INTERNET OF THINGS ARTICLE - PROTECT NETWORKED IOT DEVICES OR PROTECT THE NETWORK FROM IOT DEVICES?
Protect networked IoT devices or protect the network from IoT devices?
IoT devices tend to greatly increase a company's attack surface, but you can minimize the risk.Nikolay Pankov
June 4, 2021
In Into the
Mind of
an IoT Hacker at RSA Conference 2021, security specialists Itzik
Feiglevitch and Justin Sowder brought up the issue of vulnerability of various IoT devices and
the
special treatment they require from corporate cybersecurity. They offered a few stunning
examples
showcasing the state of IoT security in today's businesses.
Few cybersecurity specialists keep track of their corporate IoT hardware. More often than not,
smart
elevators, all sorts of sensors, IPTV, printers, surveillance cameras, and the like are just a
motley collection of disparate devices, each with its own OS and proprietary protocols, and many
lacking any sort of proper control interface ... you get the picture. Your company may have
thousands of them.
Why IoT devices introduce extra cybersecurity risks
IoT devices are not always regarded as belonging to the relevant infrastructure; although a
network
printer normally counts as a network device, the same isn't true of "smart building" components
or
even IP telephony systems. To be clear, such devices tend to be connected to the same network as
corporate workstations are.
Staff coming and going may complicate the situation even further. The greater the turnover in
cybersecurity and IT, the better the chance a new person won't know a thing about the IoT zoo
connected to the network.
Perhaps worst of all, some of those devices are accessible from the outside. The reasons may be
legitimate - vendor control over some aspect of a device; telework availability; maintenance -
but
having devices on the corporate network on the one hand, while being permanently hooked to the
Internet on the other, is risky.
It may sound paradoxical, but the very robustness of modern electronics is another risk factor:
Some
IoT devices have very long life spans and are running in vastly more complex security
environments
than they were designed for.
For example, some devices run obsolete, vulnerable operating systems that are no longer updated
-
and even if they can be, updating may require physical access (which can range from difficult to
nearly impossible). Some feature unchangeable passwords, debugging backdoors erroneously left in
the
final firmware release, and many other surprises to spice up the life of an IT security pro.
Why attackers take an interest in IoT devices
Cybercriminals find IoT devices interesting for several reasons, both for host company attacks and for attacks on other companies. The main uses for compromised smart devices are:
- Setting up a botnet for DDoS attacks;
- Mining cryptocurrency;
- Stealing confidential information;
- Sabotage;
- As a springboard for further attacks and lateral movement in the network.
Case studies
Researchers have described some cases that are fairly ridiculous. These relate to both standard
devices connected to the Internet and quite narrowly specialized ones. Two prominent examples
highlight ultrasound machines and devices using Zigbee protocols.
Ultrasound machine
Modern organizations working in the healthcare sector make use of numerous IoT medical devices.
To
test the security of such devices, researchers bought and tried to hack a used ultrasound
machine.
They needed only about five minutes to compromise it; the device was running on a version of
Windows
2000 that had never been updated. Moreover, they were able not only to obtain control of the
device,
but also to gain access to the patient data the previous owner hadn't deleted.
Physicians often use medical devices for years, or even decades, without updating or upgrading
them.
That's understandable - if it ain't broke, etc. - but these devices don''t merely operate for a
long
time in the first organization that acquires them; they are often resold and continue to
operate.
Zigbee protocols
Companies use Zigbee networking protocols, which were developed in 2003 for energy-efficient
wireless communication between devices, to build mesh networks, and often to connect various
components within a smart building. The result: a gateway somewhere in the office that controls
dozens of different devices, such as, for example, a smart lighting system.
Some researchers say a cybercriminal could easily emulate a Zigbee device on a regular laptop,
connect to a gateway, and install malware there. The cybercriminal would just have to be within
the
coverage area of the Zigbee network - for example, in the office lobby. Once they controlled the
gateway, however, they could sabotage work in any number of ways - for example, by turning off
all
of the smart lights in the building.
How to secure a corporate network
Security officers are not always sure whether they should protect IoT devices on the corporate
network or protect the corporate network from IoT devices. Actually, both problems need to be
solved. The important thing here is to ensure that every item and action on the network is
visible.
Establish corporate security requires first identifying all devices connected to the network,
correctly classifying them, and, ideally, analyzing associated risks.
The next step is, of course, network segmentation based on the results of the analysis. If a
device
is necessary and irreplaceable but has vulnerabilities that updates cannot fix, then you'll need
to
configure the network to deny vulnerable devices Internet access and also to remove their access
from other network segments. Ideally, use a Zero Trust concept for segmentation.
Monitoring network traffic for anomalies in relevant segments is also critical to your ability
to
trace compromised IoT devices being used for DDoS attacks or mining.
Finally, for the early detection of advanced attacks that employ IoT devices as anchors in the
network and attack other systems, use an EDR-class solution.
For any enquiries, please contact Kaspersky Head of Public Affairs, APAC, Ms. Genie Gan, at [email protected]