25th April 2021, Kathmandu
Matt Dunn, the associate managing director for cyber-risk at Kroll, discusses how to keep networks safe from insecure IoT devices.
As the pandemic continues to fuel the shift to remote work, numerous manufacturers have capitalized on this movement to create a multitude of handy internet of things (IoT) devices. While these devices may make our home and work lives more convenient, they greatly expand the attack surface for cybercriminals. Here, we’ll take a look at the best cybersecurity practices that can thwart attacks.
IoT devices introduce a host of vulnerabilities into organizations’ networks and are often difficult or impossible to patch. With more than 30 billion active IoT device connections estimated by 2025, it is imperative that information-security professionals find an efficient framework to monitor and protect IoT devices, so they are not leveraged for distributed denial of service (DDoS), ransomware, or data exfiltration.
When the convenience of a doorbell camera, robot vacuum cleaner, or cellphone-activated thermostat could potentially wreak financial havoc or threaten physical harm, the security of these devices cannot be taken lightly. We must refocus our cyber-hygiene mindset to view these devices as potential threats to our sensitive data. There are too many examples of threat actors gaining access to a supposedly insignificant IoT device, like the HVAC control system for a global retail chain, only to pivot to other unsecured devices on the same network before reaching valuable sensitive information.
While phishing remains the most popular attack vector, reinforcing the need for people to be an integral part of a strong security program, IoT devices now offer cybercriminals another avenue into accounts and networks: a foothold from which to steal data, conduct reconnaissance, and deploy further malware. Recent cases have shown examples of this:
- In 2019, cybercriminals were able to gain access to a casino’s database of “high roller” clients when they compromised a smart thermometer in a fish tank in the casino’s lobby and then pivoted into the casino’s network;
- Vulnerabilities in a home alarm system allowed cybercriminals to enrol those devices in a botnet, which was then used both to conduct DDoS attacks and to spread malware;
- And, a corporate executive’s external Bluetooth-connected speaker allowed hackers to listen in on his sensitive conversations while he worked from home.
Key Security Controls for IoT Devices
The design and manufacturing cycle for IoT devices rarely builds security into the development process. Some of the primary methods of IoT compromise, and the security measures that remediate them, include:
1. Default Passwords
As with most new devices that connect to a network, many IoT devices ship with default passwords. Unfortunately, lists of internet-exposed device addresses and the manufacturers’ default credentials are both readily available on dark web markets, so a device still using its default password, or a simple password susceptible to brute force, is an easy way for threat actors to gain a foothold and then reach further into the network and, potentially, the sensitive data maintained on it.
2. Unpatched Vulnerabilities
Unpatched hardware and software have been a prime target of cyber-threat actors for years. Recently, we’ve seen how unpatched operating systems enabled the global WannaCry ransomware attack on Windows machines; how vulnerabilities in unpatched software platforms were exploited, such as those experienced by users of Citrix; and how, even in 2020, threat actors were still using the EternalBlue exploit against unpatched systems to deploy large-scale ransomware attacks on compromised networks. IoT firmware deserves the same patching discipline as servers and workstations, and a device that can no longer be patched should be isolated or retired.
3. Flat Networks
An IoT compromise usually becomes damaging when the compromised device sits on the same network as sensitive or critical data. IoT devices should be segmented from other systems on the network to limit a threat actor’s ability to move laterally to where they can cause the most damage, both financially and to infrastructure.
4. Network Inventory
IT teams should conduct periodic inventories of their networks to identify which devices are connected and verify that each has been approved. Knowing which devices are actually active on the network also lets teams patch them. We have seen too many situations in which threat actors had access to a network for months (or longer) because nobody was certain which unauthorized devices or accounts were using it. Left unaddressed, this gives threat actors unfettered access to quietly conduct reconnaissance: to identify critical data with monetary value, to learn configurations and security features, and to deploy additional malware.
5. Bluetooth
Many IoT devices use Bluetooth to pair with phones, hubs, and other nearby equipment. However, Bluetooth has had its own share of security vulnerabilities that could leave these devices open to attack. This is especially concerning for Bluetooth-enabled medical devices and implants, where a compromise could lead to the theft of PII/PHI, or threaten the health of the patient if the device were disabled. Users should put Bluetooth-paired IoT devices in non-discoverable mode once pairing is complete. As hackers continue to identify vulnerabilities in Bluetooth, it is important to apply firmware patches for Bluetooth-enabled devices as manufacturers issue them.