It has been proven beyond a doubt that the internet of things is a risk for organizations large and small. From connected surveillance cameras to HVAC controllers, smart devices can be easily leveraged for nefarious purposes — most recently to power some of the largest distributed-denial-of-service attacks, such as those of the devastating Mirai botnet.
But so far we’ve only scratched the surface of these troubles. The problem extends beyond aiming enslaved, mindless devices at a given target to create a service outage. IoT attacks will get more sophisticated. They can and will become points of entry into sensitive networks and gateways to exfiltrate sensitive data.
Until recently, security concerns around IoT were heard, but not acted on. Fortunately, that’s beginning to change.
The IoT security difference
Staying on top of IoT device security is particularly important for three reasons: IoT devices increase the attack surface of a given network, they can exist in networks without updates for a long time and, more often than not, they are developed by manufacturers without enterprise-grade security in mind. Combined, these factors make a recipe for disaster.
Understanding why IoT devices incur such risk is actually quite simple. For one, most IoT devices are created with the average consumer in mind and do not meet industry standards for security. Take smart TVs for instance — virtually every corporate conference room has a TV that is connected in some manner (e.g., video conferencing technology). However, these consumer-first TV sets can become a gateway for attackers because they lack enterprise-grade compliance requirements and their firmware and configurations are not as hardened as they should be.
Further, the workforce can introduce this kind of insecure, smart technology via mobile, wearable and other kinds of embedded devices without letting IT know. Not to mention the tens, if not hundreds, of devices that are networked and likely not seen by traditional security and visibility methods. The fact that all these devices could comprise the network but are not well tracked also means the traditional perimeter is gone and old methods of protection focused on walling off a given network are obsolete. For example, smartwatches with built-in Wi-Fi connections are often able to log on to the same networks as their connected phones automatically without letting their users know.
How these devices are hijacked
Now that we understand why IoT devices generate risk, let’s see how they can be exploited. A very realistic compromise scenario is leveraging IoT for corporate espionage. All it takes is downloading a malicious app to a smart TV to be compromised. It’s been proven that hijacking a smart TV for these purposes is not an impossible feat, and even manufacturers are tapping into their TVs to learn about consumers. If manufacturers can listen in, hackers can hijack the same mechanism. It’s frightening to imagine a compromised TV, which is integrated with video calling capabilities, being hijacked and used to eavesdrop on sensitive board meetings or to conduct IP espionage.
IoT devices could also become a stepping stone — entry and exit — for hackers looking to infiltrate a network. For instance, HVAC systems are not always updated and can be an easy target for hackers. But as the infamous Target breach proved, lateral movement can lead to disastrous results if a hacker makes his way from a connected device to a sensitive system on the same network. No one wants to be the victim of the same.
Shoring up defenses
Fortunately, there are immediate steps that can be taken to reduce the risk of a breach through IoT. Begin with building out comprehensive visibility. Keep in mind that although discovery of your IoT devices is critical, you can’t get a holistic picture by just looking at domains and IP addresses (i.e., static log analysis). IoT devices often share infrastructure with other services — AWS, CDNs, etc. — so seeing additional metadata like URLs and headers is crucial.
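The difference between an IP-only view and a metadata view of the same traffic, as an added example that is not part of the original article. The proxy records, asset inventory, host names and fingerprint patterns below are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy records (not real traffic). Every destination is
# the same shared CDN address, so the IP alone says nothing about the device.
RECORDS = [
    {"src": "10.0.4.21", "dst": "203.0.113.10", "host": "updates.tv-vendor.example",
     "path": "/fw/check", "ua": "SmartTV/4.2 (Linux; Tizen)"},
    {"src": "10.0.4.57", "dst": "203.0.113.10", "host": "static.news.example",
     "path": "/css/site.css", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"src": "10.0.4.88", "dst": "203.0.113.10", "host": "api.cam-vendor.example",
     "path": "/v1/heartbeat", "ua": "ipcam-agent/1.0"},
    {"src": "10.0.4.21", "dst": "203.0.113.10", "host": "ads.tv-vendor.example",
     "path": "/viewing/report", "ua": "SmartTV/4.2 (Linux; Tizen)"},
]

# Hypothetical asset inventory: source addresses IT already tracks.
INVENTORY = {"10.0.4.57"}

# Illustrative fingerprints (label, record field, pattern); assumptions only.
FINGERPRINTS = [
    ("smart-tv", "ua", re.compile(r"smarttv|tizen|webos", re.I)),
    ("ip-camera", "ua", re.compile(r"ipcam", re.I)),
    ("firmware-check", "path", re.compile(r"^/fw/", re.I)),
]

def ip_only_view(records):
    """What static IP analysis sees: destination -> set of sources."""
    view = defaultdict(set)
    for r in records:
        view[r["dst"]].add(r["src"])
    return dict(view)

def metadata_view(records, inventory):
    """Label each untracked source using Host, URL path and User-Agent."""
    found = {}
    for r in records:
        if r["src"] in inventory:
            continue  # already tracked by IT
        entry = found.setdefault(r["src"], {"labels": set(), "hosts": set()})
        entry["hosts"].add(r["host"])
        for label, field, rx in FINGERPRINTS:
            if rx.search(r[field]):
                entry["labels"].add(label)
    return found

if __name__ == "__main__":
    print(ip_only_view(RECORDS))
    for src, info in sorted(metadata_view(RECORDS, INVENTORY).items()):
        print(src, sorted(info["labels"]), sorted(info["hosts"]))
```

The IP-only view collapses all three sources onto one CDN address, while the metadata view surfaces two untracked devices and what they appear to be.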
Device communication is also important to monitor. SSL encryption can present a huge irony in this process in that the same measure used to protect sensitive data can be used to hide malicious activity. You can’t discern what encrypted packets are really carrying into your network until they’re decrypted. But this issue can be overcome by leveraging monitoring tools that can decrypt and deeply inspect encrypted data. Traditional methods of security like blocking malicious URLs and files, inline endpoint protection, deep content inspection and sandboxing should also be applied.
Ultimately, the wave of IoT is unavoidable, but you don’t have to be at its mercy. Take a comprehensive approach to security. Ensure visibility of devices and communication and be aware of all the smart devices and their activity in your network. Fail to do so and you’ll regret it.
Some key questions to ask in order to protect your network from IoT-based threats:
- Can devices join your network without permission?
- Do you know how many devices are on your network at any given time?
- Can devices on your network download untrusted applications?
- What level of permissions do your devices have?
- Can you read all traffic to and from connected devices on your network?