A couple of years ago, an employee was fired from a position with a large food retailer in the United States. This event might have gone unnoticed had it not been for the fact that this disgruntled employee decided to get even.
He knew the password to the organization’s wireless network and could easily connect with it. Once connected to the network, he simply changed the temperature of the refrigerators. This simple action resulted in the destruction of food inventory to the tune of hundreds of thousands of dollars. No sophisticated knowledge was required to perform this hack, as the employee had the keys to the kingdom.
Imagine if something like this were to occur at a hospital, an urgent care facility or at a government institution. What if the hacker knows what he is doing and can gain full access to the organization’s network, including more sensitive sections and endpoints? What if she can carry out more sophisticated cyber-offences, such as planting ransomware, stealing intellectual property or gaining access to people’s private information, as in some attacks we have heard of in the last few years? Thankfully, many organizations have protocols to change passwords periodically, or measures built into their HR termination policies.
Recently, a major security breach was discovered in hospital and supermarket refrigeration systems by security researchers Noam Rotem and Ran L from Safety Detective research lab. According to their research, there is a major security vulnerability in temperature control systems manufactured by Resource Data Management, a Scotland-based remote monitoring solutions company. What the researchers found out was that, in effect, thousands of individually exposed internet-connected industrial refrigerators could be remotely instructed to defrost by anyone with an internet connection and browser. In fact, as part of their research, they asked their secretary to figure out the location information relating to specific IoT endpoints via a search engine. Without any knowledge or training, she was able to complete the task successfully.
These vulnerable temperature-controlled systems are used by hospitals and supermarket chains all over the world, including Marks & Spencer, Ocado, Way-On and more. These systems are all accessible from the internet and use the unsecured HTTP protocol, as well as a default username and 1234 as the default password, which system administrators rarely change. The default password is typically found in documentation on the company’s website, according to the researchers. To make things worse, the company provided the same default username and password to almost all of its devices. Once the systems are used to defrost refrigerators, this could cause water and infrastructure damage, financial loss, the destruction of inventory, as in the case noted above, and damage to the brand reputation. In high-value industries, losses are severe.
In the documentation that comes with the services, the company does point out that the default passwords should be changed when the system is installed. However, the change isn’t mandatory to be able to use the systems. According to the researchers, many device owners don’t bother changing it. At the same time, the company can’t enforce new password setup by clients. TechCrunch found several hundred refrigerators on Shodan, the search engine and registry of IP addresses with information about connected devices, confirming the researchers’ findings. The researchers also indicated that it would be possible to modify user settings, alarms and other features on the exposed devices.
These are just a couple of examples of a much broader area of concern that includes all IoT devices and machines — and we had better get ready. According to IDC projections, approximately 80 billion IoT devices will be connected by 2025.
Main challenges with IoT security
Easy to hack
IoT devices are as easy to hack as they are easy to connect to remotely by anyone, from any location. Even after the 2016 Dyn cyberattacks, some enterprises have kept default settings, not bothering to set unique usernames and passwords.
IT and security teams typically have a hard time gaining visibility of all the IoT devices connected to the network at any given time, and if you can’t see what is on the network, you can’t really do anything to prevent breaches.
IT teams need dedicated visibility tools, such as network access control (NAC), as well as a current and detailed inventory of all network-connected endpoints. The inventory should be updated automatically, with the help of NAC technology, whenever an endpoint connects, and verified manually on a monthly or bimonthly basis. Once there is technology keeping track of endpoints on the network, the organization will be able to respond effectively to IoT security breaches by implementing automated responses and security compliance actions.
IoT discovery and management
IT and security professionals must have technology that provides continuous discovery and management of endpoint access and authentication, thereby establishing a baseline of normal endpoint activity that helps to identify threats. Network visibility tools can provide real-time information on each endpoint that, among other items, includes endpoint location, the access layer being used and the type of information it currently has access to.
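To make the two preceding points concrete (an inventory that is updated automatically on connect but verified by a person, and a baseline against which unexpected endpoint activity stands out), here is an added example that is not part of the article. It reconciles a small endpoint inventory against NAC/DHCP-style connection events. The inventory fields, the event line format and all MAC addresses, IPs and VLAN numbers are constructed for illustration; real NAC exports will differ.

```python
"""Added example (not from the article): reconcile an endpoint inventory against
connection events from a NAC or DHCP server. Formats and values are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory, keyed by MAC. A real NAC would export something similar.
KNOWN_INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"type": "refrigeration-controller", "vlan": 40, "verified": True},
    "aa:bb:cc:00:00:02": {"type": "refrigeration-controller", "vlan": 40, "verified": True},
    "aa:bb:cc:00:00:10": {"type": "laptop", "vlan": 10, "verified": True},
}

# Constructed connection events: "<timestamp> <mac> <ip> <vlan> <switch/port>"
SAMPLE_EVENTS = """\
2019-03-01T08:00:01 aa:bb:cc:00:00:01 10.0.40.11 40 sw1/gi0/1
2019-03-01T08:00:05 aa:bb:cc:00:00:10 10.0.10.22 10 sw2/gi0/7
2019-03-01T08:01:10 AA:BB:CC:00:00:99 10.0.40.77 40 sw1/gi0/9
2019-03-01T08:02:30 aa:bb:cc:00:00:02 10.0.10.30 10 sw2/gi0/3
malformed line that should be skipped
"""


@dataclass
class Finding:
    mac: str
    reason: str   # "unknown-endpoint", "vlan-mismatch" or "not-seen"
    detail: str


def parse_events(text: str) -> List[dict]:
    """Parse event lines; malformed lines are skipped, MACs are normalised to lowercase."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, mac, ip, vlan, port = parts
        if not vlan.isdigit():
            continue
        events.append({"ts": ts, "mac": mac.lower(), "ip": ip, "vlan": int(vlan), "port": port})
    return events


def reconcile(events: List[dict], inventory: Dict[str, dict]) -> List[Finding]:
    """Compare observed connections with the inventory baseline.

    Unknown MACs and endpoints appearing in a VLAN other than their baseline are
    flagged; inventory entries never observed in the window are flagged for manual
    verification (stale or offline device).
    """
    findings: List[Finding] = []
    seen = set()
    for ev in events:
        seen.add(ev["mac"])
        known = inventory.get(ev["mac"])
        if known is None:
            findings.append(Finding(ev["mac"], "unknown-endpoint",
                                    f"first seen on {ev['port']} in VLAN {ev['vlan']}"))
        elif known["vlan"] != ev["vlan"]:
            findings.append(Finding(ev["mac"], "vlan-mismatch",
                                    f"expected VLAN {known['vlan']}, observed {ev['vlan']}"))
    for mac in inventory:
        if mac not in seen:
            findings.append(Finding(mac, "not-seen", "inventory entry not observed in this window"))
    return findings


def update_inventory(inventory: Dict[str, dict], events: List[dict]) -> Dict[str, dict]:
    """Automatic update on connect: unknown endpoints are recorded as unverified so a
    person reviews them at the next manual check. Returns a new dict; input is unchanged."""
    updated = {mac: dict(attrs) for mac, attrs in inventory.items()}
    for ev in events:
        if ev["mac"] not in updated:
            updated[ev["mac"]] = {"type": "unverified", "vlan": ev["vlan"], "verified": False,
                                  "first_seen": ev["ts"], "port": ev["port"]}
    return updated


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in reconcile(evs, KNOWN_INVENTORY):
        print(f"{f.mac}  {f.reason:17} {f.detail}")
```

Run on the constructed events, this flags the never-inventoried MAC ending in `:99` and the controller ending in `:02` that appeared in the office VLAN instead of its baseline VLAN 40; the unverified entry that `update_inventory` creates is what the monthly manual review would confirm or remove.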
Network monitoring and access control
The best practice is to have security professionals set up policies that control access to the network for all IoT endpoints while continuously profiling their security posture. IoT endpoints should be blocked from areas that contain sensitive information or customer data. Collecting information on the endpoint and the manufacturer will also help control access based on endpoints that can be designated in advance as riskier. Access can be based on whether or not the endpoint has the latest security patches. While it is known that some IoT endpoints do not have security patches, firmware updates are issued by some manufacturers and should be installed as soon as they become available. These can help to stall or completely prevent cybercriminals from gaining access to the network.
Segmentation starts with a thorough inventory that covers the IoT devices currently in use, the employees using them, what each device is used for and how it connects (for example, which VLAN or LAN), and with answering questions such as:
- Does the endpoint require access to more than just an internet connection to perform its functions?
- How does the endpoint transmit its data, and in what form?
Once these questions are answered, it is possible to start segmenting.
A suggestion for segmentation is to specify certain categories, such as infrastructural, data-collecting, organizational and wearable endpoints. Based on the functionalities of each endpoint, it will be possible to create a network security policy that can serve their purpose and maximize their results. Segmentation can be useful in a breach by enabling rapid remediation by quarantining or blocking network access for certain endpoints.
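The access policy described above (category-based segments, access conditioned on patch status, IoT kept out of areas holding sensitive data, and quarantine as the remediation step) can be written down as code. The following is an added example, not from the article or from any product it mentions. It uses the four categories the article suggests, and also treats the two weaknesses highlighted in the refrigeration case (default credentials, management over plain HTTP) as inputs to the decision. Zone names, model names, firmware versions and endpoint records are all constructed assumptions.

```python
"""Added example (not from the article): a segmentation policy that places each IoT
endpoint in a network zone based on its category, firmware level and credential
state. Zones, models and versions are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed zone names
ZONE_SENSITIVE = "zone-sensitive"      # patient/customer data; never reachable from IoT
ZONE_INTERNET = "zone-internet"        # egress only
ZONE_RESTRICTED = "zone-restricted"    # internet egress only, no internal reachability
ZONE_QUARANTINE = "zone-quarantine"    # no reachability; remediation via out-of-band access

# The article's four categories, each mapped to its own segment (names constructed)
CATEGORY_ZONE = {
    "infrastructural": "zone-ot",
    "data-collecting": "zone-telemetry",
    "organizational": "zone-office-iot",
    "wearable": "zone-guest-iot",
}

# Constructed: latest firmware per model, maintained by the security team
LATEST_FIRMWARE = {"rdm-controller": "2.1.4", "badge-printer": "1.0.9"}


@dataclass
class Endpoint:
    mac: str
    model: str
    category: str
    firmware: str
    uses_default_credentials: bool
    uses_plain_http: bool


@dataclass
class Decision:
    zone: str
    reasons: List[str] = field(default_factory=list)


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def is_patched(ep: Endpoint) -> bool:
    """Unknown models are treated as unpatched: we cannot prove otherwise."""
    latest: Optional[str] = LATEST_FIRMWARE.get(ep.model)
    if latest is None:
        return False
    return version_tuple(ep.firmware) >= version_tuple(latest)


def decide_zone(ep: Endpoint) -> Decision:
    """Pick the zone for an endpoint. Order of severity:
    uncategorised or default credentials -> quarantine;
    plain HTTP or outdated firmware    -> restricted (internet only);
    otherwise                          -> the category's own segment."""
    if ep.category not in CATEGORY_ZONE:
        return Decision(ZONE_QUARANTINE, ["endpoint not categorised in inventory"])
    reasons: List[str] = []
    if ep.uses_default_credentials:
        reasons.append("default credentials still set")
    if ep.uses_plain_http:
        reasons.append("management interface over plain HTTP")
    if not is_patched(ep):
        reasons.append("firmware behind latest known release")
    if ep.uses_default_credentials:
        return Decision(ZONE_QUARANTINE, reasons)
    if reasons:
        return Decision(ZONE_RESTRICTED, reasons)
    return Decision(CATEGORY_ZONE[ep.category], ["baseline policy for category"])


def may_reach(src_zone: str, dst_zone: str) -> bool:
    """Reachability rules between zones. No IoT zone ever reaches the sensitive zone."""
    if dst_zone == ZONE_SENSITIVE or src_zone == ZONE_QUARANTINE:
        return False
    if src_zone == ZONE_RESTRICTED:
        return dst_zone == ZONE_INTERNET
    return dst_zone in (src_zone, ZONE_INTERNET)


if __name__ == "__main__":
    fridge = Endpoint("aa:bb:cc:00:00:01", "rdm-controller", "infrastructural", "2.1.4", True, True)
    d = decide_zone(fridge)
    print(d.zone, "|", "; ".join(d.reasons))
```

A controller still on its default credentials lands in quarantine regardless of anything else; one that is merely behind on firmware keeps internet egress for updates but loses internal reachability, and a healthy one is placed in its category segment, which still cannot reach the sensitive zone. That last rule is the code form of the article's point that IoT endpoints should be blocked from areas containing sensitive or customer data.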
Recently, I wrote about the notion that IoT security is going to go through a complete change thanks to some groundbreaking lawsuits and new legislation coming onto the scene. I explained that the IoT security vulnerabilities presented at Black Hat 2018 showed beyond any doubt that infiltrated medical monitoring devices or scrambled commercial aircraft communications would create dire consequences.
Fortunately, some elements in government have begun to actively seek legislation to regulate and manage IoT risks and threats by expanding device security measures. Starting next year, for example, California will ban internet-connected devices manufactured or sold in the state if they contain a weak or default password that isn’t unique to each device.
I believe that more professionals are awakening to the ever-increasing number and severity of IoT security risks, and that these vulnerabilities should be handled by a combination of organizations implementing risk management best practices as described above, along with IoT manufacturers embracing basic security standards and having legislation on IoT security. Otherwise we are in for many discoveries, such as the one by Safety Detective.
There are so many vulnerabilities in IoT, and hacking IoT devices is so easy that we must proactively seek security mechanisms now rather than wait for more disasters or emergency situations to force reactive responses. The solutions mentioned here will go a long way in preventing some of the disastrous breaches we have witnessed in recent years.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.