Last Updated on August 9, 2021
News flash for those who have been asleep for the last few years—there are a lot of security issues in IoT.
When an issue rises to the level where it is a key component of a Presidential Executive Order, it’s pretty mainstream. Yet, remarkably, I think many people are not yet as cognizant of IoT security issues as they should be.
IMHO, one reason is that even most InfoSec pros I speak with struggle to define exactly what an IoT device is. I like this definition: “IoT devices are hardware devices, such as sensors, gadgets, appliances and other machines that collect and exchange data over the Internet. The IoT connects devices to the Internet and to other connected devices. The IoT is a giant network of connected things and people, all of which collect and share data about the way they are used and about the environment around them.”
Oversimplifying, almost any device that you hear referred to as “smart” is likely an IoT device. The “smart” prefix tells you that what was once a “dumb” object (e.g., that Bluetooth speaker or lightbulb) is now capable of sending and receiving information that can be used to make decisions/take actions.
Like many technological advances, early iterations of “smart” devices created notable security issues for IoT. The most prominent example is the Mirai botnet, which launched massive denial of service attacks in 2016. Mirai hunted for devices still using their default factory logins, recruiting tens of thousands of “(not so) smart” video cameras around the world for malicious gains.
But “smart” is here to stay—and it now includes bodies, cities, buildings, cars, homes, transportation, factories and almost any other field of use you can imagine. So the question isn’t ‘How do I avoid security issues in IoT?’ The question is ‘How can I take advantage of IoT in a way that minimizes the risk of doing so?’
Fortunately, this is getting easier. Over the last few years, ENISA, NIST, CIS, and OWASP have developed fantastic guidance for both users and manufacturers of IoT devices. Further, regulations like California SB-327 are requiring that IoT device manufacturers implement “reasonable” security features. Looking forward, the new Presidential Executive Order suggests that the FTC develop a consumer labeling process for IoT devices, which would help notably.
That all being said, it’s critical that we understand the risk, and that we have a repeatable, consistent process to manage these risks relating to existing devices that are already deployed and new devices that we plan on deploying.
Managing Risk with Existing IoT Devices
Identifying IoT devices in your home or work environment can be tricky (starting with something as basic as “what is and isn’t an IoT device?”). Picture a nontraditional computing device that communicates with, or is reached from, the Internet. In your home, it’s likely relatively easy to identify them based on what they do/how you use them (e.g., Nest thermostat, Tivo, Alexa, smart TV, Ring Doorbell, security cameras, etc.). Once you have a list, key steps include:
- Ensure that the default credentials (username & password) for your internet-facing router/firewall have been changed.
- Ensure that the router/firewall is kept updated and that you follow the best practices published by your ISP (e.g., a strong, unique password and WPA2-PSK encryption).
- Change the default credentials (username & password) for all IoT devices. If you can’t change the default credentials, ditch the device.
- Use a strong and unique password for each device.
- Where possible, update the devices and schedule periodic updates to ensure the devices remain current. If a device is no longer being updated, ditch it.
- Where possible, enable MFA for account management (e.g., Nest, Google Home).
- Where possible, enable separate networks; e.g., a guest/IoT network and a trusted network for your computers/laptops, and perhaps a separate network for business computers if you work from home.
Identifying IoT Devices in Your Business
The biggest challenge with identifying IoT devices in a work environment versus at home is their greater diversity of use cases and the sheer number of different devices potentially involved. The larger the organization, the more challenging the task. There are some device discovery tools (e.g., Securolytics, ManageEngine) that listen on your network and can automatically identify devices for you. Vulnerability scanning tools like Nessus will also pick up many of these devices. Last, any system that can report on outbound connections (e.g., a firewall or SIEM) can be queried directly, or may offer automated analysis, to identify devices talking outbound from your network. It’s not uncommon to need to use several of these techniques to identify all IoT devices.
If you are wondering if this is all worth it, check out this story on how hackers broke into a casino through an IoT fish tank thermometer.
Once all your IoT devices have been identified, key action items largely mirror the list above.
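As an added example (not code from the original post), here is a small Python script that does the last of the discovery techniques above: it takes a few constructed firewall log lines of outbound connections, groups them by internal source, tags each source with a vendor from a constructed OUI table and a service hint from the destination port, and reports every source that talks outbound but is absent from the asset inventory. The log format, OUI table, inventory, port hints and all addresses are assumptions made up for the example.

```python
"""Candidate IoT device discovery from outbound-connection logs.

Added example, not code from the original post. Log format, OUI table,
inventory, port hints and all addresses are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed firewall records: one outbound flow per line plus one junk line.
SAMPLE_LOGS = """\
2021-08-09T10:00:01 fw ACCEPT OUT src=10.0.20.15 smac=aa:11:22:01:02:03 dst=192.0.2.25 dport=443 proto=tcp
2021-08-09T10:00:04 fw ACCEPT OUT src=10.0.20.15 smac=aa:11:22:01:02:03 dst=192.0.2.25 dport=443 proto=tcp
2021-08-09T10:00:09 fw ACCEPT OUT src=10.0.10.5 smac=aa:55:66:0a:0b:0c dst=192.0.2.80 dport=443 proto=tcp
2021-08-09T10:01:12 fw ACCEPT OUT src=10.0.20.40 smac=aa:33:44:de:ad:01 dst=198.51.100.7 dport=8883 proto=tcp
2021-08-09T10:01:30 fw ACCEPT OUT src=10.0.20.40 smac=aa:33:44:de:ad:01 dst=198.51.100.7 dport=8883 proto=tcp
2021-08-09T10:02:00 fw ACCEPT OUT src=10.0.20.40 smac=aa:33:44:de:ad:01 dst=198.51.100.53 dport=53 proto=udp
2021-08-09T10:02:45 fw ACCEPT OUT src=10.0.20.77 smac=cc:dd:ee:00:00:01 dst=203.0.113.9 dport=123 proto=udp
2021-08-09T10:03:00 fw link state change on eth1
"""

# Constructed OUI (first three octets) -> vendor table. A real deployment
# would load the IEEE OUI registry instead.
OUI_TABLE = {"aa:11:22": "ThermoCo", "aa:33:44": "CamCo", "aa:55:66": "LaptopCo"}

# Constructed asset inventory: internal IP -> (owner, class). Anything that
# talks outbound and is missing here is a discovery candidate.
KNOWN_ASSETS = {"10.0.10.5": ("IT", "laptop")}

# Well-known destination ports that hint at what a device is doing.
PORT_HINTS = {53: "dns", 123: "ntp", 443: "https", 8883: "mqtt-tls"}

LOG_RE = re.compile(
    r"src=(?P<src>\S+) smac=(?P<smac>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_log(text):
    """Yield one dict per well-formed outbound record; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def discover(log_text, inventory=KNOWN_ASSETS, oui_table=OUI_TABLE):
    """Return {src_ip: summary} for each internal source seen talking outbound
    that is absent from the inventory. The summary carries the MAC vendor(s),
    flow count, distinct endpoints and service hints, which is usually enough
    to guess the device class before you go and physically find it."""
    flows = defaultdict(list)
    for rec in parse_log(log_text):
        flows[rec["src"]].append(rec)
    candidates = {}
    for src, recs in sorted(flows.items()):
        if src in inventory:
            continue  # already known; nothing to discover
        macs = sorted({r["smac"].lower() for r in recs})
        endpoints = sorted({(r["dst"], r["dport"], r["proto"]) for r in recs})
        candidates[src] = {
            "macs": macs,
            "vendors": sorted({oui_table.get(m[:8], "unknown") for m in macs}),
            "flows": len(recs),
            "endpoints": endpoints,
            "hints": sorted({PORT_HINTS.get(p, f"port-{p}") for _, p, _ in endpoints}),
        }
    return candidates


if __name__ == "__main__":
    for src, info in discover(SAMPLE_LOGS).items():
        print(f"{src:<12} {','.join(info['vendors']):<10} flows={info['flows']:<3} "
              f"hints={','.join(info['hints'])}")
```

Run against a real firewall or NetFlow export, the unknown-vendor entries and anything speaking MQTT or talking only to one cloud endpoint are the first rows to walk down and physically locate; the known-asset filter is what keeps the output short enough to act on.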
Managing Risk with New IoT Devices
Fortunately, it’s a bit easier if you can address IoT risks before the horse is out of the barn:
- Make sure that the device vendor has a strong security story. Ideally, they can provide a report from an independent security firm demonstrating that the device meets good IoT security practices, with the testing done against one or more standards (e.g., the OWASP IoT ASVS, CIS IoT, ENISA, ioXt).
- Deploy the device in a manner (e.g., segregated) commensurate with risk and function.
- Ensure that you/the vendor have a process for regularly updating the device’s firmware in a secure/validated manner.
- Monitor IoT devices to identify any anomalous behavior.
- Update Incident Response plans to reflect IoT devices.
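To make “monitor IoT devices to identify any anomalous behavior” concrete, here is an added example (not from the original post) in Python. IoT devices usually talk to a small, stable set of endpoints, so it learns a per-device baseline of outbound endpoints and peak per-minute flow rate from a quiet window, then reports three kinds of deviation: a device contacting an endpoint it has never used, a device whose flow rate jumps well above its baseline peak, and a device with no baseline at all. The events, addresses, field names and the spike threshold are all assumptions constructed for the example.

```python
"""Baseline-and-deviate monitoring for IoT devices.

Added example, not code from the original post. Events, addresses, field
names and the rate threshold are constructed for the example; a real
deployment would feed events from a firewall, NetFlow or SIEM export.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Baseline:
    endpoints: set = field(default_factory=set)  # {(dst, dport, proto)}
    peak_per_minute: int = 0                     # busiest minute seen while learning


def learn(events):
    """Build {src: Baseline} from a learning window. Each event is a dict with
    minute (int), src, dst, dport and proto."""
    baselines = defaultdict(Baseline)
    per_minute = Counter()
    for e in events:
        baselines[e["src"]].endpoints.add((e["dst"], e["dport"], e["proto"]))
        per_minute[(e["src"], e["minute"])] += 1
    for (src, _), n in per_minute.items():
        baselines[src].peak_per_minute = max(baselines[src].peak_per_minute, n)
    return dict(baselines)


def detect(baselines, events, rate_factor=3):
    """Return [(src, reason, detail)] for events that deviate from the baseline.
    Each new endpoint and each unknown device is reported once; a rate spike is
    reported per minute in which flows exceed rate_factor x the learned peak."""
    findings = []
    reported_unknown, reported_endpoint = set(), set()
    per_minute = Counter()
    for e in events:
        src = e["src"]
        b = baselines.get(src)
        if b is None:
            if src not in reported_unknown:
                findings.append((src, "unknown_device", "no baseline for this source"))
                reported_unknown.add(src)
            continue
        ep = (e["dst"], e["dport"], e["proto"])
        if ep not in b.endpoints and (src, ep) not in reported_endpoint:
            findings.append((src, "new_endpoint", f"{ep[0]}:{ep[1]}/{ep[2]}"))
            reported_endpoint.add((src, ep))
        per_minute[(src, e["minute"])] += 1
    for (src, minute), n in sorted(per_minute.items()):
        peak = baselines[src].peak_per_minute
        if n > peak * rate_factor:
            findings.append((src, "rate_spike",
                             f"{n} flows in minute {minute} vs baseline peak {peak}"))
    return findings


def flow(minute, src, dst, dport, proto="tcp"):
    """Helper to build a constructed event."""
    return {"minute": minute, "src": src, "dst": dst, "dport": dport, "proto": proto}


# Constructed quiet window: a thermostat phoning home once a minute and a
# camera streaming over MQTT twice a minute, plus one DNS lookup at start.
LEARNING = [flow(m, "10.0.20.15", "192.0.2.25", 443) for m in range(10)]
LEARNING += [flow(m, "10.0.20.40", "198.51.100.7", 8883) for m in range(10) for _ in range(2)]
LEARNING += [flow(0, "10.0.20.40", "198.51.100.53", 53, "udp")]

# Constructed live window with one normal, one new-endpoint, one spike and
# one never-seen-device case.
LIVE = [flow(20, "10.0.20.15", "192.0.2.25", 443)]
LIVE += [flow(21, "10.0.20.15", "203.0.113.66", 23)]                       # new endpoint
LIVE += [flow(22, "10.0.20.40", "198.51.100.7", 8883) for _ in range(2)]   # normal rate
LIVE += [flow(23, "10.0.20.40", "198.51.100.7", 8883) for _ in range(12)]  # 12 flows: spike
LIVE += [flow(23, "10.0.20.99", "192.0.2.25", 443)]                        # no baseline

if __name__ == "__main__":
    for src, reason, detail in detect(learn(LEARNING), LIVE):
        print(f"{src:<12} {reason:<15} {detail}")
```

The point of the per-device baseline is that it needs no signature for the device: a thermostat that suddenly talks to a new address, or a camera whose flow count triples, stands out against its own history, and the unknown-device finding doubles as continuous discovery of devices that were missed in the initial inventory.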
Perhaps a better title for this blog would have been “The Lord giveth, and the hackers taketh away”… Maybe next blog. :>)
With expert guidance and security assessments built specifically to test your ecosystem of connected devices, we can help you to identify and address the security gaps in your IoT environment.