Endpoint security continued to dominate headlines throughout April, as technology experts and government officials are struggling to keep pace with emerging cyber threats and new firmware vulnerabilities in internet of things devices. The lack of movement in the IoT manufacturing sector has forced governments and regulatory agencies around the world to ramp up their advocacy for endpoint security standardization, but progress has been slow. This month’s tech roundup spotlights a recently identified security flaw with major repercussions and discusses some of the regulatory actions that will impact endpoint management in the years to come.
Millions of IoT Devices Impacted by P2P Vulnerability
In late April, security researcher Paul Marrapese released his analysis on a newly discovered security flaw in iLnkP2P, a peer-to-peer communications technology built into millions of consumer and small business electronics. In total, Marrapese identified over 2 million vulnerable devices that use the unsecured P2P software from more than a dozen distributors, including HiChIp, HVCAM, VStarcam, Wanscam and SV3C. While a vast majority of the affected electronics are located in China, around 19% are actively deployed in Europe and 7% in the U.S.
The P2P vulnerability allows hackers to gain access to a wide range of common IoT devices, including security cameras, smart doorbells, digital video recorders and even baby monitors, exposing users to eavesdropping, identity theft and remote infiltration, Krebs on Security reported. iLnkP2P permits end users to access their devices remotely using a mobile app, without the need for complicated firewall configurations. However, the software does not feature any authentication or encryption protocols, which allows malicious actors to easily establish a direct connection. What’s more, many users forget to update their device credentials and personal settings before using their IoT electronics, meaning they’re protected by only default usernames and passwords.
Marrapese has issued several direct advisories to device vendors and iLnkP2P’s developer, the China-based Shenzhen Yunni Technology, but has not received any reply. This lack of response prompted Marrapese to contact the CERT Coordination Center about the P2P software’s vulnerabilities, though the nonprofit is not able to provide any long-term solutions without the cooperation of the developer.
NIST Releases Draft Guidance for IoT Security
On April 26, the National Institute of Standards and Technology released the first draft of a practice guide that offers IoT device manufacturers a series of recommendations for improving endpoint security. While the guidance document, named “Securing Small-Business and Home Internet of Things (IoT) Devices,” is not legally binding, the NIST hopes that it will help mitigate the risks of network-based attacks through greater standardization and improved data transmission security. Currently, no federal standards governing the distribution of IoT electronics or that establish basic cybersecurity rules that manufacturers must uphold.
The bulk of NIST’s draft document discusses the potential value of implementing a manufacturer usage description architecture, which would restrict IoT devices from sending or receiving traffic that is not directly related to their intended functionality. This could prevent hackers from hijacking consumer electronics for use in large-scale DDoS attacks, such as those carried out by the Mirai botnet in 2016. These organized cyber assaults leverage unprotected IoT devices to flood a system or network with more traffic than it can handle, taking key servers offline and causing significant downtime. The largest DDoS attack to date was launched in February 2018 against GitHub, an online code management service, which received 1.3 terabytes of incoming traffic per second, according to Cloudflare.
If implemented, the manufacturer usage description architecture would offer a standardized method for identifying every consumer device and the network communication protocols they need to perform as intended. A user’s home or business network would permit or prohibit certain device behaviors based on their specified type. Most full-featured electronics come equipped with security software that executes similar processes, but IoT devices are designed with limited functionality to reduce product costs and energy consumption. NIST is accepting public comments on its draft guidance until late-June 2019, giving developers plenty of time to express their concerns and offer additional recommendations.
Washington Legislature Passes Data Breach Notification Law
As data breaches become increasingly common (and damaging), government officials have started leveraging their legislative authority to hold organizations accountable for their cybersecurity practices. A bipartisan group of Washington lawmakers recently passed a new bill that expands existing data breach notification requirements and forces organizations to alert consumers within 30 days of a security incident. The goal is to promote greater transparency following large-scale security breaches that expose sensitive consumer information, which now includes full birth dates; usernames and passwords; biometric data; and identification numbers for health insurance, passports, military personnel and college students.
According to the National Conference of State Legislatures, all 50 U.S. states have enacted some form of legislation that requires private and governmental organization to notify individuals following a data breach, but the standards differ on a state-by-state basis. The bill passed in Washington suggests that lawmakers are in the process of tightening existing guidelines to keep pace with the complex cyber threat landscape.
That concludes this month’s tech round-up, so be sure to check out Faronics’ blog to learn more about endpoint security and important trends in the industry.