Cyber attacks targeting IoT (Internet of Things) devices are increasing rapidly as more people and organizations deploy them. IoT devices that are connected to the Internet without a password set, or that are left running with their factory settings, are likely to be the next targets. Several incidents have already occurred, some of which were covered on this website, showing that security measures for IoT devices are urgently needed. A typical enterprise network has protection at several layers, such as firewalls, IDS/IPS (Intrusion Detection System / Intrusion Prevention System), and anti-malware. IoT devices, however, are often connected to the Internet with no such protection; at worst, the device itself opens ports on the firewall using UPnP (Universal Plug and Play). This creates exposure that should not exist in the first place, and would not if hardware vendors stopped prioritizing convenience over security in their default settings.
Some IoT devices used in critical infrastructure have insufficient security measures, and such devices are attractive targets for malicious attackers. As a result, malware infections of IoT devices have increased rapidly in recent years.

Why are IoT Devices Targeted?

Although IoT devices are limited in function and performance, they can be misused in ways their developers did not intend. Moreover, unlike corporate systems, their operation is usually not monitored, and they have a long life cycle.
Although one might vaguely picture an IoT device as nothing more than sensors and a communication module, many IoT devices are computers in their own right. They have a CPU and memory, an OS, and an application running on that OS that implements the device's functions. They also run a web server and a Telnet server so that they can be controlled remotely over the Internet.
The problem lies in this web server or Telnet server. They are, of course, protected by a username and password, but they are often used with the initial settings unchanged. For example, numerous IoT devices are deployed with the default ID/password, typically username "admin" and password "admin"; if the device is used as is, the ID/password is effectively public knowledge. Unauthorized login therefore succeeds very easily, and in a short time the device is infected with malware and used as a springboard for attacks.
Large-scale malware infections of this kind have already occurred, and damage has been reported. One example is the malware called "Mirai." When Mirai infects an IoT device, it downloads a bot from a command and control server while scanning for the next device to infect. The bot then waits for instructions from the command and control server and takes part in DDoS (Distributed Denial of Service) attacks, for example by sending large numbers of HTTP requests or UDP packets. With Mirai, the number of infected IoT devices is large enough to bring down a targeted site's services with ease.
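The infection path described above (repeated login attempts with common usernames against a device's Telnet service, followed by a successful login) leaves a visible trace in device or gateway logs. The following detector is an added example, not code from the article or from any IoT vendor; it runs over constructed sample lines in an assumed "<time> <device> telnetd: login <ok|failed> user=<name> from=<ip>" layout and raises one alert when a source crosses a failure threshold and another when a login succeeds after failures from the same source, the pattern a defender would want to catch before the bot download completes.

```python
"""Flag Mirai-style credential guessing in Telnet login logs.

Added example, not from the article. The log format below is an assumption:
real devices and syslog collectors use their own layouts, so LINE_RE is the
only part that needs adapting.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). A single source tries several
# common usernames against cam-01 and finally succeeds as "admin".
SAMPLE_LOG = """\
12:00:01 cam-01 telnetd: login failed user=root from=203.0.113.5
12:00:02 cam-01 telnetd: login failed user=admin from=203.0.113.5
12:00:03 cam-01 telnetd: login failed user=support from=203.0.113.5
12:00:04 cam-01 telnetd: login failed user=user from=203.0.113.5
12:00:05 cam-01 telnetd: login ok user=admin from=203.0.113.5
12:05:00 cam-02 telnetd: login ok user=admin from=192.0.2.10
12:06:00 cam-01 telnetd: login failed user=admin from=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<device>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def detect(text, threshold=3):
    """Return a list of alerts found in the log text.

    - "credential_guessing": a (device, source) pair reached `threshold`
      failed logins; the alert lists the usernames tried so far.
    - "login_after_failures": a successful login from a source that had
      already failed against the same device, a strong compromise indicator.
    """
    failures = defaultdict(list)  # (device, src) -> usernames that failed
    alerts = []
    for event in parse_log(text):
        key = (event["device"], event["src"])
        if event["result"] == "failed":
            failures[key].append(event["user"])
            if len(failures[key]) == threshold:  # fire once, at the threshold
                alerts.append({
                    "type": "credential_guessing",
                    "device": event["device"],
                    "src": event["src"],
                    "users_tried": sorted(set(failures[key])),
                    "at": event["time"],
                })
        elif failures[key]:
            alerts.append({
                "type": "login_after_failures",
                "device": event["device"],
                "src": event["src"],
                "user": event["user"],
                "failures_before": len(failures[key]),
                "at": event["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold is deliberately low: a legitimate operator rarely fails three times with three different usernames, while a scanner cycling a default-credential list does so within seconds. The second alert type matters more than the first, because a success after guessing means the default password was still in place and the device should be isolated and reset.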
IoT devices with insufficient security measures can lead not only to malware infection but also to information leakage. In one reported case, a system intended to be monitored via the Internet also left its management screen accessible, and the facility's name and operating status are said to have been viewable on that screen.
So how should IoT devices be secured? For devices already in circulation, at a minimum the default ID/password must be disabled or the web server and Telnet server services stopped. In some cases the latest firmware version must be obtained from the manufacturer and applied. Devices that are already infected should be removed from the network immediately and reset to their initial state. For older devices that have no recovery path, replacing them with new ones is the best solution.
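The remediation steps above (disable default credentials, stop Telnet and web management, apply vendor firmware, isolate and reset infected devices, replace devices with no recovery path) can be turned into a posture check over a device inventory. The script below is an added example, not from the article; the inventory records, their field names, and the version format are constructed assumptions, and in practice the records would come from a CMDB or a scan of the management network. It also covers the UPnP exposure mentioned at the start of the article.

```python
"""Posture check for an IoT device inventory, mapped to the article's steps.

Added example, not from the article. Record fields (name, username, password,
services, internet_exposed, upnp_enabled, firmware, latest_firmware, infected)
are assumptions chosen for this illustration.
"""

# Factory credential pairs to flag. "admin"/"admin" is the pair the article
# cites; a real check would load the vendor's documented defaults.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin")}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def firmware_outdated(installed, latest):
    """True when the vendor publishes a newer version than the one installed."""
    if latest is None:  # vendor no longer provides firmware
        return False
    return parse_version(installed) < parse_version(latest)


def assess_device(dev, known_defaults=KNOWN_DEFAULT_CREDENTIALS):
    """Return (severity, issue, action) findings for one device, most severe first."""
    findings = []
    if dev.get("infected"):
        if dev.get("latest_firmware") is None:
            findings.append(("critical", "infected, no vendor recovery path",
                             "isolate from the network and replace the device"))
        else:
            findings.append(("critical", "infected",
                             "isolate from the network, factory reset, reprovision"))
    if (dev["username"], dev["password"]) in known_defaults:
        findings.append(("critical", "factory default credentials",
                         "set a unique password or disable the default account"))
    services = set(dev.get("services", []))
    if "telnet" in services:
        findings.append(("high", "Telnet service running",
                         "stop the Telnet service"))
    if "http" in services and dev.get("internet_exposed"):
        findings.append(("high", "web management reachable from the Internet",
                         "stop the web server or restrict it to the management network"))
    if dev.get("upnp_enabled"):
        findings.append(("medium", "UPnP enabled",
                         "disable UPnP so the device cannot open firewall ports itself"))
    if firmware_outdated(dev["firmware"], dev.get("latest_firmware")):
        findings.append(("medium",
                         f"firmware {dev['firmware']} behind {dev['latest_firmware']}",
                         "apply the manufacturer's latest firmware"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])  # stable: keeps insertion order within a level
    return findings


def assess_inventory(inventory):
    """Map device name -> findings for every record in the inventory."""
    return {dev["name"]: assess_device(dev) for dev in inventory}


# Constructed inventory for the example (not real devices).
INVENTORY = [
    {"name": "cam-01", "username": "admin", "password": "admin",
     "services": ["telnet", "http"], "internet_exposed": True, "upnp_enabled": True,
     "firmware": "1.0.2", "latest_firmware": "1.0.10", "infected": False},
    {"name": "cam-02", "username": "admin", "password": "changed-unique-password",
     "services": ["http"], "internet_exposed": False, "upnp_enabled": False,
     "firmware": "1.0.10", "latest_firmware": "1.0.10", "infected": False},
    {"name": "dvr-legacy", "username": "admin", "password": "admin",
     "services": ["telnet"], "internet_exposed": True, "upnp_enabled": False,
     "firmware": "2.3", "latest_firmware": None, "infected": True},
]


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for severity, issue, action in findings:
            print(f"  [{severity}] {issue}: {action}")
```

Two details are easy to get wrong: versions must be compared numerically (as strings, "1.0.2" sorts after "1.0.10"), and a device whose vendor no longer ships firmware is not "up to date" but unsupported, which is why an infected, unsupported device gets the replace action rather than a reset.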