse. Meanwhile, responsibility for IoT security is dispersed among the DoD CIO; the assistant secretary of Defense for Energy, Installations and Environment; the undersecretary of Defense for Intelligence; and the Defense Information Systems Agency (DISA), to name a few offices.

GAO found that DoD’s policies also don’t cover data sharing via third-party apps that are added to devices, and needs to expand its cybersecurity best practice policies specifically to IoT devices.

The department hasn’t ignored IoT security, the report said, noting that DoD has already identified numerous IoT risks, and conducted some assessments with regard to infrastructure and intelligence assessments. But a more comprehensive, adaptable set of policies is needed.

DISA’s Security Technical Implementation Guides (STIGs) also enforce security by setting configuration standards for network and wireless devices, along with operating systems (including mobile operating systems), database apps, open-source software, and virtual software.

The National Institute of Standards and Technology (NIST) just released an interagency report recommending international standards for IoT devices, from consumer devices and health care processes to energy management and connected vehicles.

One thing to keep in mind is that securing the IoT, considering the ubiquity and variety of its components, isn’t quite like securing other systems. “Through analysis of the application areas, cybersecurity for IoT is unique, and will require tailoring of existing standards, as well as, creation of new standards to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety,” the report said.

Recent