As we’ve noted in a previous post, IoT devices greatly increase the security challenges of defending corporate networks. However, this well-known fact does not seem to have slowed down the adoption of IoT in the enterprise. A recent PwC survey reported that 71% of manufacturers plan to deploy IoT devices despite the associated cyber risks.
So it seems like the IoT train has left the station and is rushing full steam ahead towards the horizon. In order to continue to travel safely, enterprises must understand the risks of deploying IoT devices and how to mitigate them. This assessment process should consider the devices that create the risk, an analysis of the type of attacks that they can be used for and the potential implications and regulatory risks.
Let’s start by identifying the devices that pose the greatest risks to enterprise networks.
The shy, corner printer could be your greatest adversary. NCC Group researchers identified vulnerabilities and exploitations related to six of the largest enterprise printer makers in the world: Xerox, HP, Lexmark, Kyocera, Brother, and Ricoh. These vulnerabilities include susceptibility to Denial of Service (DoS) attacks and a potential for those devices to be used as entry points into corporate networks, with remote code execution and the bypassing of security layers.
A compromised IoT printer could allow threat actors to spy on your print jobs, send electronic copies of documents to themselves or establish a backdoor into the corporate network.
Hackers have known about these vulnerabilities for quite some time, and have abused these in several APT campaigns. Russian government-linked hackers used printers with weak security to access several global enterprise networks, then tried infiltrating more privileged accounts, according to a Microsoft report.
IP cameras are used in many enterprises as security and safety devices. It’s unsettling to think that these same devices could be used to bypass security mechanisms and put your company at risk. But this is exactly what has happened (and will likely happen again). Back in September 2016, numerous security cameras were breached and “recruited” to a botnet, the likes of which had never been seen before. The infamous Mirai botnet launched what was, back then, the world’s largest DDoS attack, and most of the owners of these devices were not even aware of it. Mirai used a simple script that identified security cameras with built-in default credentials and used these to gain control of the devices.
Ever since, manufacturers worldwide have done a lot to improve the basic security of these devices, but very recently a number of wireless cameras and baby monitors tested by consumer group Which? were found to contain multiple security flaws that could allow hackers to spy on employees and abuse these devices in other ways.
Personal Assistants like Alexa and Echo are becoming increasingly popular at home, and these devices are also finding their way into enterprises. Unfortunately, Personal Assistants have also been found to be vulnerable to cyber attackers.
For instance, security researchers exploited a flaw in Amazon Echo at a hacking contest. Previous generations of Amazon Echo are susceptible to an old WiFi vulnerability called KRACK, which allows an attacker to perform a man-in-the-middle attack against a WPA2-protected network.
Key Reinstallation Attack (KRACK) exploits flaws in the WPA2 WiFi protocol (CVE-2017-13077, CVE-2017-13078) and allows threat actors to decrypt packets and steal sensitive data sent over plain text. KRACK affects millions of 1st gen Amazon Echo devices and 8th Gen Amazon Kindles.
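To make concrete why a “key reinstallation” lets an observer decrypt traffic without ever learning the key, here is a small added model of the client side of the WPA2 4-way handshake. It is not code from this post or from SentinelOne: the vulnerable client resets its packet number (the CCMP nonce) to zero whenever it installs a key, so a retransmitted handshake message 3 makes it reuse a nonce; the patched client ignores a reinstall of a key it already holds, which is the fix for CVE-2017-13077. The hash-based keystream is an assumed stand-in for AES-CTR so the example runs with the standard library only; the frames and key are constructed values.

```python
import hashlib

# Assumption: a hash-based counter-mode keystream stands in for the AES-CTR
# keystream that WPA2-CCMP derives from the temporal key and packet number,
# so the example needs no extra libraries. The property demonstrated
# (same key + same nonce => same keystream) holds for the real cipher too.
def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WifiClient:
    """Minimal model of how a client installs the temporal key (TK)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None          # installed temporal key
        self.packet_number = 0  # CCMP nonce: must never repeat under one key

    def on_handshake_message3(self, tk: bytes) -> str:
        # The access point retransmits message 3 if it did not get message 4.
        # Vulnerable behaviour: install the key again and reset the packet
        # number, so the next frame reuses a nonce that was already used.
        # Patched behaviour: a key that is already installed is not
        # installed again, so the packet number keeps counting upwards.
        if self.patched and self.tk == tk:
            return "retransmission ignored"
        self.tk = tk
        self.packet_number = 0
        return "key installed"

    def encrypt_frame(self, plaintext: bytes):
        self.packet_number += 1
        ks = keystream(self.tk, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


# Constructed sample frames of equal length (not captured traffic).
FRAME_1 = b"GET /status HTTP/1.1"
FRAME_2 = b"token=s3cr3t-value!!"


def simulate(patched: bool):
    """Handshake, one frame, retransmitted message 3, a second frame."""
    tk = bytes(range(16))  # constructed temporal key
    client = WifiClient(patched)
    client.on_handshake_message3(tk)
    pn1, ct1 = client.encrypt_frame(FRAME_1)
    client.on_handshake_message3(tk)   # retransmitted message 3
    pn2, ct2 = client.encrypt_frame(FRAME_2)
    return pn1, ct1, pn2, ct2


def keystream_reused(pn1: int, pn2: int) -> bool:
    return pn1 == pn2


def leak_from_known_plaintext(ct1: bytes, ct2: bytes, known_plaintext: bytes) -> bytes:
    """When both frames used the same keystream, ct1 XOR ct2 equals
    p1 XOR p2, so knowing one plaintext reveals the other. This is why nonce
    reuse breaks confidentiality even though the key itself stays secret."""
    return xor(xor(ct1, ct2), known_plaintext)


if __name__ == "__main__":
    for patched in (False, True):
        pn1, ct1, pn2, ct2 = simulate(patched)
        recovered = leak_from_known_plaintext(ct1, ct2, FRAME_1)
        print(f"patched={patched}: packet numbers {pn1},{pn2}; "
              f"second frame recovered: {recovered == FRAME_2}")
```

The detection angle for a defender is the packet-number counter itself: a driver or supplicant that accepts a nonce equal to or lower than one it has already seen under the current key has been rolled back, and vendor firmware that fixes KRACK does exactly this check.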
While the risk of mobile phones and “BYOD” to the enterprise has been acknowledged (but mostly overlooked by many enterprises), their next of kin, wearables, may also pose a considerable risk. Even though wearables don’t store data like emails and files, they can connect to corporate networks and endpoints using WiFi or Bluetooth connections and expose these to the outside world.
Threats come in all shapes and sizes, and that includes those novelty items that might make your office seem “cooler” or more efficient but may contain a hidden security risk. A startling example of this is the case of the smart fish tank that was exploited to achieve data exfiltration from a casino in Las Vegas. The tank’s Internet connectivity allowed it to be remotely monitored, automatically adjusted for temperature and salinity, and to dispense automated feedings. That doesn’t sound too risky and probably seemed like a good way to automate some tiresome chores. However, there were unexpected consequences: the ‘smart’ fish tank also enabled hackers to swipe 10 gigabytes of data from the casino and to send that data to a remote server in Finland.
After covering the types of IoT devices that are susceptible to hacking, let’s see what the implications of such hacks could be:
The biggest risk from an enterprise point of view is that connected devices could be used to gain access to corporate networks. Moreover, as these devices are usually running a minimal Linux install with little RAM or disk space, they cannot be secured by traditional means since it’s impossible to install AV or endpoint security solutions on them.
In addition, many existing network management and security tools are “blind” to these devices, meaning that a compromised device could operate in the network for prolonged periods of time and be used to siphon data from the organization to an external party. For almost a year, an attacker was able to remain undetected on NASA’s Jet Propulsion Lab’s internal network by means of a Raspberry Pi. A lack of visibility across JPL’s network meant the device’s activity, initially connected legitimately by an employee but later compromised by a hacker, went unnoticed by security teams. If it can happen to NASA, it could happen to any other enterprise that doesn’t ensure full visibility across the network.
A recent Forrester report suggests that enterprise IoT devices might fall victim to ransomware attacks. Rather than demanding bitcoin to decrypt files, organizations could be forced to pay the attackers in order to resume control of their devices. This might not seem like a plausible attack scenario until you think about a smart elevator or HVAC (air conditioning) system being held to ransom, and suddenly this might not sound crazy after all.
Recruiting your connected devices to a botnet could impact their performance and usability, the network performance and even expose your organization to legal liabilities, for example if negligence led to these devices participating in a denial of service attack.
In a similar manner, a device that mines cryptocurrencies will use more resources (power, bandwidth), which in turn can have an adverse effect on the performance of both the individual device and the network at large.
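The three behaviours described above (a device quietly siphoning data out, a device recruited to a botnet, a device burning bandwidth) all show up as outbound network behaviour that the device’s normal role does not explain, which is the visibility gap the JPL incident illustrates. The following added example, which is not code from this post or from SentinelOne, runs three such checks over constructed flow summaries of the kind exported from NetFlow or a firewall: an allow-list of the external hosts each device is expected to reach, an outbound-volume check for exfiltration, and a fan-out check for a device contacting many external hosts on one port. The device names, addresses and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow summaries (not real telemetry), one per line:
# device,destination_ip,destination_port,bytes_out,bytes_in
SAMPLE_FLOWS = """\
printer-3f,10.0.0.5,443,1200,800
printer-3f,10.0.0.5,443,1500,700
cam-lobby,10.0.0.20,554,45000000,300
cam-lobby,198.51.100.7,443,62000000,9000
cam-lobby,198.51.100.7,443,58000000,7000
thermostat-2,10.0.0.9,8883,400,400
hvac-ctl,198.51.100.9,443,5000,20000
fishtank-1,203.0.113.4,80,120,900
fishtank-1,203.0.113.5,80,130,800
fishtank-1,203.0.113.6,80,110,850
fishtank-1,203.0.113.7,80,125,900
fishtank-1,203.0.113.8,80,140,950
fishtank-1,203.0.113.9,80,115,880
"""

# Assumed allow-list: the only external hosts each device is expected to reach
# (for example the vendor cloud the HVAC controller reports to). Devices not
# listed here are expected to stay on the internal network.
EXPECTED_EXTERNAL = {"hvac-ctl": {"198.51.100.9"}}

EXFIL_MIN_BYTES = 50_000_000  # assumed: 50 MB outbound to external hosts
EXFIL_MIN_RATIO = 10.0        # assumed: out/in ratio that looks like upload
FANOUT_MIN_HOSTS = 5          # assumed: distinct external hosts on one port

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    # Explicit RFC 1918 check rather than ip_address().is_private, which also
    # treats documentation ranges such as 203.0.113.0/24 as private.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text: str):
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        device, dst, port, bytes_out, bytes_in = line.split(",")
        flows.append({"device": device, "dst": dst, "port": int(port),
                      "out": int(bytes_out), "in": int(bytes_in)})
    return flows


def analyse(flows):
    """Return (device, finding, detail) tuples for external-facing behaviour."""
    stats = defaultdict(lambda: {"out": 0, "in": 0,
                                 "hosts_by_port": defaultdict(set)})
    for f in flows:
        if is_internal(f["dst"]):
            continue                      # internal traffic is out of scope here
        s = stats[f["device"]]
        s["out"] += f["out"]
        s["in"] += f["in"]
        s["hosts_by_port"][f["port"]].add(f["dst"])

    findings = []
    for device, s in sorted(stats.items()):
        all_hosts = set().union(*s["hosts_by_port"].values())
        unexpected = all_hosts - EXPECTED_EXTERNAL.get(device, set())
        if unexpected:
            findings.append((device, "unexpected external destination",
                             ", ".join(sorted(unexpected))))
        # Large, upload-heavy volume to external hosts: exfiltration pattern
        if s["out"] >= EXFIL_MIN_BYTES and s["out"] >= EXFIL_MIN_RATIO * max(s["in"], 1):
            findings.append((device, "possible exfiltration",
                             f"{s['out']} bytes out vs {s['in']} in"))
        # Many small flows to many hosts on one port: botnet / scanning pattern
        for port, hosts in sorted(s["hosts_by_port"].items()):
            if len(hosts) >= FANOUT_MIN_HOSTS:
                findings.append((device, "botnet-like fan-out",
                                 f"{len(hosts)} external hosts on port {port}"))
    return findings


if __name__ == "__main__":
    for device, finding, detail in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{device:12} {finding:32} {detail}")
```

The allow-list is the check that pays off most: a lobby camera or a fish tank has no business talking to the Internet at all, so any external destination is a finding regardless of volume, and the same list doubles as the egress policy to enforce at the firewall once the expected destinations are known.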
Of course, connected devices pose more than a security risk; they also pose a privacy risk. Recent research found that 65% of those surveyed were concerned with how connected devices collect data, while 55% did not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be “creepy.” Given that there have been numerous cases of such devices recording their owners without their knowledge or consent, this is hardly surprising.
IoT devices can leak stored data such as device status, device identifier and personally identifiable information provided by the user, sensor data like audio recordings or video surveillance, and interaction data such as when, where and how the device was activated.
These leaks do not necessarily have to be a result of malicious hacking activity to present a risk. Device manufacturers may be able to access and retrieve such data, which may or may not be shared by the manufacturer with partners or third parties without the device owner being aware.
Even locations that ought to be recorded (like border passes) can be a cause for concern, as was demonstrated when US Customs and Border Patrol agency (CBP) was hacked and images of 100,000 people, along with their vehicle license plate numbers, were stolen.
As the risks are becoming more tangible, regulators and law-makers are being called upon to establish laws and regulations to mitigate the risk.
A recent hearing on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security highlighted the risks stemming from connected devices and the need for devices with built in security.
States are also taking notice: California’s IoT Security Law requires that a reasonable security feature must be “appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Other regulations like the California CCPA and the EU GDPR are concerned with the privacy and integrity of users’ data (which includes employees and customers) that can also be impacted by IoT devices. Above all, the question lingers whether an organization is liable for a device residing on its network that is subsequently recruited to a botnet and then participates in a DDoS attack on another organization.
Procuring IoT devices should always be done with great care. Ensure that the manufacturer does not use hardcoded admin passwords, and that the device does not ‘phone home’ any data that could represent a breach of your security or privacy regulations. Assess the manufacturer’s track record of supplying firmware updates, and choose one that takes security seriously and responsibly.
On acquisition of any IoT device, make certain to change any default passwords so that your device is not susceptible to simple brute force dictionary attacks such as those used by Mirai and similar copycat IoT botnets.
It is also essential that you find out from the manufacturer or supplier what their notification policy is regarding firmware updates and that you have processes in place to patch as soon as possible when an update notification is received.
Where possible, consider the options for physical hardening of the device to prevent tampering and unauthorized access. Is the device located externally to the premises (for example, security cameras in parking lots or other publicly accessible areas)? If so, consider how and under what circumstances you would be able to detect if it had been tampered with.
Securing your IoT devices also encompasses your process for decommissioning used and obsolete equipment. IoT devices can contain sensitive data about your network or business, so they need to be disposed of carefully. In one experiment, researchers reverse engineered a simple ‘smart’ light bulb after use, and were able to retrieve the WPA2 key for the network it had been connected to as well as the root certificate and RSA private key hardcoded by the device manufacturer.
Check to see whether the manufacturer provides a means to reset the device to factory defaults or otherwise wipe any stored data and be sure to dispose of your unwanted IoT devices securely.
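The procurement, default-password, patching, physical-hardening and decommissioning steps above are only useful if they are checked against the actual device inventory on a schedule. The added example below, which is not code from this post or from SentinelOne, turns those steps into an assessment over a constructed asset register: each device record carries the facts the steps ask about, and the assessment produces findings with a severity, measures how far behind the vendor’s latest firmware a device is against an assumed 30-day patch policy, and ranks the devices by risk. The inventory records, the field names and the scoring weights are all constructed assumptions.

```python
from datetime import date

PATCH_SLA_DAYS = 30  # assumed policy: vendor firmware applied within 30 days
SEVERITY_SCORE = {"high": 3, "medium": 1}  # assumed weights for ranking

# Constructed inventory records (not real devices). The fields are the facts
# the procurement, patching, hardening and decommissioning steps ask about.
INVENTORY = [
    {"id": "printer-3f", "vendor_has_update_policy": True,
     "default_creds_changed": True, "firmware_installed": "2019-11-02",
     "latest_firmware_released": "2019-11-02", "location": "indoor",
     "tamper_detection": False, "status": "active", "wiped": False},
    {"id": "cam-lot-1", "vendor_has_update_policy": True,
     "default_creds_changed": False, "firmware_installed": "2019-06-01",
     "latest_firmware_released": "2019-10-15", "location": "outdoor",
     "tamper_detection": False, "status": "active", "wiped": False},
    {"id": "bulb-7", "vendor_has_update_policy": False,
     "default_creds_changed": True, "firmware_installed": "2018-01-10",
     "latest_firmware_released": "2018-01-10", "location": "indoor",
     "tamper_detection": False, "status": "decommissioned", "wiped": False},
]


def assess(device: dict, today: date):
    """Return (severity, message) findings for one inventory record."""
    findings = []
    # Acquisition: factory credentials must have been replaced.
    if not device["default_creds_changed"]:
        findings.append(("high", "default credentials still in use"))
    # Procurement: supplier must tell us when firmware updates ship.
    if not device["vendor_has_update_policy"]:
        findings.append(("medium", "supplier has no firmware update notification policy"))
    # Patching: compare installed firmware date with the vendor's latest release.
    installed = date.fromisoformat(device["firmware_installed"])
    released = date.fromisoformat(device["latest_firmware_released"])
    if released > installed:
        days_behind = (today - released).days
        severity = "high" if days_behind > PATCH_SLA_DAYS else "medium"
        findings.append((severity, f"firmware {days_behind} days behind vendor release"))
    # Physical hardening: externally located devices need tamper detection.
    if device["location"] == "outdoor" and not device["tamper_detection"]:
        findings.append(("medium", "externally located without tamper detection"))
    # Decommissioning: stored data (keys, credentials) must be wiped first.
    if device["status"] == "decommissioned" and not device["wiped"]:
        findings.append(("high", "decommissioned but stored data not wiped"))
    return findings


def risk_score(findings) -> int:
    return sum(SEVERITY_SCORE[severity] for severity, _ in findings)


def report(inventory, today_iso: str):
    """Rank devices by risk score (highest first, then by id)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for device in inventory:
        findings = assess(device, today)
        rows.append((device["id"], risk_score(findings), findings))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for device_id, score, findings in report(INVENTORY, "2019-12-01"):
        print(f"{device_id}: risk {score}")
        for severity, message in findings:
            print(f"    [{severity}] {message}")
```

Running it on the constructed register puts the outdoor camera that still has its factory password and is 47 days behind on firmware at the top, and the decommissioned bulb that was never wiped (the light-bulb case above shows exactly what that leaves behind) next, which is the order a security team would work through them.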
Given such considerations, purchasing dedicated IoT security solutions might be suitable for some organizations, especially ones with specialized devices such as medical equipment. For others, seek solutions such as SentinelOne Ranger that leverages existing infrastructure and architecture to provide visibility into IoT devices on your network. Ranger allows enterprises to monitor and manage IoT devices before they become a security hazard.
There’s no doubt that IoT ‘smart’ devices are here to stay in enterprise environments and along with that comes a number of security risks as we’ve outlined above. The recent International Botnet and IoT Security Guide by the CSDE (Council to Secure Digital Economy) states that botnets are more frequently targeting enterprise IoT and other IoT devices with more complex processors and architectures. And indeed, the risk will increase as more devices find their way into corporate environments.
It’s vital that your enterprise is aware of the risks IoT devices present and that it develops policies to govern how these devices are procured, monitored and decommissioned. If you would like to know more about how SentinelOne’s Ranger technology can help keep your IoT devices secure, contact us today.