Can Banks Protect Against the Threat of Everyday Devices?
There's a lesson for banks in the cyberattack that took down PayPal, Netflix, Facebook, and other sites for hours — and it's not just "have a backup domain name system provider."
Hopefully every bank already has that part covered (so that if their main DNS goes down as Dyn did, they can quickly switch over). The less obvious moral is: pay more attention to internet-connected devices like printers, security cameras and point-of-sale terminals. They're often lightly protected and can be easily broken into and harnessed in botnets like the one that brought down Dyn. They can also be used as backdoor for malware to access your entire network.
Banks have particular reason to be concerned because of the value of the data they secure, including customers' personal data and account information. And a handful, including U.S. Bank and Citi, have been experimenting with the use of internet-connected beacons for payments and identification, which will be appealing targets for hackers. (Both of those banks declined requests for interviews.)
In the cyberattack last week, 493,000 internet-connected devices were recruited by a botnet called Mirai to act as its cyber-army and flood Dyn's servers with data requests, causing hours-long outages. The devices were mostly webcams, printers and DVRs. Some were made by a Chinese manufacturer, Hangzhou Xiongmai, which announced on Monday that it will recall millions of cameras sold in the U.S. in response to the DDoS attack against Dyn.
But the problem extends far beyond one manufacturer. Like a car thief trying to open a door on each vehicle in a parking lot, the Mirai source code scans the web for devices from manufacturers including Toshiba, Samsung, Panasonic, Xerox, and RealTek to see what it can break into. Any device can be targeted.
"Anything that has an IP address assigned to it and is connected to internet can be used," said Austin Berglas, head of cyber defense at the consulting firm K2 Intelligence and former head of the FBI's New York cyber branch.
"It can collect data, it can disseminate data — these are things people don't think about when they install a new network printer inside their organization. Most people are concerned about, how can I access that from my desktop? Is it networked correctly?"
Every internet-connected device expands a company's attack surface and should be protected at the same level as a desktop computer, Berglas said.
"If an IP address is connected to internet, it's a vulnerability," he said. "If a printer has an unpatched vulnerability, a bad guy can exploit that printer and navigate through and into the corporate network."
Security blogger Brian Krebs has noted that although devices connected to the Internet of Things usually operate behind wired or wireless routers so they can't be directly reached over the web, "many IoT devices will use a technology called Universal Plug and Play that will automatically open specific virtual portholes or 'ports,' essentially poking a hole in the router's shield for that device that allows it to be communicated with from the wider Internet."
This is not a brand-new problem, noted Jerry Dixon, chief information security officer of the cybersecurity firm CrowdStrike, but it's a rapidly scaling one.
"Back in the late 90s I dealt with copiers and printers that were IP enabled, and phone PBX exchanges being compromised and used to gain access to networks," said Dixon, who until recently served as vice president, cyber threat intelligence and incident response at American Express. "Then you fast forward to today, our DVRs, TVs, just about everything is getting an IP address and there's not a lot of security built into those products, so it's easy to commandeer them to carry out DDoS attacks like we saw last week. It's a huge problem. They could quickly turn and use that against any organization."
People have become a little too cavalier about internet-connected devices, said Adam Levin, author of the book "Swiped" and chairman and founder of IDT911, a cybersecurity firm.
"I don't know if we've properly adjusted to the new paradigm: breaches have become the third certainty in life after death and taxes," he said. "Everywhere you turn, whether it's governments, businesses, consumers, media operations, you see instance after instance of hacks, people making mistakes, people not taking seriously the need to customize the passwords that come with all of these devices."
Levin was referring to a key flaw in the devices used in this attack: they came with a factory default password that the user could not change and that hackers could easily find or guess.
There are 6.4 billion IoT devices in the world today and that number will grow to more than 20 billion by 2020, the research firm Gartner predicts.
"All these devices are tracking, gathering information, presumably to send it back to the manufacturer in order to improve and enhance the customer experience," Levin said. "Unfortunately it becomes a very bad customer experience when you realize your favorite websites have gone down."
Banks and other businesses need to take several precautions to secure their internet-linked devices.
They could ask their manufacturers and resellers for better security, noted Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research.
If the manufacturer provides only a default user name and password, it needs to provide a way to change it. It goes without saying the new password needs to be strong. Having "admin" for a user name and password is not ok — this is often the first combination hackers try. (This is how hackers broke into Target's POS devices, through its HVACprovider, to steal credit card information.)
Better password habits in general would also be helpful, Berglas noted.
"We still have financial institutions where the system admin uses the same password for his organization's firewall as he does for his LinkedIn account," he said. "We still have companies that house passwords in a file that's labeled 'passwords' in clear text in a database that houses critical information. I think the way to look at it is not just this specific attack that focused on devices like video cams and video recorders that had default passwords, but about basic, ground-level cybersecurity health and hygiene."
System administrators, like everyone else, tend to reuse passwords because they don't want to have to remember dozens of different ones.
"The bad guys know that and exploit it," Berglas said. "They're looking to gain access into a financial institution where they've targeted someone in the organization and spear phish that person and get their user name and password."
The manufacturer should also be committed to immediately patching any security vulnerability it finds. Levin cited the principles of privacy by design and security by design, popularized by Ann Cavoukian, the former information and privacy commissioner of the Canadian province of Ontario.
"When you create a product or service, privacy and security is built into its core and it could be something as simple as, you have to put in a password in order for this thing to work," Levin said. "Businesses need to think about not only if they're going to use these things but how they customize them as quickly as possible with a password."
Once installed, traffic to and from the device should be watched closely for any signs of strange behavior that could indicate it's being used in a DDoS attack or for reconnaissance. "This is something companies should be doing anyway because these devices are collecting information about their business," Pascual noted.
A related risk is that a third-party provider with careless IoT policies could get hacked, and the perpetrators could use that as a conduit into the bank or to sensitive information like credit card data.
"There has not been proper attention put on this," Levin said.
Companies need to also be careful about their work-from-home and bring-your-own-device policies, which similarly tend to be less secure, giving hackers a possible route to sensitive information.
"Whether it's the hack you'll read about tomorrow or DDoS attacks, it boils down to a lot of the same best practices," Berglas said. "Dyn was attacked by a malware strain whose source code was released and available to the public. Could it have been stopped if people practiced better hygiene and didn't accept default passwords and changed their passwords?"
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.