Matt Dunn, the associate managing director for cyber-risk at Kroll, discusses how to keep networks safe from insecure IoT devices.
As the pandemic continues to fuel the shift to remote work, numerous manufacturers have capitalized on this movement to create a multitude of handy internet of things (IoT) devices. While these devices may make our home and work lives more convenient, they greatly expand the attack surface for cybercriminals. Here, we’ll take a look at the best cybersecurity practices that can thwart attacks.
IoT devices introduce a host of vulnerabilities into organizations’ networks and are often difficult to patch. With more than 30 billion active IoT device connections estimated by 2025, it is imperative information-security professionals find an efficient framework to better monitor and protect IoT devices from being leveraged for distributed denial or service (DDoS), ransomware or even data exfiltration.
When the convenience of a doorbell camera, robot vacuum cleaner or cellphone-activated thermostat could potentially wreak financial havoc or threaten physical harm, the security of these devices cannot be taken lightly. We must refocus our cyber-hygiene mindset to view these devices as potential threats to our sensitive data. There are too many examples of threat actors gaining access to a supposedly insignificant IoT device, like the HVAC control system for a global retail chain, only to pivot to other unsecured devices on the same network before reaching valuable sensitive information.
While phishing remains the most popular attack vector, reinforcing the need for humans to be an integral part of strong security program, IoT devices now offer another avenue for cybercriminals to access accounts and networks to steal data, conduct reconnaissance and further deploy malware. Recent cases have shown examples of this:
In 2019, cybercriminals were able to gain access to a casino’s database of “high roller” clients when they compromised a smart thermometer in a fish tank in the casino’s lobby and then pivoted into the casino’s network;
Vulnerabilities in a home alarm system led to cybercriminals conducting a DDoS attack by using these devices in a botnet as a mechanism to spread malware;
And, a corporate executive’s external Bluetooth-connected speaker allowed hackers to listen in on his sensitive conversations while he worked from home.
When we think about the uses of IoT devices today, the repercussions from their compromise could present significant damage. For instance, a successful compromise of an internet-connected thermostat could compromise the integrity of sensitive, climate-controlled facilities housing pharmaceuticals (including vaccines), food and other perishable items.
Key Security Controls for IoT Devices
The manufacturing cycle for the design of IoT devices rarely incorporates the implementation of security during the development process. This oversight has resulted in an increase of successful compromises, and not necessarily from sophisticated attacks. Some of the primary methods of IoT compromise and security measures to remediate these vulnerabilities include:
1. Default Passwords
As with most new devices that connect to a network, many IoT machines provide default passwords. Unfortunately, with the volume of stolen IP addresses available on dark web markets, if a user is still using the default password (also available on the dark web) or a simple password, which is susceptible to brute force attack, this may be an easy way for threat actors to gain further access to a network and, potentially, the sensitive data maintained on that network.
2. Unpatched Security Features
Unpatched hardware and software has been a prime target of cyber-threat actors for years. Recently, we’ve seen how unpatched operating systems led to the global WannaCry ransomware attack on Windows machines; unpatched software platform vulnerabilities being exploited, such as those experienced by users of Citrix; and, even in 2020, unpatched Eternal Blue exploits were used by threat actors to deploy large-scale ransomware attacks on compromised networks.
Similar attacks on unpatched vulnerabilities have allowed cybercriminals to conduct lateral movement once a foothold is gained in a network. These have proven extremely disastrous for the volumes of victims of banking trojan and ransomware attacks. A patch-management policy must be created to automate patching when made available by hardware and software manufacturers, as well as provide guidance for immediate patching necessary on critical systems.
3. Flat Networks
The success of IoT attacks is usually achieved when a compromised IoT device is connected to a network that contains sensitive or critical data. IoT devices should be segmented from other systems on the network to limit a threat actor’s ability to move laterally to where they can cause the most damage, both financially and to infrastructure.
4. Network Inventory
IT teams should conduct periodic inventories of their networks to identify which devices are connected and verify if they have been approved. This will also allow teams the ability to patch those devices now that they know they’re active on the network. We have seen too many situations of threat actors having access to a network for months (and longer) when there has been uncertainty regarding unauthorized devices or accounts accessing a network. This unaddressed situation allows threat actors unfettered access to quietly conduct reconnaissance and identify not only critical data which has monetary value, but also to learn configurations and security features, and to deploy additional malware.
Many IoT devices use Bluetooth as the method to connect to a network. However, Bluetooth has security vulnerabilities which could leave these devices open to attack. This is especially concerning when thinking about the potential impact on Bluetooth-enabled medical devices and implants, where a compromise could lead to the theft of PII/PHI or threaten the health of the patient if the device was disabled. It is highly suggested that users set up the non-discoverable mode when using Bluetooth-paired IoT devices. As hackers continue to identify vulnerabilities to Bluetooth, it is important to patch the firmware for Bluetooth-enabled devices as those security measures are issued by manufacturers.
As we move into the middle of 2021, there is a general understanding (and consumer demand) that more IoT devices will be available to carry out a plethora of services. These devices stretch across many industries and range from home and consumer use to commercial applications. While they offer many valued features and conveniences, they also pose a potential risk of the compromise of sensitive data or unauthorized access to personal, corporate and government networks. Identifying and protecting your IoT device network today can save your time, data and capital in the future. But beware – doing so is not a one-time event and as technologies change, and so should your controls.