IoT: With great convenience comes even greater risk
IoT devices are skyrocketing in popularity -- almost everything can connect to the internet these days. You may have some of these in your home or business and not even realize it. Smart bulbs that sync with home management apps, IP camera systems, weather displays on smart refrigerators, smart thermostats -- basically all of the devices you would not expect to have an internet connection but do. This is highlighted further by the ongoing coronavirus pandemic, now that the workforce is 100 percent remote and IT teams have had to quickly enable remote work, all while ensuring security.
IoT devices make our lives a little easier and more convenient, but they come at a price as they provide new attack vectors for savvy cyber attackers. Gartner forecasts that there will be over 20.4 billion connected IoT devices in 2020, giving those attackers a lot of targets to choose from. On top of that, recent research indicated that IoT device hacks have increased by 300 percent, furthering the point that unprepared home network devices are easy targets for cybercriminals.
IoT devices are often overlooked as part of the network because their connectivity and the holes they leave in the network aren’t considered together. The average user often assumes that security is built in and therefore not an issue. The problem is that IoT devices aren’t built with security in mind; on the manufacturing and developer side, the focus is on being the first to market with a good product. This can leave unintentional vulnerabilities in the device that the consumer then has to mitigate. Additionally, installation technicians may not have proper security training or understand the most secure way to configure a device, leaving the client vulnerable. For example, camera vendors have been known to open ports and leave them exposed to the internet, where attackers can scan them and begin researching vulnerabilities.
These devices are susceptible to commonly known attacks like privilege escalation, denial of service, brute-forcing, firmware hijacking and more. Some malware, such as Mirai, takes advantage of this and specifically targets IoT devices running Linux, turning them into bots controlled by attackers for use in large-scale DDoS attacks -- which is exactly what happened during the 2016 Mirai botnet attack that took out internet accessibility on the East Coast of the United States.
IoT devices are often broken into through unpatched firmware or default usernames and passwords. Shodan, a search engine for IoT devices, is one method attackers use to find internet-facing devices where they can try those default credentials to gain access to a network.
From a business perspective, one rogue device can compromise an entire network, and this remains true even when employees are working from home. When a device is connected to the network, whether in the office or through a VPN, that device has access to vast amounts of sensitive data. Unless the organization in question has adequately segmented its network, an attacker can hijack an IP camera exposed to the internet, move laterally through the network, and harvest data or infect other network-connected devices with malware.
Unfortunately, there are no enforced standards of security for IoT devices and many manufacturers are not checking their devices for vulnerabilities before shipping them out. IoT is still relatively new and governments are slow to enact laws or rules around any new technology because legislation usually becomes quickly outdated or is ill-informed from the outset. Take robocalls for example: in 2009, the FTC enacted rules that banned robocalls without the receiver’s consent, with some exceptions. Yet, enforcement has been extremely difficult and, as many people know from their recent call list, robocalls have not decreased in frequency.
In the meantime, with stay-home-orders in place, there are some things companies can do to help protect their network from IoT attacks and better prepare themselves for when employees return to the office:
- Change the default username/password. Manufacturers often ship devices with very basic credentials that can be easily found online. Change these to a complex set that isn’t reused elsewhere.
- Change the name of the device. If the device provides the option to change the name, switch it to something other than what was provided by the manufacturer. Some manufacturer-provided names can tip off attackers to what the device is, allowing them to research what vulnerabilities are available for it once enumerated.
- Gain broad visibility of security events by ingesting events from any device/any application on your network. When an incident happens, you have to respond and mitigate quickly to prevent or minimize damage. Having this visibility better prepares you to mitigate anything that takes aim at your network.
- Segregate the devices on your network. If possible, IoT devices like camera systems should be DMZ’d away from your internal network so that, if they are breached, attackers are limited in where they can get on your network.
- Research your IoT devices before buying. Before buying any new IoT devices, perform some research on them and see if there are known vulnerabilities and if there are mitigations for those. If there are not, there may be a different vendor who offers a more secure product.
- Apply vendor patches. This is good practice not only with IoT devices, but in general. Unfortunately, some vendors do not release additional patches, which is another reason to research before buying.
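The visibility and segregation items above can be checked against each other. The following added example is not part of the original article: it reads firewall events and flags any flow that a device in the IoT DMZ initiated toward an internal subnet. The subnets, the key=value log format and the sample events are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed addressing plan (hypothetical): IoT gear sits in its own DMZ subnet.
IOT_DMZ = ipaddress.ip_network("10.50.0.0/24")
INTERNAL = [ipaddress.ip_network("10.10.0.0/16"),
            ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample events in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2020-05-01T09:00:01 action=allow src=10.50.0.21 dst=203.0.113.10 dport=443
2020-05-01T09:00:05 action=allow src=10.50.0.21 dst=10.10.4.7 dport=445
2020-05-01T09:00:09 action=deny src=10.50.0.21 dst=10.10.4.8 dport=22
2020-05-01T09:01:00 action=allow src=10.10.4.7 dst=10.50.0.21 dport=554
2020-05-01T09:02:30 action=allow src=10.50.0.33 dst=192.168.1.15 dport=3389
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return the parsed event, or None if fields are missing or invalid."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {"action": fields["action"],
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def segmentation_findings(log_text):
    """Flag flows that an IoT device initiated toward an internal subnet."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in IOT_DMZ:
            continue  # only traffic originating from the IoT segment matters here
        if any(ev["dst"] in net for net in INTERNAL):
            # allowed = segmentation gap; denied = rule held, but the device probed
            severity = "gap" if ev["action"] == "allow" else "blocked-attempt"
            findings.append((severity, str(ev["src"]), str(ev["dst"]), ev["dport"]))
    return findings

def summarize(findings):
    """Count findings per (source device, severity) for triage."""
    return Counter((src, sev) for sev, src, _, _ in findings)

if __name__ == "__main__":
    for finding in segmentation_findings(SAMPLE_LOG):
        print(finding)
```

A "gap" finding means the firewall let an IoT device reach the internal network, so the segmentation rule needs fixing; a "blocked-attempt" means the rule held but the device itself deserves a closer look.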
Josh Smith is a cybersecurity analyst at Nuspire, a managed network security service provider, where he specializes in information systems security. As part of the Security Intelligence and Analytics team, Josh is an expert at identifying cybersecurity trends, analyzing threat actors, and curating operational threat intelligence.