The Internet of Things is an exciting and innovative technological evolution that is changing the way we live, do business, and interact. The IOT provides improvements in efficiency, convenience, and overall business processes. Such technological advancements are welcomed and ought to be embraced. However, from a cybersecurity standpoint, the IOT causes more problems and challenges than it fixes. Any organization actively adopting the IOT must make security a key priority.
There is huge market demand for the IOT. Research conducted by the Boston Consulting Group concluded that IOT spending will increase between 2x and 4x from 2015 levels by 2020. As such, companies are producing products as fast as they can get them to market. Often this means products are not being developed with security in mind; vulnerabilities in the code are common.
Similarly, when companies purchase smart devices and integrate them, often they do not consider the security risk they may pose. Perhaps the device is innocuous; a one off integration that connects to the network to maintain quality. As more and more IOT devices are connected to the network, the larger the attack surface becomes. Thereby providing hackers with increased opportunity for exploitation.
Illustrating the risk that IOT exposes are two recent use cases: A casino breach via a smart thermometer and the Mirai IOT Botnet
Use Case: Casino
A recent casino breach was reported in which their high-roller database was accessed and stolen by hackers through exploiting the aquarium thermometer. Through reconnaissance efforts the hackers discovered the thermometer and exploited it to access the corporate network. Once in the corporate network they traversed around and discovered the database and pulled it off the network.
This perfectly illustrates the risk that IOT introduces into the enterprise environment. A random, seemingly innocent device is not developed securely. Said device is deployed and connected to the corporate network. Hackers discover it, exploit it, and then steal data.
Use Case: Mirai Botnet
Recognizing the security deficiencies in the IOT, the folks behind the botnet scanned the internet looking for open Telnet ports. Once identified, they then attempted to login to those devices using a variety of common default usernames and passwords. On devices they were able to successfully log into, the Mirai tool was installed and turned the device into a bot.
A majority of the devices that became bots in this digital army were IOT devices. Again, this is because they were not built with security in mind and Telnet is an easy way for administrators to remotely access the system for maintenance. Once all the bots in the botnet were in place, DDoS attacks began against the servers of video game Minecraft.
So in this case, the IOT was not a means by which the hackers launched a data breach, rather it hijacked corporate assets to be used in an attack.
What can you do?
- Don’t be afraid of the IOT, just make sure you consider the security implications
- When IOT products are purchased, ensure they are isolated to only the part of the network to which it requires access
- Include IOT products within the scope of your annual pen-test
- Change default passwords
- Patch all devices, internally and externally facing