The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD),” and is seeking public comments.
The popularity of IoT devices is growing rapidly, as are concerns over their security. IoT devices are often vulnerable to malicious actors who can exploit them directly and use them to conduct network-based attacks. SP 1800-15 describes, for IoT product developers and implementers, an approach that uses MUD to automatically limit IoT devices to sending and receiving only the traffic they require to perform their intended functions.
For IoT devices to behave as their manufacturers intend, manufacturers need a standard way to identify each device's type and to describe the network communications the device requires to perform its intended function. MUD provides this: the manufacturer publishes a MUD file that declares the device's intended communications, and a MUD-aware network component retrieves that file and translates it into access rules for the device. When MUD is used, the network automatically permits the IoT device to perform as intended and prohibits all other device behaviors.
NCCoE has demonstrated for IoT product developers and implementers the ability to ensure that when an IoT device connects to a home or small-business network, MUD can be used to automatically permit the device to send and receive only the traffic it requires to perform its intended function.
The term IoT is often applied to the aggregate of single-purpose, internet-connected devices, such as thermostats, security monitors, lighting control systems, and smart televisions. The IoT is experiencing what some might describe as hypergrowth. Gartner predicts there will be 20.4 billion connected IoT devices by 2020 compared with 8.4 billion in 2017, while Forbes forecasts the market to be $457 billion by 2020 (a 28.5 percent compounded annual growth rate). As connected devices become more commonplace in homes and businesses, security concerns are also increasing. Many full-featured devices, such as web servers, personal or business computers, and mobile devices, often have state-of-the-art security software protecting them from most known threats. Conversely, many IoT devices are challenging to secure because they are designed to be inexpensive and to perform a single function—resulting in processing, timing, memory, and power constraints.
A distributed denial of service (DDoS) attack can cause a significant negative impact to an organization that is dependent on the internet to conduct business. A DDoS attack involves multiple computing devices in disparate locations sending repeated requests to a server with the intent to overload it and ultimately render it inaccessible. Recently, IoT devices have been exploited to launch DDoS attacks. IoT devices may have unpatched or easily discoverable software flaws, and many have minimal security, are unprotected, or are difficult to secure.
Use of MUD combats these IoT-based DDoS attacks by prohibiting unauthorized traffic to and from IoT devices. Even if an IoT device becomes compromised, MUD prevents it from being used in any attack that would require the device to send traffic to an unauthorized destination. The protection is bounded by what the manufacturer declared: traffic to destinations and ports that the MUD file permits is still allowed, so MUD limits the attacker's reach rather than eliminating it, and it only takes effect on networks that enforce MUD policy.
The consequences of not addressing security concerns of connected devices can be catastrophic. For instance, in typical networking environments, malicious actors can detect and attack an IoT device within minutes of its being connected, then launch an attack on that same device from any system on the internet, unbeknownst to the user. They can also commandeer a group of compromised devices, called a botnet, to launch large-scale DDoS and other attacks.
This Mitigating IoT-Based DDoS Project demonstrates an approach to significantly strengthen security while deploying IoT devices in home and small-business networks. This approach can help bolster the resiliency of IoT devices and prevent them from being used as a platform to mount DDoS attacks across the internet.
The NCCoE sought existing technologies that use the MUD specification to permit an IoT device to signal to the network what sort of access and network functionality it requires to properly operate. Under the specification, the device does this by emitting a MUD URL (for example, in a DHCP option, an LLDP TLV, or an X.509 certificate extension), which the network uses to fetch the manufacturer's MUD file and derive the device's access rules. Constraining the communication abilities of exploited IoT devices reduces the potential for the devices to be used in attacks, both DDoS attacks that could be launched across the internet and attacks on the IoT device's local network that could have security consequences.
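The following Python is an added example and is not code from the practice guide, NCCoE, or any MUD product. It shows, in miniature, the mechanism the preceding paragraphs describe: a MUD file declares the device's intended communications, the network compiles those declarations into rules, and every flow the manufacturer did not declare is dropped by default. The MUD file, the device, the domain names, the DNS table, and the sample flows are all constructed for illustration; the MUD file follows the JSON layout of RFC 8520 but is trimmed to IPv4, "eq" port matches, and "accept" actions, and no signature verification or real DNS resolution is performed.

```python
"""Toy MUD policy evaluator (added example; assumptions noted inline).

A real MUD manager fetches the MUD file over HTTPS from the device's
MUD URL, verifies its signature, resolves the DNS names in its ACLs,
and programs the resulting rules into a switch or router.  Here the
whole pipeline runs in memory against constructed data.
"""
import json
from dataclasses import dataclass

# Constructed MUD file for a hypothetical thermostat.  Field names follow
# RFC 8520 ("ietf-mud:mud" and "ietf-access-control-list:acls"); values are
# invented.  The device may talk TCP/443 to api.example.com and UDP/123 to
# time.example.com, and may receive replies from api.example.com:443.
MUD_FILE_JSON = """
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.com/thermostat.json",
    "last-update": "2019-04-01T00:00:00+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Hypothetical thermostat",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "from-thermo"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "to-thermo"}]}}
  },
  "ietf-access-control-list:acls": {"acl": [
    {"name": "from-thermo", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "cloud-out",
       "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example.com", "protocol": 6},
                   "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
       "actions": {"forwarding": "accept"}},
      {"name": "ntp-out",
       "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.example.com", "protocol": 17},
                   "udp": {"destination-port": {"operator": "eq", "port": 123}}},
       "actions": {"forwarding": "accept"}}]}},
    {"name": "to-thermo", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "cloud-in",
       "matches": {"ipv4": {"ietf-acldns:src-dnsname": "api.example.com", "protocol": 6},
                   "tcp": {"source-port": {"operator": "eq", "port": 443}}},
       "actions": {"forwarding": "accept"}}]}}
  ]}
}
"""

# Constructed resolver table standing in for the DNS lookups a MUD manager does.
DNS = {"api.example.com": {"192.0.2.10", "192.0.2.11"},
       "time.example.com": {"192.0.2.123"}}


@dataclass(frozen=True)
class Rule:
    direction: str          # "from-device" or "to-device"
    protocol: int           # IP protocol number: 6 = TCP, 17 = UDP
    remote_ips: frozenset   # resolved addresses of the named peer
    remote_port: int        # destination port outbound, source port inbound


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: int
    remote_ip: str
    remote_port: int


def compile_policy(mud_text, dns):
    """Turn the MUD file's accept entries into concrete Rule objects."""
    doc = json.loads(mud_text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy_key, dns_key, port_key in (
        ("from-device", "from-device-policy", "ietf-acldns:dst-dnsname", "destination-port"),
        ("to-device", "to-device-policy", "ietf-acldns:src-dnsname", "source-port"),
    ):
        for ref in mud[policy_key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                if ace["actions"]["forwarding"] != "accept":
                    continue            # only accept entries open anything
                m = ace["matches"]
                proto = m["ipv4"]["protocol"]
                port_spec = (m["tcp"] if proto == 6 else m["udp"])[port_key]
                if port_spec.get("operator", "eq") != "eq":
                    raise ValueError("toy evaluator supports only 'eq' port matches")
                rules.append(Rule(direction, proto,
                                  frozenset(dns.get(m["ipv4"][dns_key], ())),
                                  port_spec["port"]))
    return rules


def evaluate(rules, flow):
    """Default deny: a flow passes only if some compiled rule matches it."""
    for r in rules:
        if (r.direction == flow.direction and r.protocol == flow.protocol
                and flow.remote_ip in r.remote_ips and flow.remote_port == r.remote_port):
            return "accept"
    return "drop"


def demo():
    """Evaluate constructed flows, including ones a compromised device would try."""
    rules = compile_policy(MUD_FILE_JSON, DNS)
    flows = {
        "cloud api":          Flow("from-device", 6, "192.0.2.10", 443),
        "ntp":                Flow("from-device", 17, "192.0.2.123", 123),
        "ddos flood":         Flow("from-device", 6, "203.0.113.9", 80),   # undeclared target
        "lateral scan":       Flow("from-device", 6, "192.168.1.20", 445), # LAN neighbour
        "cloud reply":        Flow("to-device", 6, "192.0.2.11", 443),
        "inbound telnet":     Flow("to-device", 6, "198.51.100.5", 23),    # internet scanner
        "flood via cloud":    Flow("from-device", 6, "192.0.2.10", 443),   # still permitted
    }
    return {name: evaluate(rules, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The "flood via cloud" entry is the caveat in code form: a compromised thermostat can still send as much as it likes to the destinations the manufacturer declared, so MUD shrinks the attacker's target set rather than removing it. In a real deployment the rules come from a signed MUD file fetched over HTTPS and are installed on the enforcement point, and the name-to-address mapping must be refreshed as DNS answers change.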
The practice guide explains how to effectively implement the MUD specification for MUD-capable IoT devices, and it envisions methods for preventing non-MUD-capable IoT devices from connecting to potentially malicious entities using threat signaling technology. Organizations’ information security experts should identify the products that will best integrate with their existing tools and IT system infrastructure.
NCCoE is seeking feedback on its draft practice guide, which it will use to help shape the next version of the document. Comments should be submitted by June 24.