What should businesses do to better protect themselves against security threats posed by IoT?

Lawrence Munro, director of SpiderLabs Research at Trustwave

A recent report amongst IT decision makers revealed that security is currently the main barrier to IoT adoption by businesses. So how real are the threats and what do businesses need to do to combat them? Much attention to date has focused on security threats within the consumer landscape, as highlighted by the well-publicised Barbie doll hack, creating consternation amongst parents across the globe.

Yet less has been written about its use in the enterprise environment, to help decision makers evaluate the real risks posed by the use of connected devices and their impact on the already overworked and under-resourced security teams, says Lawrence Munro, director of SpiderLabs Research at Trustwave.

So let’s start by looking specifically at the types of risks that IoT poses in the enterprise. On the one hand we have the prospect of BYO-IoT – and as businesses are still getting to grips with BYOD, this will come as an unwelcome surprise for most security professionals!

The other scenario relates to the use of connected devices installed by the business itself, such as digital key cards in hotels, SCADA systems in manufacturing plants or MRI or X-ray machines in hospitals.

Since the market is still relatively immature, many of these devices have only rudimentary security built into their systems, because vendors have focused more on developing features than on ensuring the devices are thoroughly tested and hardened against attack.

Many contain embedded chipsets which are often not properly patched and may be based on open source software, and hence lack vendor support. This is why, in the tests we regularly conduct on these types of systems, we often find security issues both in the software and in the hardware itself.

Since many connected devices use relatively new standards like Zigbee and 60 Pay, which lack the maturity of longer-established standards, there have been a number of cases where critical vulnerabilities have been found in the protocols themselves, creating yet another potential attack vector for hackers.

Hackers’ low-hanging fruit

It’s not just a question of the underlying hardware or software being prone to attack: another common finding when testing these systems is that vendors have left the original factory password settings in place, or failed to encrypt stored passwords, making the devices an easy target for a relatively unsophisticated hacker.

Another concern is the discovery of backdoors in devices, where the presence of state-sponsored code has been detected. Many of the management interfaces that connect the user to the Internet are also prone to the same kinds of attacks as other web-based applications, such as cross-site request forgery.

For example, an ISP offering a surveillance system to a business could find the website infected with malware via such an attack, allowing the hacker to take control of the system and extract video content or personal data about any of its users.

On the BYO-IoT front, many businesses have still not updated their security policies to deal with mobile devices, let alone wearables or other connected devices. We’ve witnessed a few cases of devices like WiMe, which creates a personal 4G smart hub, being connected to corporate networks to create a ‘dirty internet connection’, thus avoiding web filters.

It’s relatively easy to appreciate how such a situation could lead to a hacker hijacking the connection to evade corporate security defences and gain easy access to the corporate network. In instances such as these, user education is vital to stop such occurrences from undermining corporate security and stretching the already overworked security team beyond the breaking point.

Man the Barricades…

The area of IoT attacks is still relatively new, and most attacks documented so far have been more opportunistic than targeted in nature, with ‘would-be’ hackers scanning the internet for vulnerable smart systems onto which to load malware, often so that the device becomes part of a botnet serving up spam.

So what steps could and should businesses take to protect themselves from new threats posed by smart devices? There are some basic housekeeping steps which are fundamental to mounting an effective defence. In the case of IoT installed by the enterprise, it’s vital to air gap such systems away from the corporate network.

It’s also important for security teams to investigate vulnerabilities associated with new smart technology in advance of installation and – where possible – insist on vendors thoroughly testing and eradicating known vulnerabilities prior to purchase. The third and final piece of advice is to test the devices in situ, using either in-house or specialist third-party pentesters, as often vulnerabilities are only exposed once integration with other enterprise systems is complete.

It’s also important to remember that the tests are not restricted to the device alone, but should equally apply to the back-end services and protocols. This is particularly important given that many IoT devices rely on third-party platforms and services that represent an additional attack surface.

So what does the future hold for IoT with regards to security? As more regulations like the impending EU General Data Protection Regulation threaten to place even more burden on security teams, urging them to tighten their grasp on securing personal data, connected devices undeniably widen the security attack surface even further.

One possible reaction to such stiff penalties, like those currently under consideration in Brussels, is that businesses will take a more draconian stance and blanket ban the introduction of new technologies like IoT. This would be a retrograde step and would be turning a blind eye to the myriad of new advancements such technology can bring to the enterprise.

Other wiser CISOs will hopefully learn from the lessons of deploying mobile and cloud systems in the enterprise and ensure they do their homework in advance to proactively evaluate risks before deployment, rather than taking a ‘wait and see’ approach, which threatens to undermine both employee and consumer confidence in businesses when the inevitable breach occurs.

The author of this blog, Lawrence Munro, director of SpiderLabs Research at Trustwave, shares his views on testing and researching IoT vulnerabilities.
