Insecurity of Things: Why Connected Devices Compromise Security



June 17, 2019

There will be 24 billion connected “things” by 2020, according to Business Insider. That will be more than four devices for every person on the planet.

While we’re probably quite a few years away from your refrigerator taking you hostage and using you as a battery Matrix-style (I hope), there are still a few concerns when it comes to the Internet of Things (IoT).

Let’s Talk Breaches

The Mirai botnet.
In 2016, a distributed denial of service (DDoS) attack caused an internet outage that affected much of the east coast. This was the work of the Mirai botnet. Normally a botnet takes advantage of vulnerabilities in home PCs to compromise those systems. Once a computer is compromised, it can then be controlled by the "bot herder." In the case of the Mirai botnet, however, IoT devices were compromised by scanning the internet for open Telnet ports and attempting logins using 61 default username/password pairs common on IoT devices. (Oh, and let’s not forget that the Mirai botnet code was released into the wild, so anyone can use it to infect insecure IoT devices. Time to change those passwords!)

It swims with the fishes.
Hackers found more than Nemo when they gained access to a casino’s network through the smart thermostat in a fish tank in the lobby. They walked (swam?) away with the casino’s high-roller database.

[Cybersecurity] is where the heart is.
In 2017 the FDA confirmed that St. Jude Medical’s implantable cardiac devices could be hacked. Then in 2018, the FDA issued a safety alert to notify consumers about vulnerabilities in Medtronic’s CareLink programmers that could allow a hacker to change the functionality of the programmer or implanted pacemakers.

VPNFilter router attack.
Malware infected more than half a million devices, most of which were consumer-grade routers. It monitored transmitted data, stole passwords, and even disabled devices – some of which were left totally inoperable.

GitHub got got.
Last year GitHub was hit with the most powerful DDoS attack recorded to date. According to Wired, the site was hit with 1.35 terabits per second of traffic. The attack stemmed from Memcached servers, which aren’t meant to be exposed to the public internet… but guess what? Around 100,000 of these servers, mainly owned by businesses, are online and have no authentication protection. This allows hackers to access them and utilize them for a DDoS attack, as was done to GitHub.

All aboard.
In mythology, sirens would lead ships astray. In today’s world of technology, those “sirens” are hackers. The navigation systems of about 50,000 ships are vulnerable to cyber attacks that could “fool” their GPS and send them off course – or even disable the navigation system entirely, leaving crews vulnerable to the elements.

The Challenges of IoT

As you can see, the IoT impacts a wide range of industries and device types – and some flaws in the security of certain IoT devices can literally have life or death consequences. So, why aren’t IT and security teams doing more to protect their environments? To put it simply, they’re between a rock and a hard place.

Here are a few reasons why:

IoT is the Wild, Wild West.
(And not the kind Will Smith was rapping about in the ‘90s.) Currently, the IoT industry lacks standardized regulations. Manufacturers are not required to bake security into the development of their devices when they build out code, hardware, or software. There are also no monitoring mechanisms to maintain security, and devices aren’t built with proper functions to enable security and firmware updates. The closest the U.S. will see in terms of regulations is the California Senate Bill 327 (SB-327) which, beginning on January 1, 2020, “would require a manufacturer of a connected device… to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit…” The bill also calls for IoT devices and the information they hold to be protected against “unauthorized access, destruction, use, modification, or disclosure.”

IoT devices are at the bottom of the security food chain.
Organizations have limited budgets, time, and resources. While IoT devices might create a significant gap in security, IT and information security teams are often pressured by leadership to focus on managing other risks. This is how IoT devices become a “whenever you can get around to it” type problem – and, unfortunately, some teams only find themselves able to “get around to it” when there’s been an incident.

Current guidelines are too complex.
To combat the lack of standardized regulations, NIST and the International Society of Automation (ISA) have issued IoT cybersecurity standards. These are a good place to start; however, these guidelines are incredibly complex, hard to understand, and difficult to implement within organizations because they don’t offer clear instructions or recommendations for implementation. This means that manufacturers are doing too much guesswork in designing security and privacy policies for their devices, and many just forgo the standards altogether because they believe they are too complex. End users wind up picking up the slack after the device is on their network.

So, What Can You Do?

As you can see, anyone trying to secure internet-connected devices has their work cut out for them. But it’s not all bad news. There are plenty of things you can do today to improve your current IoT security posture and prepare for the next wave of technology, and I’m including some of them below.

Become ISO 27001 certified.
For device builders, ISO 27001 certification introduces the security mindset and ensures that security is built into IoT devices from day one. For businesses that want to use IoT devices, ISO 27001 certification can help with vendor management. (Shameless plug: at GreyCastle Security we regularly guide clients through ISO 27001 certification and deliver efficient, effective, and sustainable Information Security Management Systems (ISMS) that are customized to the organization. Our subject matter experts also provide direction on how to continuously improve your ISMS.) By becoming ISO 27001 certified, you will be in a better position to prove to clients and other stakeholders that you securely manage your (and their) data.

Know what’s attached to your network now.
Do you know all the devices that are currently connected to your network? If not, it’s time to perform an assessment that observes your network traffic and inventories the connected devices. You’ll also need to identify any high-risk vulnerabilities and exploits.

Segment your network.
Set up security zones within your network. By dividing your network and restricting access to these “zones” to only authorized devices or users, you can restrict an attacker’s ability to move around your network. The segmentation strategy you use should be dynamic and give you the ability to monitor the trust level and access controls of all users, apps, and devices.
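As an added example (not code from GreyCastle or from the original post), the following Python script covers both the inventory step above and the segmentation step. It parses a few constructed Zeek-style conn.log lines, builds a device-and-port inventory from the responder side of each flow, flags internal responders that outside addresses reached on Telnet or Memcached ports (the exposure behind the Mirai and GitHub incidents described earlier), and reports flows that cross the defined security zones outside an explicit allowlist, which is the kind of thermostat-to-database traffic the casino story illustrates. The zone CIDRs, the risky-port list, the single allow rule, and every log line are assumptions constructed for the example.

```python
"""Inventory and segmentation check over Zeek-style conn.log lines.

Example code; zones, ports, allow rules and log lines are all constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: tab-separated conn.log fields
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1560787200.1\tC1\t203.0.113.7\t51234\t192.0.2.10\t23\ttcp\ttelnet",
    "1560787201.2\tC2\t203.0.113.9\t51235\t192.0.2.10\t23\ttcp\ttelnet",
    "1560787202.3\tC3\t203.0.113.7\t51236\t192.0.2.20\t11211\tudp\t-",
    "1560787203.4\tC4\t10.20.0.5\t44000\t10.10.0.50\t1433\ttcp\t-",
    "1560787204.5\tC5\t10.20.0.5\t44001\t10.30.0.9\t443\ttcp\tssl",
    "1560787205.6\tC6\t10.10.0.7\t52000\t10.10.0.50\t1433\ttcp\t-",
])

# Assumed security zones (hypothetical address plan); anything else is "internet".
ZONES = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),   # thermostats, cameras, etc.
    "corp": ipaddress.ip_network("10.10.0.0/16"),  # workstations and databases
    "mgmt": ipaddress.ip_network("10.30.0.0/16"),  # IoT telemetry collectors
    "edge": ipaddress.ip_network("192.0.2.0/24"),  # the organisation's public range
}
# Cross-zone flows that are explicitly permitted: (source zone, dest zone, dest port).
ALLOWED_CROSS_ZONE = {("iot", "mgmt", 443)}
# Services that should never be reachable from the internet.
RISKY_SERVICES = {23: "telnet", 2323: "telnet-alt", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str


def parse_conn_log(text):
    """Parse tab-separated conn.log lines, skipping '#' header/comment lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 8:
            continue  # malformed line; ignore rather than crash the report
        flows.append(Flow(f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], f[7]))
    return flows


def zone_of(ip):
    """Map an address to its zone name, or 'internet' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def build_inventory(flows):
    """Inventory of internal responders and the (proto, port) pairs they answered on."""
    inventory = defaultdict(set)
    for fl in flows:
        if zone_of(fl.resp_h) != "internet":
            inventory[fl.resp_h].add((fl.proto, fl.resp_p))
    return dict(inventory)


def find_internet_exposed(flows):
    """Internal (host, port) pairs on risky services that internet sources reached,
    with the number of distinct outside sources seen for each."""
    hits = defaultdict(set)
    for fl in flows:
        if (zone_of(fl.orig_h) == "internet" and zone_of(fl.resp_h) != "internet"
                and fl.resp_p in RISKY_SERVICES):
            hits[(fl.resp_h, fl.resp_p)].add(fl.orig_h)
    return {key: len(sources) for key, sources in hits.items()}


def find_segmentation_violations(flows):
    """Flows between two different internal zones not covered by the allowlist."""
    violations = []
    for fl in flows:
        src, dst = zone_of(fl.orig_h), zone_of(fl.resp_h)
        if "internet" in (src, dst) or src == dst:
            continue  # internet traffic is handled by the exposure check; same-zone is fine
        if (src, dst, fl.resp_p) not in ALLOWED_CROSS_ZONE:
            violations.append((fl.uid, src, dst, fl.resp_p))
    return violations


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    print("inventory:", build_inventory(flows))
    print("internet-exposed risky services:", find_internet_exposed(flows))
    print("segmentation violations:", find_segmentation_violations(flows))
```

On the sample data the exposure report lists 192.0.2.10 on Telnet (reached by two outside sources) and 192.0.2.20 on Memcached, and the only segmentation violation is C4, the IoT-zone host talking to a corp-zone database on port 1433; the IoT-to-mgmt telemetry on 443 passes because it is allowlisted. Pointing the parser at a real conn.log and replacing the zone table with your own address plan turns it into a repeatable check to run after every device deployment.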

Change default usernames and passwords.
This one should be a no-brainer.

Keep devices on an “information diet.”
Devices should not have access to data and information they don’t need. A smart toaster doesn’t need your date of birth or your credit card number (unless it’s planning on using your Alexa to order you a birthday present, in which case that’s quite a toaster!). Only allow devices to have information that is vital to their operation.

Get the team together.
Before implementing an IoT device, have a meeting with all relevant parties to discuss the device and how it will be used within the organization. IT and security teams need to work together to ensure the proper levels of encryption, and the vendor needs to provide a satisfactory explanation of how they protect data.

Map your attack surface.
Today’s threat landscape is vast. The traditional idea of a network border has changed with the adoption of cloud technology, mobile devices, and IoT – and this introduces new risks to organizations. Take a closer look at your endpoint security strategy. What needs to be protected? Understanding your attack surface and proactively identifying threats and vulnerabilities before they are exploited will be crucial to keeping an IoT environment secure.

In Conclusion...

IoT security is complex, but it is manageable. While many IoT devices are “plug and play,” the security strategies associated with them can’t be. Your organization needs a security strategy that is customized to your device environment and the threats against it. When you fully understand your network in this way, you can strengthen it.

Want to continue the conversation? Leave a comment below or feel free to reach out to me directly. You can also email me at [email redacted]. I look forward to hearing your thoughts!