Recently, MSPs have been getting urgent calls from clients reporting that wireless printers, security cameras, and remote sensors are not working. Others skipped the calls to their MSPs and just bought new devices, thinking there had been a hardware failure.
The culprit was Silex, the creation of a 14-year-old hacker. However, the consequences of a Silex attack are much more significant than teenage hijinks. The result is a bunch of IoT devices that don’t work and can grind business to a halt.
The good news is that Silex is preventable. The bad news is that the Silex attack highlights the vulnerabilities of IoT devices as they become more common in the workplace. The Silex attacks may get even worse, according to the malware’s teenage author.
For more on Silex and IoT security in general, Smarter MSP caught up with the Hawaiʻi – West Oʻahu Information Security and Assurance faculty. The university was recently ranked in the top 3 percent of cybersecurity programs by a leading firm.
What can an MSP do to protect against brute force attacks on IoT devices?
Silex malware targets specific types of IoT devices. In the case of Silex, the ability to exploit IoT devices was a configuration oversight, as opposed to a technical vulnerability. Login credentials were not changed from their default setting, resulting in unauthorized access to the IoT device.
This type of attack identifies the threats that exist for remote access administration of IoT devices. The Silex malware was able to delete network configurations, terminate network connections, overwrite attached storage media using system-generated random data, and reboot the IoT device, rendering it inoperable.
In addition to adhering to accepted security practices, there are opportunities to establish organizational technology investment strategies that involve minimum security requirements for IoT devices and technologies, such as secure boot process, secure software update, firewall, authentication, and encryption capabilities.
Brute force attacks targeting IoT devices represent an effective attack methodology that is relatively simple to implement and that gains unauthorized access using default or commonly selected authentication credentials.
There is no single method that offers absolute protection against these types of attacks, but an evaluation of the scope and access of IoT devices and services combined with the implementation of established configuration and security practices will provide an increased level of protection. An additional recommendation involves the review and adoption of applicable best practices, standards, and specifications to improve the security and integration of IoT devices and services.
To protect against brute force attacks on IoT, here are some additional steps:
- Limit and control the number of attempted logins to the IoT software.
- Require the default password to be reset and changed to a complex, long password to access the software
- Limit the number of login attempts within 30 minutes
- Block an IP for a length of time after a certain amount of failed logins
- Multi-factor authentication
- Locking an account after a certain number of failed attempts
- Recording all login attempts and limiting which IP addresses can log in to the IoT device.
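The throttling steps in this list, combined into one login guard, as an added example that is not code from the interview or from any IoT vendor: it applies an IP allow list, a 30-minute failure window, a temporary IP block, account lockout, and an audit record of every attempt. The class name, thresholds, block duration, and addresses are assumptions; password reset and multi-factor authentication are outside its scope.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 30 * 60        # the page's 30-minute window, in seconds
MAX_IP_FAILS = 5        # assumed threshold per source IP
MAX_ACCOUNT_FAILS = 10  # assumed threshold per account
IP_BLOCK = 60 * 60      # assumed block duration, in seconds

class LoginGuard:
    def __init__(self, allowed_networks):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.ip_fails = defaultdict(deque)     # ip -> recent failure times
        self.account_fails = defaultdict(int)  # user -> consecutive failures
        self.blocked_until = {}                # ip -> time the block ends
        self.locked = set()                    # accounts awaiting admin unlock
        self.audit = []                        # every attempt, allowed or not

    def attempt(self, now, ip, user, password_ok):
        verdict = self._decide(now, ip, user, password_ok)
        self.audit.append((now, ip, user, verdict))
        return verdict

    def _decide(self, now, ip, user, password_ok):
        if not any(ipaddress.ip_address(ip) in net for net in self.allowed):
            return "denied:ip-not-allowed"
        if self.blocked_until.get(ip, 0) > now:
            return "denied:ip-blocked"      # checked before the password result
        if user in self.locked:
            return "denied:account-locked"
        if password_ok:
            self.account_fails[user] = 0
            return "ok"
        fails = self.ip_fails[ip]
        fails.append(now)
        while fails[0] <= now - WINDOW:     # drop failures older than the window
            fails.popleft()
        self.account_fails[user] += 1
        if self.account_fails[user] >= MAX_ACCOUNT_FAILS:
            self.locked.add(user)
        if len(fails) >= MAX_IP_FAILS:
            self.blocked_until[ip] = now + IP_BLOCK
        return "failed"

def demo():
    guard = LoginGuard(["10.20.0.0/24"])  # constructed management subnet
    r = [guard.attempt(t, "10.20.0.50", "admin", False) for t in range(0, 50, 10)]
    r.append(guard.attempt(60, "10.20.0.50", "admin", True))   # right password, blocked IP
    r.append(guard.attempt(70, "203.0.113.9", "admin", True))  # not on the allow list
    r.append(guard.attempt(80, "10.20.0.7", "admin", True))    # permitted admin host
    return r, guard
```

Because the block and lockout checks run before the password result is considered, a correct guess that arrives after the threshold is still refused, and it still lands in the audit list for review.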
Biggest threats to IoT devices and how to defend against them
A major overall threat to IoT devices in enterprise and office environments is distributed denial of service (DDoS) attacks. There have been instances of DDoS attacks targeting IoT devices that caused significant impact on business systems and operations.
Physical access represents a substantial risk for specific IoT systems and sensors. In the absence of tamper-resistant technologies, these devices may be vulnerable to compromise using direct access methods.
Standardize a process to evaluate, select, and deploy IoT devices on the network. Determine the requirements for an IoT device and ensure it meets the organization’s objectives. Your vendor management process should include ensuring the manufacturer is financially stable, maintains an information security program, and has a history of maintaining the software on the IoT devices for years after sale.
Only deploy IoT devices the organization has formally approved, place them in their own segregated network to limit their access to the rest of the network, and block all other IoT devices on the organization’s network. Configure your security monitoring tools to monitor attacks against IoT devices. Finally, continuously monitor the network to ensure only authorized IoT devices are on the network, have the latest software, and are securely configured.
The quantity and diversity of IoT and other connected devices represent a significant security challenge. Information technology and security professionals should consider existing practices and procedures designed to limit the risks associated with untrusted devices such as device registration, secure authentication, network segmentation, firewall configuration, and port and protocol monitoring.
A significant number of IoT devices utilize wireless communication technologies that introduce additional security and risk considerations. The importance of user security awareness and education relating to IoT should be emphasized as an essential consideration in addition to technical options for the development of a comprehensive security strategy.