In Into the Mind of an IoT Hacker at RSA Conference 2021, security specialists Itzik Feiglevitch and Justin Sowder brought up the issue of vulnerability of various IoT devices and the special treatment they require from corporate cybersecurity. They offered a few stunning examples showcasing the state of IoT security in today’s businesses.
Few cybersecurity specialists keep track of their corporate IoT hardware. More often than not, smart elevators, all sorts of sensors, IPTV, printers, surveillance cameras, and the like are just a motley collection of disparate devices, each with its own OS and proprietary protocols, and many lacking any sort of proper control interface … you get the picture. Your company may have thousands of them.
Why IoT devices introduce extra cybersecurity risks
IoT devices are not always regarded as belonging to the relevant infrastructure; although a network printer normally counts as a network device, the same isn’t true of “smart building” components or even IP telephony systems. To be clear, such devices tend to be connected to the same network as corporate workstations are.
Staff coming and going may complicate the situation even further. The greater the turnover in cybersecurity and IT, the better the chance a new person won’t know a thing about the IoT zoo connected to the network.
Perhaps worst of all, some of those devices are accessible from the outside. The reasons may be legitimate — vendor control over some aspect of a device; telework availability; maintenance — but having devices on the corporate network on the one hand, while being permanently hooked to the Internet on the other, is risky.
It may sound paradoxical, but the very robustness of modern electronics is another risk factor: Some IoT devices have very long life spans and are running in vastly more complex security environments than they were designed for.
For example, some devices run obsolete, vulnerable operating systems that are no longer updated — and even if they can be, updating may require physical access (which can range from difficult to nearly impossible). Some feature unchangeable passwords, debugging backdoors erroneously left in the final firmware release, and many other surprises to spice up the life of an IT security pro.
Why attackers take an interest in IoT devices
Cybercriminals find IoT devices interesting for several reasons, both for host company attacks and for attacks on other companies. The main uses for compromised smart devices are:
- Setting up a botnet for DDoS attacks;
- Mining cryptocurrency;
- Stealing confidential information;
- As a springboard for further attacks and lateral movement in the network.
Researchers have described some cases that are fairly ridiculous. These relate to both standard devices connected to the Internet and quite narrowly specialized ones. Two prominent examples highlight ultrasound machines and devices using Zigbee protocols.
Modern organizations working in the healthcare sector make use of numerous IoT medical devices. To test the security of such devices, researchers bought and tried to hack a used ultrasound machine. They needed only about five minutes to compromise it; the device was running on a version of Windows 2000 that had never been updated. Moreover, they were able not only to obtain control of the device, but also to gain access to the patient data the previous owner hadn’t deleted.
Physicians often use medical devices for years, or even decades, without updating or upgrading them. That’s understandable — if it ain’t broke, etc. — but these devices don’t merely operate for a long time in the first organization that acquires them; they are often resold and continue to operate.
Companies use Zigbee networking protocols, which were developed in 2003 for energy-efficient wireless communication between devices, to build mesh networks, and often to connect various components within a smart building. The result: a gateway somewhere in the office that controls dozens of different devices, such as, for example, a smart lighting system.
Some researchers say a cybercriminal could easily emulate a Zigbee device on a regular laptop, connect to a gateway, and install malware there. The cybercriminal would just have to be within the coverage area of the Zigbee network — for example, in the office lobby. Once they controlled the gateway, however, they could sabotage work in any number of ways — for example, by turning off all of the smart lights in the building.
How to secure a corporate network
Security officers are not always sure whether they should protect IoT devices on the corporate network or protect the corporate network from IoT devices. Actually, both problems need to be solved. The important thing here is to ensure that every item and action on the network is visible. Establish corporate security requires first identifying all devices connected to the network, correctly classifying them, and, ideally, analyzing associated risks.
The next step is, of course, network segmentation based on the results of the analysis. If a device is necessary and irreplaceable but has vulnerabilities that updates cannot fix, then you’ll need to configure the network to deny vulnerable devices Internet access and also to remove their access from other network segments. Ideally, use a Zero Trust concept for segmentation.
Monitoring network traffic for anomalies in relevant segments is also critical to your ability to trace compromised IoT devices being used for DDoS attacks or mining.
Finally, for the early detection of advanced attacks that employ IoT devices as anchors in the network and attack other systems, use an EDR-class solution.