Define: Internet of Things (IoT)
The internet of things (IoT) is the internetworking of physical devices, vehicles, buildings, and other items, embedded with electronics, software, sensors, actuators, and network connectivity, that enable these objects to collect and exchange data.
Do you remember Web 2.0? It promised amazing and new interactive features for your web presence and, in a sense, seemed real. But, in reality, it was largely the branding of a group of existing technologies to mean “new and improved.” I see the term “Internet of Things” very similarly; however, this time there are much larger security implications.
Over the years, we’ve been involved with a great number of projects where the lowest-hanging fruit on the network from a cyber threat perspective were devices like security cameras, DVR systems, and environmental systems that all fall under the IoT umbrella. However, in all those engagements, only two looked specifically at these devices and the security around both them and their implementation. Both engagements happened to be for energy companies that were testing their smart meter implementation.
We’ve found that there are usually two specific IoT device deficiencies that are common across most companies: patch management and password management. The vast majority of these devices run an embedded version of Linux, and, like any other operating system, it needs security patches applied and its user accounts managed for the system to be secured. The trouble is that not all vendors issue patches for their equipment in a timely manner, if ever. Even now, the number of devices we see vulnerable to the two-year-old ShellShock vulnerability is amazing. Usually, our team doesn’t need to exploit a vulnerability, because a large percentage of the devices are still configured with the default password or a weak one, or, in a few cases, no password at all.
As I type this, one of our penetration testers is performing an external penetration test against a large healthcare company that also provides emergency services to the public. While testing, he found a radio controller directly connected to the Internet. It’s bad enough to place an unprotected critical device directly on the Internet, but this one also had an easily guessable password. Within a few minutes of finding this machine, he was able to log in and have administrative access on the device. A few minutes was all it took to pivot onto the internal network. He is currently attacking their Active Directory server from the Internet.
The good news is that there are things you can do to address the risks. For starters, every device on your network should follow your corporate password policy and patch management policy. (You have these policies and follow them, correct?) For devices you cannot fully bring into compliance, you’ll need to mitigate the risks in other ways, such as decommissioning, replacement, or segregation.
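As an added illustration of how those two policies translate into a device-by-device check (example code written for this post, not a tool from the author’s team), the script below runs a constructed IoT inventory against an assumed password policy and patch-age threshold and assigns each device one of the three outcomes above: compliant, bring into compliance, or segregate/replace/decommission when the vendor no longer ships patches. The thresholds, the weak-password set and the inventory entries are all invented for the example.

```python
from datetime import date

# Policy thresholds: assumed values for this example, not from the post
MAX_PATCH_AGE_DAYS = 90
MIN_PASSWORD_LEN = 12
# Constructed, illustrative set of blank/default values; a real check would load
# the vendor-documented defaults for each model in the inventory
WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345"}

# Constructed sample inventory: device name, current credential, date of the last
# firmware/OS patch, and whether the vendor still issues patches for the model
INVENTORY = [
    {"name": "lobby-cam-01", "password": "admin",
     "last_patch": date(2014, 6, 1), "vendor_patches": False},
    {"name": "dvr-02", "password": "Xk7#pLq2vB9m",
     "last_patch": date(2016, 8, 20), "vendor_patches": True},
    {"name": "hvac-ctl-01", "password": "",
     "last_patch": date(2016, 9, 15), "vendor_patches": True},
]

def password_findings(password):
    """Return the password-policy violations for one device credential."""
    findings = []
    if password in WEAK_PASSWORDS:
        findings.append("default or blank password")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append("password shorter than %d" % MIN_PASSWORD_LEN)
    return findings

def patch_findings(last_patch, vendor_patches, today):
    """Return the patch-management violations for one device."""
    findings = []
    age = (today - last_patch).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append("no patch in %d days" % age)
    if not vendor_patches:
        findings.append("vendor no longer issues patches")
    return findings

def assess(device, today):
    """Map a device's findings to one of the post's three outcomes."""
    findings = password_findings(device["password"]) + patch_findings(
        device["last_patch"], device["vendor_patches"], today)
    if not findings:
        action = "compliant"
    elif not device["vendor_patches"]:
        # Cannot be brought into compliance: mitigate some other way
        action = "segregate, replace or decommission"
    else:
        action = "bring into compliance: rotate credentials and patch"
    return {"name": device["name"], "findings": findings, "action": action}

if __name__ == "__main__":
    for device in INVENTORY:
        print(assess(device, date(2016, 10, 1)))
```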
This blog post was strictly about access to the IoT devices. In a future installment, I’ll discuss the data usage habits of some other interesting IoT devices. In the meantime, make sure you know what’s on your network, ensure it’s included in your patch management system and follows your password policy, and understand what it communicates with.