One of the latest trends to hit the cyber security landscape is that of the Internet-of-Things (IoT) device. We take a look at what IoT really means, why it matters to us, and what can be done to protect against the new threat that it presents.
WHAT IS IOT, WHY DO I CARE?
In short, IoT refers to the many different types of ‘Smart’ devices that surround us in our daily lives. Figuratively, ‘smart’ means they are likely to be innovative and somehow make our lives easier than they were with the incumbent ‘dumb’ devices. Literally, ‘smart’ means the device has a computer in it. Typical IoT devices that we are likely to see in our daily lives are:
Home Automation Systems - such as Wireless Thermostats and Intelligent Light bulbs
Wearable Devices - Wearable Devices such as watches and health monitors
Internet Connected Electronics - Smart TV's, speakers, and virtual assistants like Amazon’s Alexa.
What these devices all have in common is that they all need to use software written by humans, and since to err is human, this means that that they will have vulnerabilities that can be exploited. Further, to make the situation even more problematic, these devices are connected to the internet, don’t have the capacity to run anti-virus software, and function, rather than security, is the priority in their development. This means that these devices usually offer a better opportunity for malicious actors to exploit the device and get a foothold into your private world. Additionally, IoT devices are often not centrally managed and/or monitored and this often means that software security updates are rarely applied - that is of course if they are made available at all by the vendors.
“Connected devices will have vulnerabilities that can be exploited”
DO I HAVE ANY IOT DEVICES IN MY BUSINESS?
There are billions of IoT devices that are assisting businesses in doing their day to day activities. Many businesses are embracing the new opportunities that these devices bring, for example road haulage companies can use IoT to track driver’s locations and reduce insurance premiums. Other companies are utilising IoT devices in the domain of Building Management Systems, which includes control of heating/ventilation, and site security (video cameras and door access systems for example). There is also a plethora of devices that you may not think are Smart devices that exist within the enterprise. For example, Video Projectors and TV’s often have a network connection that could provide a malicious actor with the perfect backdoor and pivot point to move around your network environment.
“There are a plethora of devices you may not realise are ‘smart’ in the enterprise”
AN IOT ATTACK SCENARIO
It is useful to outline a typical attack vector to demonstrate the vulnerabilities that exist within many businesses as a result of their IoT devices. For some background, most modern meeting rooms either have a high-end projector or a TV to enable the traditional PowerPoint presentations to be shown in all their glory. As such, companies have been moving to using high-end consumer devices so their 60 inch displays and vibrant colours will wow customers and colleagues alike. However, many of these high-end devices are ‘Smart’ TV’s whose software was developed to allow home users to stream video from the internet or catch-up on the latest box sets. This means that they are running a full operating system that has been developed with consumer features in mind, and enterprise security is a secondary concern.
In this scenario, let’s imagine that a smart TV has been installed in a board room for a year now and it has been disconnected from the internet. Within the last few weeks the TV has been showing on the display that the on-board software is out of date and it urgently needs an update to improve security. Helpfully a member of staff has realised that this message was getting on the nerves of the presenters and thought the easiest way to solve the issue is to plug the TV in to the spare network connection that is sitting right beside the TV. This in itself is not an issue as of course patching to the latest software is a great security feature, or is it?
“Plugging the smart TV into the network allowed it to install important security updates”
Behind the scenes the Smart TV now happily goes off to the internet and downloads a new software update that enables a new feature of the device, voice recognition to enable hands free control of the TV. Voice recognition works by sending a stream of audio from microphone on the TV to the internet (typically a server that is geographically different from where the TV is located) where the number crunching for the recognition is actually done and the results are streamed back to the TV to decide on what operation to perform (change Channel/Volume Up Down etc). Interestingly, the loss of control of data may be considered a breach (under GDPR for example) depending on the data, its classification and the regulations a company may need to comply with.
In effect what you now have is a spy in the board room. Every conversation that you have in that room is now streamed to another company in potentially another country for detailed analysis, this seems to be a great way to lose important intellectual property or business confidential information. But the risk does not diminish over time as unfortunately there is also the potential now for malicious software to identify this device and exploit any vulnerabilities that are present and then pivot in to the connected network opening up a whole other set of risks.
This scenario outlines just a single case of how the advent of smart devices can open up a new attack vector within your business and additionally how hard it is to prevent this sort of threat being realised. Before you think, “that will never happen to us,” we’ve seen this happen on more than one occasion.
HOW TO PROTECT YOUR BUSINESS AGAINST THE IOT ATTACK VECTOR
Whilst we cannot cover all of the different IoT attack vectors (there are likely to be thousands) there are some steps that your business can take to reduce the risks associated with the rise of IoT devices.
Here are our top five things to think about when you are looking at protecting yourself from the IoT based threats:
Know what devices you have in your business – at the end of the day you cannot protect what you do not understand. This means that you should be keeping an Asset Register/Inventory and network diagram of all devices in your company so you can look for vulnerable devices and weaknesses that present themselves.
Training and Policy Definition – work with your team to recognise where the risks of smart devices lie. Specifically telling users to check with IT before connecting new devices to networks or using company credentials to create accounts on IoT portals. Users should be trained and policies should be in place to stop unauthorised connecting of devices to the network.
Invest in understanding your network and protecting it – a simple penetration test on the inside of your network can tell you a lot about what IoT devices you have, but this is fairly limited, really you want to be monitoring the network continuously to look for threatening behaviours of new devices and unusual device behaviour so you can assess the risk quickly and mitigate where necessary.
Isolation of devices – design security in from the outset. Talk to your own departments and also subcontractors about whether they need to use smart devices and if so how they manage the security of the devices. Consider implementing network segmentation and multi-layered network protection, ideally by investing in a separate network that is dedicated to these types of device where they can be easily monitored and contained if required.
Create policies that can be adhered to - don’t just ban IoT devices! The prevalence of IoT will mean that you will encounter them at some point and if you have not thought about risk mitigation then you will have an unpleasant surprise. Create some simple guidelines that users can follow to assist them in adding and managing IoT devices on the network.
While not an exhaustive list, these simple points can significantly assist you in identifying and protecting yourself against new and emerging threats.
IoT Devices need to be embraced, that way they can be managed. Managing the implementation of IoT devices securely from the outset can save a lot of headaches down the line.
THE FUTURE OF IOT AND SECURITY OF CONNECTED DEVICES
Predicting the future is difficult,however some common near-term trends in IoT are:
Automation – devices interacting with each other to provide autonomous services. For example, your car will tell your home heating to turn up more when the driver is close to home and they have the cars heating on high. These features are likely to be enabled out of the box, so it will be important to know what communications devices will carry out automatically before bringing them into a network.
Smaller and smarter – devices are likely to get smaller and more disposable and existing devices will become more powerful. Networks of devices will ‘mesh’ to provide more advanced computing power. This will likely mean devices will become harder to track, and harder to discover on a network.
More vulnerabilities and exploits – as the complexity and prevalence of IoTdevices increase so will the ability to exploit the devices. As devices become more prevalent, this in-turn will incentivise hackers to create more targeted malware to take advantage of this new generation of exploitable computers.