“Internet of Things” (IoT) is a new buzzword for something that has been around for a long time: any network-connected device that is not a desktop computer or a server. There are more and more of these devices, and many of them are not what people picture when they hear “IoT”: web cameras, DVRs, security systems, environmental control systems, even light fixtures. Any “smart” product that is reachable over your network falls into this category.
Though often overlooked, these “things” are essentially little computers attached to your network, usually running a stripped-down Linux that nobody patches. Attackers can not only get in and reconfigure IoT security cameras, alarm systems and environmental controls, but can also use them as footholds into the rest of the network and as foot soldiers in massive distributed denial of service (DDoS) attacks and other damaging campaigns.
Will Your New IoT Security Camera Keep You Safe or Take You Down?
I recently had an in-depth conversation with a client about his latest vulnerability assessment, which highlighted this fact: a significant portion of the high-risk findings were IoT devices. The majority were web-enabled IoT security cameras that amounted to special-purpose, unpatched, exploitable Linux servers sitting on his network. Because these devices were distributed across the entire enterprise, they exposed the whole network to attack.
Another common example is the consumer/prosumer-grade routers that SMBs and even midsized companies often use. A large percentage of these devices (some estimates put the figure at almost 80% of home networks) are still configured with factory-default passwords and/or have their Telnet management port exposed to the Internet, so an attacker needs nothing more than a port scan and a list of vendor default credentials.
IP-connected environmental control systems are yet another growing threat, which gained notoriety after Target was hacked via an HVAC service provider. Often these systems are installed by HVAC contractors with little thought given to security, and then just left to run. These systems need to be configured, managed and updated like any other network device, because they represent a significant vulnerability.
If you’re interested, you can receive alerts and advisories regarding industrial IoT devices (e.g., sensors on manufacturing equipment) from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the US Department of Homeland Security. These frequent notifications cover SCADA systems and include security bulletins, cyber attack updates and more. It’s good to know somebody’s paying attention to these vulnerabilities—we can only hope IoT vendors are among those who are tuned in.
Likewise, when IoT vendors release patches and firmware updates, it is up to their customers to install them. Judging from the scans Pivot Point Security conducts, this frequently doesn't happen.
More often than not, when an IoT device is compromised it is because it was running outdated firmware, wasn't securely configured, or both. Attackers don't have to look far to find this low-hanging fruit on corporate networks.
The takeaway from this blog is simple: organizations need to manage all their IP-enabled devices under their vulnerability management program and in alignment with their password policy. Whether it's a computer, a thermostat or an IoT security camera, if it's network-accessible it needs to be inventoried, monitored and updated in accordance with policy. The test is easy to apply: if a configuration wouldn't be acceptable on a desktop computer (a default or weak password, lapsed patches, a Telnet service listening), it is unacceptable on any other network-accessible device.
IoT devices that you've overlooked or forgotten about can also be identified and tested as part of a network vulnerability assessment. Where updating an IoT device isn't feasible for reasons of expense or convenience, mitigating controls can be designed instead, such as placing the device behind a separate firewall with access controls that restrict who and what can reach it.
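One way to turn a routine network scan into the inventory step described above, written here as an added example rather than Pivot Point Security's own tooling: a small Python script that reads nmap's XML output (`nmap -sV -oX scan.xml <subnet>`) and applies the desktop-grade rule to every live host. It flags hosts exposing Telnet, FTP or SNMP as high, flags embedded devices (recognised by banner fragments such as BusyBox, GoAhead or uHTTPd) that serve their management page over plaintext HTTP as medium, and lists every embedded device as an inventory item. The scan data below is constructed for the example, and the port list and banner hints are assumptions to be tuned for your own environment, not an authoritative catalogue.

```python
"""Triage an nmap XML scan for network-attached 'things' that belong in the
vulnerability management program.  Added example: the scan text is constructed
and the port/banner heuristics are assumptions, not an authoritative list."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: plaintext/legacy services that should never be reachable from the
# corporate LAN on an embedded device.  Keyed by (protocol, port).
RISKY_SERVICES = {("tcp", 23): "telnet", ("tcp", 2323): "telnet",
                  ("tcp", 21): "ftp", ("udp", 161): "snmp"}
# Assumption: ports where an embedded device usually serves its admin UI in the clear.
PLAINTEXT_MGMT_PORTS = {80, 8000, 8080}
# Assumption: banner fragments typical of embedded Linux firmware (cameras, DVRs, SOHO routers).
EMBEDDED_HINTS = ("busybox", "goahead", "uhttpd", "boa", "thttpd", "dropbear",
                  "dvr", "nvr", "ipcam", "ip camera", "router")


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service_name, banner), ...]} for open ports on live hosts."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or (status is not None and status.get("state") != "up"):
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = {} if svc is None else svc.attrib
            parts = [attrs.get(k, "") for k in ("product", "version", "extrainfo")]
            banner = " ".join(p for p in parts if p).lower()
            entries.append((int(port.get("portid")), port.get("protocol"),
                            attrs.get("name", ""), banner))
        hosts[addr.get("addr")] = entries
    return hosts


def assess_host(ip, ports):
    """Apply the desktop-grade rule: flag anything that would be unacceptable on a workstation."""
    findings = []
    embedded = plaintext_mgmt = False
    for portid, proto, name, banner in ports:
        legacy = RISKY_SERVICES.get((proto, portid))
        if legacy:
            findings.append(Finding(ip, "high", f"{legacy} ({portid}/{proto}) open: {banner or 'no banner'}"))
        if any(hint in banner for hint in EMBEDDED_HINTS):
            embedded = True
        if proto == "tcp" and portid in PLAINTEXT_MGMT_PORTS and name == "http":
            plaintext_mgmt = True
    if embedded:
        if plaintext_mgmt:
            findings.append(Finding(ip, "medium", "embedded device serves its management UI over plaintext HTTP"))
        findings.append(Finding(ip, "info", "embedded/IoT device: add to vulnerability-management inventory and password-policy scope"))
    return findings


def triage(xml_text):
    """All findings for every live host in the scan."""
    return [f for ip, ports in parse_nmap_xml(xml_text).items() for f in assess_host(ip, ports)]


# Constructed sample scan: a SOHO router, a patched server, a camera, and a down host.
SAMPLE_SCAN = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="uHTTPd"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" tunnel="ssl"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.57" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead WebServer"/></port>
    <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
    <port protocol="tcp" portid="445"><state state="filtered"/></port>
  </ports></host>
  <host><status state="down"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for f in sorted(triage(xml_text), key=lambda f: (f.host, f.severity)):
        print(f"{f.severity:6} {f.host:15} {f.reason}")
```

Run it with the path to a real `-oX` file as the first argument; with no argument it triages the embedded sample, reporting both the router and the camera for exposed Telnet and plaintext management while the patched server produces nothing. The "info" lines are the point of the exercise: they are the devices that were never in the vulnerability management inventory and now need an owner, a patch cadence and a password that meets policy.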
If you’d benefit from some help to identify, lock down and manage the IoT devices on your network, contact Pivot Point Security.