As the Internet of Things continues to grow, how can businesses protect themselves against IoT vulnerabilities? Recent incidents show the need to plan ahead for IoT-related attacks that can seem to come out of nowhere.
Recently I got myself a new toy called a HackRF One, which is basically an open source software-defined radio (SDR) platform capable of both transmitting and receiving (half-duplex). It covers a very large frequency range (1 MHz to 6 GHz, with up to 20 MHz of bandwidth), which happens to include the bands used by GPS and GSM cell phones.
People long ago figured out how to use cheaper, more limited radios to do things like capture and replay the fixed codes of older wirelessly controlled garage-door openers. But as the so-called Internet of Things (IoT) mushrooms and more and more devices become IP-connected, the opportunities for finding and exploiting IoT vulnerabilities to access information or otherwise cause harm grow right along with it.
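The garage-door case illustrates the difference between a fixed code and a rolling code better than any description can, so here is an added simulation (not code from the original post, and not any vendor's protocol). An attacker's radio records one legitimate button press and transmits it again: the fixed-code receiver accepts the replay, the rolling-code receiver rejects it. The 12-bit code size, the HMAC-based authenticator and the 16-press resynchronisation window are assumptions standing in for whatever a real product uses; KeeLoq-style remotes use a block cipher rather than HMAC, but the counter-plus-authenticator structure is the same.

```python
"""Capture-and-replay against a fixed-code remote versus a rolling-code remote.

Toy simulation (added example, not from the original post). Code size, HMAC
authenticator and resync window are assumptions, not a real product's design.
"""
import hashlib
import hmac
import secrets

CODE_BITS = 12          # many legacy fixed-code openers used 8 to 12 DIP switches
RESYNC_WINDOW = 16      # presses a receiver tolerates missing (remote pressed out of range)


def fixed_code_frame(code: int) -> bytes:
    """What a fixed-code remote transmits: the same bits on every press."""
    return code.to_bytes(2, "big")


class FixedCodeReceiver:
    def __init__(self, code: int) -> None:
        self.code = code

    def accept(self, frame: bytes) -> bool:
        # No state, no freshness: anything that matches the code opens the door.
        return int.from_bytes(frame, "big") == self.code


class RollingCodeRemote:
    """Transmits (counter || MAC(key, counter)); the counter increments per press."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag


class RollingCodeReceiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or corrupted frame
        counter = int.from_bytes(ctr, "big")
        # Freshness: the counter must move forward, but not by more than the
        # resync window. A replayed frame carries an already-consumed counter.
        if not self.last_counter < counter <= self.last_counter + RESYNC_WINDOW:
            return False
        self.last_counter = counter
        return True


def replay_demo() -> dict:
    """Record one legitimate press from each remote, then replay it."""
    code = 0xA5C                                   # constructed fixed code
    fixed_rx = FixedCodeReceiver(code)
    captured = fixed_code_frame(code)              # what the SDR recorded
    fixed_first = fixed_rx.accept(captured)
    fixed_replay = fixed_rx.accept(captured)       # same bits, still accepted

    key = secrets.token_bytes(16)                  # shared at pairing time
    remote, rolling_rx = RollingCodeRemote(key), RollingCodeReceiver(key)
    captured = remote.press()
    rolling_first = rolling_rx.accept(captured)
    rolling_replay = rolling_rx.accept(captured)   # counter already consumed
    rolling_next = rolling_rx.accept(remote.press())  # a fresh press still works
    return {
        "fixed_first": fixed_first,
        "fixed_replay": fixed_replay,
        "rolling_first": rolling_first,
        "rolling_replay": rolling_replay,
        "rolling_next": rolling_next,
    }


def brute_force_fixed(receiver: FixedCodeReceiver) -> int:
    """Guesses needed to open a fixed-code receiver with no capture at all."""
    for guess in range(1 << CODE_BITS):
        if receiver.accept(fixed_code_frame(guess)):
            return guess + 1
    raise RuntimeError("code outside the assumed search space")


if __name__ == "__main__":
    print(replay_demo())
    print("guesses to brute-force 0xA5C:", brute_force_fixed(FixedCodeReceiver(0xA5C)))
```

Two things to notice when running it: the fixed code falls to a replay and, with only 4096 possibilities, to a plain brute force in seconds of air time, while the rolling receiver rejects the replayed frame yet still accepts the remote's next genuine press. Rolling codes are not a complete defence (jam-and-capture attacks against them are documented), but they do remove the trivial record-and-replay path that a fixed code leaves open.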
Don’t Let “Hello Barbie” Past Your Reception Desk
A well-researched case in point is Mattel's Wi-Fi-enabled "Hello Barbie" doll, which can readily be turned into a surveillance device while also giving up its system information, account data and stored audio files. Researchers could also control the doll's microphone and make her say whatever they wanted.
If hackers can use an IoT doll to get onto your home Wi-Fi network, access personal financial data and hold your smart refrigerator for ransom, they can do the same thing at your workplace. Likewise, more and more web-connected "things" come with mobile apps, which makes smart mobile devices like phones and watches prime entry points from which to target sensitive personal and business data.
We have yet to conceptualize all the IoT vulnerabilities that are waiting to happen—all we know for sure is that we’re in for some unpleasant surprises. For example, the worsening scope of remote car hacks has made hi-tech automotive cybersecurity as big an issue as traditional driver safety. But that’s just the tip of the IP-enabled iceberg.
Planning Ahead to Combat IoT Vulnerabilities
What can you do to protect your business from attack vectors your IT staff has never even heard of? This informative post on the GlobalSign Blog outlines well-established types of cyber attack that IoT vulnerabilities likewise facilitate:
- Botnets, as clearly demonstrated by the recent IoT botnet-driven DDoS attack on Dyn (the Mirai botnet, built from cameras and DVRs taken over through default passwords).
- Man-in-the-middle hacks, like intercepting or redirecting the data stream from a web-connected light bulb.
- Data/identity theft (often in combination with social engineering), such as combining what you post on Facebook with what can be swiped from your Fitbit account (name, address, birth date, health information, credit card information…) to build a profile that can be used to impersonate you or target an attack.
With the above in mind, a key first step to limit the scope of unforeseen IoT security damage is to make sure your corporate BYOD policies actually keep sensitive data off personal devices. You also need to comprehensively protect data on company devices with full-disk encryption and strong authentication.
Another "no-brainer" is to stay current with firmware upgrades and patches on all your IoT devices, like connected printers, VoIP phones, energy meters, smart video conferencing systems and security cameras. In many cases, manufacturers are scrambling to patch gaping security holes in these systems, and the known vulnerabilities are routinely scanned for by attackers.
Likewise, you need to ensure that default credentials on IoT devices and systems are changed, and that the replacements are robust and kept secure. Picture cyber thugs turning off the cameras and opening the doors to your facility, all because a third-party installer didn't bother to change the default login credentials on your new, web-connected security system (and you didn't bother, either…).
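Checking for leftover default credentials is something you can script against your own device inventory rather than discover after an incident. The following audit is an added example, not code from the original post or from Pivot Point Security: the inventory rows and the default-credential list are constructed for illustration (the default pairs are of the kind that ship on cameras, DVRs and routers, and several of them appeared in the Mirai botnet's login list), and the field names `host`, `role`, `user` and `password` are an assumption about what an inventory export looks like.

```python
"""Flag IoT devices still running on default, shared or short credentials.

Added example, not from the original post. The inventory and the
default-credential list are constructed for illustration; the field names
are an assumption about an inventory export's layout.
"""
from collections import defaultdict

# Constructed: a handful of vendor defaults commonly found on IoT gear.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("root", "12345"), ("root", "xc3511"), ("root", "vizxv"),
    ("support", "support"), ("user", "user"),
}

# Constructed inventory export, as a third-party installer might leave it.
INVENTORY = [
    {"host": "cam-lobby-01", "role": "security camera", "user": "admin", "password": "admin"},
    {"host": "cam-lobby-02", "role": "security camera", "user": "admin", "password": "admin"},
    {"host": "dvr-basement", "role": "video recorder", "user": "root", "password": "xc3511"},
    {"host": "printer-2f", "role": "printer", "user": "admin", "password": "Pr1nt-2F-Zq8!x"},
    {"host": "conf-room-a", "role": "video conferencing", "user": "admin", "password": "Pr1nt-2F-Zq8!x"},
    {"host": "voip-gw", "role": "VoIP gateway", "user": "Admin", "password": "1234"},
    {"host": "meter-roof", "role": "energy meter", "user": "svc-meter", "password": "Roof-Mtr-7x!Qp"},
    {"host": "door-ctl", "role": "access control", "user": "installer", "password": "summer"},
]

MIN_PASSWORD_LEN = 12


def audit(inventory, defaults=KNOWN_DEFAULTS, min_len=MIN_PASSWORD_LEN):
    """Return {host: [finding, ...]} for every device with at least one issue."""
    findings = defaultdict(list)
    hosts_by_password = defaultdict(list)

    for dev in inventory:
        host, user, pw = dev["host"], dev["user"].lower(), dev["password"]
        # Usernames are compared case-insensitively (many devices treat them so);
        # passwords are compared exactly.
        if (user, pw) in defaults:
            findings[host].append(f"default credential {user}:{pw or '<blank>'}")
        if len(pw) < min_len:
            findings[host].append(f"password shorter than {min_len} characters")
        hosts_by_password[pw].append(host)

    # One captured or guessed password should not open several devices.
    for pw, hosts in hosts_by_password.items():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(h for h in hosts if h != host)
                findings[host].append(f"password shared with {others}")

    return dict(findings)


def worst_offenders(findings):
    """Hosts sorted by number of findings, most first, for a remediation list."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


if __name__ == "__main__":
    results = audit(INVENTORY)
    for host in worst_offenders(results):
        print(host)
        for finding in results[host]:
            print("   -", finding)
```

Run against the constructed inventory, the two lobby cameras come out on top (default password, too short, and shared with each other), the DVR and VoIP gateway follow on their vendor defaults, and the printer and conferencing system are flagged only for sharing a password. The same structure works against a real export if you map its columns onto the assumed field names; the point is that default-credential and reuse checks are cheap enough to run every time a device is added.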
When an IoT attack comes out of nowhere, you don’t want to be the low-hanging fruit that’s easiest to exploit. You want to have the basics covered so as to limit the damage and support your response.
I’m looking forward to roaming this brave new IoT world with my white hat and my little SDR device with its open source software. But, at the same time, I’m very concerned about the potential for destructive impacts far beyond anything we’ve seen yet. Make Hello Barbie wait in the lobby, just to be on the safe side…
To talk over your current security posture with respect to connected devices and your specific organizational risks from IoT devices, contact Pivot Point Security.