A recent report amongst IT decision makers revealed that security is currently the main barrier to IoT adoption by businesses. So how real are the threats and what do businesses need to do to combat them? Much attention to date has focused on security threats within the consumer landscape, as highlighted by the well-publicised Barbie doll hack, creating consternation amongst parents across the globe.
Yet less has been written about its use in the enterprise environment, to help decision makers evaluate the real risks posed by the use of connected devices and their impact on the already overworked and under-resourced security teams, says Lawrence Munro, director of SpiderLabs Research at Trustwave.
So let’s start by looking specifically at the types of risks that IoT poses in the enterprise. On the one hand we have the prospect of BYO-IoT – and as businesses are still getting to grips with BYOD, this will come as an unwelcome surprise for most security professionals!
The other scenario relates to the use of connected devices installed by the business itself, such as digital key cards in hotels, SCADA systems in manufacturing plants or MRI or X-ray machines in hospitals.
Since the market is still relatively immature, many of these devices have rudimentary security built into their systems, as more focus has been placed by the vendors on developing features rather than ensuring the devices are thoroughly tested and hardened against attack.
Many feature chipsets embedded in the system, which are often not properly patched and may be based on open source software and hence lacking in support. This is why in tests that we regularly conduct on these types of systems we often find security issues both in the software and in the hardware itself.
Since many connected devices are using relatively new standards like Zigbee and 60 Pay, which lack the sophistication of more mature standards, there have been a number of cases where critical vulnerabilities have also been detected in the protocols themselves, creating yet another potential attack vector for hackers.
Hackers’ low-hanging fruit
It’s not just a question of the underlying hardware or software being prone to attack. Another common discovery in testing these systems is that the vendors have used the original factory password settings, or failed to encrypt the passwords, making them an easy target for a relatively unsophisticated hacker.
Another concern is the discovery of backdoors in devices where the presence of state-sponsored code was detected. Many of the management interfaces which connect the user to the Internet are also prone to the same kinds of attacks as other web-based applications such as cross-site request forgeries.
For example, an ISP offering a surveillance system to a business could find the web site infected with malware via such an attack, allowing the hacker to take control of the system to extract video content or personal data about any of its users.
On the BYO-IoT front, many businesses have still not updated their security policies to deal with mobile devices, let alone wearables or other connected devices. We’ve witnessed a few cases of devices like WiMe, which creates a personal 4G smart hub, that have been connected to corporate networks to create a ‘dirty internet connection’, thus avoiding web filters.
It’s relatively easy to appreciate how such a situation could lead to a hacker hijacking the connection to evade corporate security defences and gain easy access to the corporate network. In instances such as these, user education is vital to stop such occurrences from undermining corporate security and stretching the already overworked security team beyond the breaking point.
Man the Barricades…
The area of IoT attacks is still relatively new and most attacks that have been documented so far have been more opportunistic than targeted in nature, with ‘would be’ hackers scanning the internet for vulnerable smart systems to download malware, often to become part of a botnet to serve up spam.
So what steps could and should businesses take to protect themselves from new threats posed by smart devices? There are some basic housekeeping steps which are fundamental to mounting an effective defence. In the case of IoT installed by the enterprise, it’s vital to air gap such systems away from the corporate network.
It’s also important for security teams to investigate vulnerabilities associated with new smart technology in advance of installation and – where possible – insist on vendors thoroughly testing and eradicating known vulnerabilities prior to purchase. The third and final piece of advice is to test the devices in situ, using either in-house or specialist third-party pentesters, as often vulnerabilities are only exposed once integration with other enterprise systems is complete.
It’s also important to remember that the tests are not restricted to the device alone, but should equally apply to the back-end services and protocols. This is particularly important given that many IoT devices rely on third-party platforms and services that represent an additional attack surface.
So what does the future hold for IoT with regards to security? As more regulations like the impending EU General Data Protection Regulation threaten to place even more burden on security teams, urging them to tighten their grasp on securing personal data, connected devices undeniably widen the security attack surface even further.
One possible reaction to such stiff penalties, like those currently under consideration in Brussels, is that businesses will take a more draconian stance and blanket ban the introduction of new technologies like IoT. This would be a retrograde step and would be turning a blind eye to the myriad of new advancements such technology can bring to the enterprise.
Other wiser CISOs will hopefully learn from the lessons of deploying mobile and cloud systems in the enterprise and ensure they do their homework in advance to proactively evaluate risks before deployment, rather than taking a ‘wait and see’ approach, which threatens to undermine both employee and consumer confidence in businesses when the inevitable breach occurs.
The author of this blog is Lawrence Munro, director of SpiderLabs Research at Trustwave, who shares his views on testing and researching IoT vulnerabilities.