The IoT: Gateway for enterprise hackers
A very merry Christmas could give way to a not-so-happy New Year security hangover for enterprises, once a few million more Internet of Things (IoT) devices are unwrapped and migrate from homes into the workplace.
So, a webinar this week hosted by The Security Ledger titled: “Who Let the IoT in?: Finding and securing wireless devices in your environment,” was designed to offer some advance advice on how to cope with it.
Paul Roberts, founder and editor in chief of The Security Ledger, who moderated the event, began by framing part of the problem: Although the IoT is now well established, many of the legacy tools enterprises still use to identify and manage vulnerable devices were, “designed for the ‘Internet of Computers’ rather than the IoT.
“They’re poorly suited to spotting the radio frequency and other wireless communication protocols that connected smart devices use to communicate and function,” he said.
In other words, if you can’t see it, you can’t manage it. So, much of the discussion centered on what to look for and how to find it. Ted Harrington, executive partner at Independent Security Evaluators and one of three panelists, said that consumer IoT devices, “are being brought into the enterprise in an unsanctioned, even if unintentional, way.”
And the warning is that these devices are indeed a clear and present danger to enterprises. They remain notoriously insecure, which makes them the weak link that can allow attackers to hack into them and then “pivot” too much more important and valuable parts of the network.
GET YOUR DAILY SECURITY NEWS: Sign up for CSO's security newsletters
The panelists noted that besides the devices themselves, another element of the expanded attack surface is being created through relatively new kinds of wireless networks that cater to low-power IoT devices like electric meters or smart watches, which emit small amounts of data.
Bob Baxley, chief engineer at Bastille Networks and another panelist, said the, “long-range, low-power, low-data-rate, nearly free protocol,” offers an alternative to WiFi and cellular, which have different strengths and weaknesses but are both “power hungry.”
He said the new networks amount to, “a huge slice of the performance space,” that until recently was not covered by other protocols or vendors. “Once you have it, you can start deploying sensors widely for pennies, and it opens up a whole bunch of new use cases for a whole bunch of things,” he said.
So, of course, new and established companies are flocking to it. Baxley mentioned Sigfox, LoRa and NarrowBand IOT, but added that, “huge players like Comcast, Verizon and Orange have publicly announced they are getting into this space.”
Of course, enterprises are likely aware of their IoT devices that differ from the consumer market – Baxley mentioned the sensors that handle the physical security system, such as door locks, and said other automated systems include everything from forklifts to lighting to the HVAC environmental controls in a data center.
But Harrington noted that there are IoT devices mainly aimed at the consumer market that are common in enterprises as well.
“The prime example is the smart TV,” he said. “You can’t walk into a conference room without seeing a large monitor for presentations or conferences. They’re generally the same things that a consumer would buy.
“And what’s compelling is that TVs have a tremendous amount of computational power. Adversaries like that because it enables them to do a lot of things,” he said.
To avoid getting burned by IoT vulnerabilities, the panelists said IT departments need to know what is connected to their internal environment. Right now they frequently don’t.
Baxley, whose firm uses a software-defined radio sensor to scan for radio-enabled IoT devices on a network, told of a job his firm did for a major credit processing company, where the director of IT security, “was sure that the data center would be free of unknown wireless. It was very secure – even the employees were escorted in.
“But as soon as we turned on the sensors, we saw that all the HVAC units were beaconing ZigBee (a short-range wireless protocol) – you could clearly see them on the UI,” he said.
“Theoretically you could ‘talk’ to them from the parking lot, which makes it an interesting attack vector.”
Baxley added that the newer, cheaper, wireless protocols on the market have a much longer range, which would allow attackers to operate from farther away. “Now I don’t have to be 200 meters away, I could be two kilometers away to talk to it and mess with it (a device),” he said.
The panelists stressed that the risk is not so much that an individual device is compromised, but that it provides a gateway to the network. Harrington called them “stepping stone” attacks.
“Even a modestly sophisticated attack is not after the end victim directly,” he said. “The proverbial question is that if someone hacks my light bulb, who really cares? But what it means is that it is a pivot point into the network. You find the weakest link in a trust chain and then leverage trust or access to get to the final victim.”
And, as security experts have been saying for years, IoT devices are rarely designed with security in mind. The third panelist, Drew Fry, manager of PwC’s Cyber Threat Detection and Response practice, noted that, “the development cycle – the time engineers have to design and develop the chips, select the protocols and then go to market – is so insignificant that to stay competitive, they are going to the easiest, most vulnerable thing. Not because they don’t care but because it works. It’s easy to make Telnet work. It’s easy to use built-in, default root passwords,” he said.
But while the IoT threats are obviously expanding and evolving, both Fry and Harrington said security basics remain the same.
“We’re seeing the same problems we saw 20 and 50 years ago,” Fry said, “where we have to go back and find whether devices are being properly patched, physically secured or being allowed to communicate without restriction. We need to make sure this is something we are looking for, and that if an attacker is using something like this device, we can detect and analyze it.”
Harrington said he believes the IoT, even with the new wireless protocols involved, doesn’t even amount to a new paradigm. “The IoT has changed many things,” he said, “but from a security perspective, it’s the same challenge as dealing with any other security risk. It requires a programmatic approach – threat modeling.”
That, he said, has four components:
Identify the assets your organization cares about protecting.
Identify your potential adversaries – nation states, organized crime or other kinds of groups.
Understand your attack surface – the IoT is just one of them.
Know how adversaries are likely to attack.
“That approach will help companies think through this and any security problem,” he said. ”Then you can start thinking about tools and techniques.”