How can anomalous IoT device activity be detected?

An estimated 25 billion IoT devices are expected to be among us by 2025, contributing to $1.1 trillion in industry revenue (data according to a recent study by GSMA). Given the continually increasing prominence of these devices in our lives and their ever-wider capabilities, ensuring their security and proper behavior should be a critical concern for IoT users and manufacturers alike — should being the operative word at the moment.

Web-connected devices in our homes and workplaces help us control more aspects of our lives by the day, with many including microphones and cameras that see and hear everything we do. Considering the risks these features could represent, though, it’s an immense vulnerability that most — especially lower-end — IoT devices on the market today feature little or no security measures at all. The IoT market has been much more interested in delivering user-desired features at low price points.

But as headlines continue to remind us, IoT devices can and do get hacked regularly, and the consequences are severe. The news is rife with creepy stories of IoT-based spying in home and corporate environments, and seemingly endless instances of the damage inflicted by massive botnets built from large numbers of compromised IoT devices, which can take companies and even major internet infrastructure offline through powerful distributed denial-of-service attacks.

The good news is that even where IoT devices provided no embedded security from the manufacturer, it’s still possible to ensure that they’re secure and operating in an uncompromised network environment. Through a dynamic approach to IoT device discovery, profiling and anomalous activity detection, devices should be monitored for proper behavior, and those that show signs of having been interfered with can have that behavior mitigated and security issues eliminated.

The first stage in this strategy is to recognize what devices are connecting to routers at the local network level. Given the scope and nature of the IoT ecosystem — where the countless devices we all carry may attempt to connect to local networks as we happen to pass by them — it’s now impossible to know or keep track of all the devices connected to our networks by manual means. The task of vetting the behavior of all devices is more challenging still.

Dynamic IoT device discovery and profiling is the process of identifying any device that connects to the network down to its specific make and model. It can be positioned to see all inbound and outbound traffic by including a module within routers, gateways, UTMs and other network devices. The strategy works for nearly any connected device in a household or business: traffic is examined across all seven layers of the OSI model to build a unique fingerprint for each device, and that fingerprint is then matched against a database of recognized IoT device profiles. Where a device's organizationally unique identifier (OUI) maps to a single product — which is more often the case with brands with a narrow product line — profiling usually takes less than a minute once the device joins the network. Where a device's OUI covers several device types, a profiling strategy will use port scanning, protocol analysis and other such higher-level detection techniques to complete identification within minutes.
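The two-stage profiling flow described above (OUI first, port and protocol evidence only when the OUI is ambiguous) as an added example; this is not code from the original article or from any vendor product. The OUI prefixes, vendor names, product names and port signatures are all constructed for the illustration, and the open-port set is assumed to come from whatever scan or passive analysis the higher-level stage performed.

```python
from typing import Dict, Set

# Constructed OUI table for this example. The three-byte prefixes and vendor
# names are invented; a real deployment would load the IEEE OUI registry plus
# a database of recognized IoT device profiles.
OUI_TABLE: Dict[str, dict] = {
    "00:11:22": {"vendor": "ExampleCam Ltd",
                 "profiles": ["ExampleCam IP Camera"]},          # narrow product line
    "AA:BB:CC": {"vendor": "OmniGadget Inc",
                 "profiles": ["OmniGadget Smart Plug",
                              "OmniGadget Thermostat",
                              "OmniGadget Doorbell"]},           # one OUI, many products
}

# Constructed service fingerprints: the listening ports each ambiguous product
# is expected to expose (hypothetical values chosen for the example).
PROFILE_PORTS: Dict[str, Set[int]] = {
    "OmniGadget Smart Plug": {80, 1883},    # HTTP setup page + MQTT
    "OmniGadget Thermostat": {443, 5683},   # HTTPS + CoAP
    "OmniGadget Doorbell":   {443, 554},    # HTTPS + RTSP video
}


def oui_of(mac: str) -> str:
    """Normalise a MAC address and return its first three octets (the OUI)."""
    return mac.upper().replace("-", ":")[:8]


def profile_device(mac: str, open_ports: Set[int]) -> dict:
    """Identify a device from its MAC and the ports observed open on it.

    open_ports is whatever the higher-level stage observed (a port scan or
    passive protocol analysis); this function only does the matching.
    """
    entry = OUI_TABLE.get(oui_of(mac))
    if entry is None:
        return {"vendor": None, "profile": None, "method": "unknown-oui"}

    candidates = entry["profiles"]
    if len(candidates) == 1:
        # The OUI alone pins down the product: fast path, no port data needed.
        return {"vendor": entry["vendor"], "profile": candidates[0], "method": "oui"}

    # Ambiguous OUI: score each candidate by how many of its expected ports were
    # actually observed, and insist on a unique best match before committing.
    scores = {name: len(PROFILE_PORTS.get(name, set()) & open_ports) for name in candidates}
    top = max(scores.values())
    winners = [name for name, s in scores.items() if s == top]
    if top == 0 or len(winners) != 1:
        return {"vendor": entry["vendor"], "profile": None, "method": "oui-ambiguous"}
    return {"vendor": entry["vendor"], "profile": winners[0], "method": "oui+ports"}


if __name__ == "__main__":
    for mac, ports in [("00:11:22:33:44:55", set()),
                       ("aa-bb-cc-01-02-03", {443, 554}),
                       ("AA:BB:CC:01:02:04", {443}),
                       ("FF:FF:FF:00:00:00", {80})]:
        print(mac, profile_device(mac, ports))
```

The tie handling matters in practice: a device that only shows HTTPS matches both the thermostat and the doorbell signatures equally, so the profiler reports the OUI as still ambiguous rather than guessing, and the monitoring stage can wait for more protocol evidence instead of baselining the wrong device type.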

With each connected device on the network accurately identified, anomalous activity detection is capable of monitoring behavior in order to continuously verify that devices are carrying out their duties as expected. If a device begins making suspicious connections or exhibiting abnormal behavior outside of its normal operations, you’ll have a pretty strong indicator that the device may be compromised and engaged in malicious activity. It may also be the case that the device simply requires a software update or, worse, that it’s under direct control of an active attacker. But by recognizing these anomalies in real time, the worst behavior can be neutralized before crippling harm is done. Anomalous activity detection can also identify vulnerable (but as-yet-unhacked) devices, such as those IoT devices with weak security measures that need a closer look.
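A minimal form of the anomalous activity detection described above, added here as an example and not taken from the article or any product: a per-device baseline is learned from a window of flow records, and later flows are flagged when they reach a peer the device has never used, when a single flow is far larger than anything in its baseline, or when the device has no baseline at all. The flow records, MAC addresses and byte counts are constructed (IP addresses are from the RFC 5737 documentation ranges), and the 10x volume threshold is an assumed tuning value.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow record: (device MAC, destination IP, destination port, protocol, bytes sent).
Flow = Tuple[str, str, int, str, int]

# Constructed learning-window traffic for one IP camera; not captured data.
BASELINE_FLOWS: List[Flow] = [
    ("00:11:22:33:44:55", "203.0.113.10", 443, "tcp", 4200),  # vendor cloud check-in
    ("00:11:22:33:44:55", "192.168.1.1",   53, "udp",   90),  # local DNS
    ("00:11:22:33:44:55", "203.0.113.10", 443, "tcp", 3900),
    ("00:11:22:33:44:55", "203.0.113.10", 443, "tcp", 4400),
    ("00:11:22:33:44:55", "192.168.1.1",   53, "udp",   85),
]

# Constructed traffic from a later window, to be judged against the baseline.
LIVE_FLOWS: List[Flow] = [
    ("00:11:22:33:44:55", "203.0.113.10",  443, "tcp",   4100),  # as expected
    ("00:11:22:33:44:55", "198.51.100.77",  23, "tcp",    120),  # telnet to a never-seen host
    ("00:11:22:33:44:55", "203.0.113.10",  443, "tcp", 910000),  # known peer, huge upload
    ("00:11:22:33:44:55", "192.168.1.1",    53, "udp",     88),  # as expected
    ("DE:AD:BE:EF:00:01", "203.0.113.10",  443, "tcp",    100),  # device with no baseline
]


def build_baseline(flows: List[Flow]) -> Dict[str, dict]:
    """Learn, per device, the set of peers it talks to and its largest flow."""
    baseline: Dict[str, dict] = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for mac, dst, port, proto, nbytes in flows:
        b = baseline[mac]
        b["peers"].add((dst, port, proto))
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return dict(baseline)


def detect_anomalies(flows: List[Flow], baseline: Dict[str, dict],
                     volume_factor: int = 10) -> List[dict]:
    """Flag flows that leave a device's learned behaviour.

    Three cases are reported: a device the baseline never profiled, a
    connection to a (destination, port, protocol) the device has never used,
    and a single flow more than volume_factor times the device's largest
    baseline flow (volume_factor is an assumed tuning value).
    """
    alerts = []
    for mac, dst, port, proto, nbytes in flows:
        b = baseline.get(mac)
        if b is None:
            alerts.append({"mac": mac, "reason": "unprofiled-device",
                           "detail": f"{proto}/{dst}:{port}"})
            continue
        if (dst, port, proto) not in b["peers"]:
            alerts.append({"mac": mac, "reason": "new-peer",
                           "detail": f"{proto}/{dst}:{port}"})
        ceiling = b["max_bytes"] * volume_factor
        if nbytes > ceiling:
            alerts.append({"mac": mac, "reason": "volume-spike",
                           "detail": f"{nbytes} bytes > {ceiling} bytes ceiling"})
    return alerts


def run_example() -> List[dict]:
    """Baseline on the learning window, then evaluate the later window."""
    return detect_anomalies(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run against the constructed data, the camera's routine cloud and DNS traffic produces nothing, while the telnet attempt, the outsized upload and the unknown device each raise one alert. The baseline is a snapshot of one window, so a deployment would rebuild it on a rolling basis; a device whose legitimate behaviour changes after a firmware update will otherwise keep generating new-peer alerts.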

If you adopt this strategy for network safety, ensure that the criteria used to inform anomalous activity detection are updated continually to keep pace with natural shifts in device usage and behavior. These detection technologies likewise need the scalability to handle the growing number of devices on networks, especially as IoT adoption swells. With dynamic IoT device discovery, profiling and anomalous activity detection in place, the challenge of protecting networks can be much more effectively overcome (even if device manufacturers aren’t helping out much on their end).

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
