Questionable understanding of the term and what the technology does can leave organizations exposed.
As the IT press tells us with monotonous regularity, the Internet of Things (IoT) is a global cyber security disaster – people might even be able to hack our electric kettle and gain access to our networks. As Ken Munro, security pen tester and presenter of the video in the previous link, puts it: “Unfortunately, security and the Internet of Things aren’t often found in the same place”. It feels like we security professionals need to care a lot about IoT, then.
Let’s back up for a moment and ask ourselves: what does IoT actually mean? IBM has a great definition, calling it: “a network of physical devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity that allows them to collect and share data”.
IoT Creep into Organizations
Now, when we think of IoT, most of us are thinking of hardware like “smart home” kit – cameras, video doorbells, Wi-Fi-connected refrigerators and so on. We all know that IoT creeps into many businesses as “shadow IT” – kit that has been bought and installed by users without the knowledge of the IT team (or, in the most frightening cases, after the IT team has expressly refused to entertain the idea of installing it). The question is, do we need to care about this type of equipment?
In some ways, no. If we’ve secured our private networks properly (and, perhaps surprisingly, many of us have), it shouldn’t be possible to connect a new device into either the cabled Ethernet network or the wireless LAN without IT configuring the infrastructure to allow it in or IT at least becoming aware of its existence. One therefore finds that “shadow IT” equipment is often languishing on the “guest” Wi-Fi network which can’t see the private network at all – which means a successful attacker can only really move around the non-critical, almost sandbox-like, public-facing network and not see the company’s crown jewels.
There are two problems, though. First, even if the kit isn’t on your private network, it’s in your private premises. All this stuff is sitting on desks, pinned to ceilings and walls, and can hear (if it has a microphone) and see (if it has a camera) what’s going on. Intruders no longer have to sneak past your security guards to look around the building – they just have to find a way into your guest Wi-Fi (and I bet you’ve never done a scan and seen how badly your Wi-Fi network signals leak out through the walls and windows of the office, into the car park and over the back fence).
Problem two with IoT comes not just with “shadow IT” but even with kit that is formally sanctioned and supported by the IT team. On the face of it you probably have a reasonable level of security by putting everything behind a NAT firewall so people can’t just make an inbound connection to it from the internet. In the vast majority of cases, though, you manage IT kit via a portal on the vendor’s web site – that is, out there on the internet. How do you connect to the individual devices? Easy: the management portal can’t connect inbound, so all the devices make an outbound connection to the portal. And where there’s a connection, there’s a way to do something bad with it.
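A defender can check both assumptions above (guest Wi-Fi cannot reach the private network, and sanctioned devices only call out to their vendor portal) against firewall flow records. The following is an added example, not part of the original article; the subnets, the device inventory and the flow records are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
PRIVATE_NET = ipaddress.ip_network("10.10.0.0/16")
IOT_NET = ipaddress.ip_network("10.10.20.0/24")   # IoT segment inside the private LAN
GUEST_NET = ipaddress.ip_network("10.50.0.0/24")

# Hypothetical inventory: sanctioned device -> vendor portal addresses it may call.
SANCTIONED = {
    "10.10.20.5": {"203.0.113.10"},   # door camera
    "10.10.20.6": {"203.0.113.10"},   # thermostat
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.20.5", "203.0.113.10", 443),   # camera -> its portal: expected
    ("10.10.20.6", "198.51.100.77", 443),  # sanctioned device, unknown destination
    ("10.10.20.9", "203.0.113.99", 8883),  # device IT has never heard of
    ("10.50.0.23", "10.10.1.4", 445),      # guest Wi-Fi reaching the private LAN
    ("10.50.0.23", "198.51.100.5", 443),   # guest Wi-Fi to the internet: expected
]

def audit(flows, sanctioned=SANCTIONED):
    """Return (finding, src, dst, port) for every flow that breaks an assumption."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        internal_dst = d in PRIVATE_NET or d in GUEST_NET
        if s in GUEST_NET and d in PRIVATE_NET:
            # The guest network is supposed to be unable to see the private one.
            findings.append(("guest-reaches-private", src, dst, port))
        elif s in IOT_NET and not internal_dst:
            if src not in sanctioned:
                # Outbound connection from a device missing from the inventory.
                findings.append(("unknown-device-outbound", src, dst, port))
            elif dst not in sanctioned[src]:
                # Known device, but not talking to its expected vendor portal.
                findings.append(("unexpected-destination", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```
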
Taking Advantage of IoT on the Network
“Something bad” in this sense takes two forms. The most basic one is to compromise your login credentials for the portal and simply take over management of your equipment. In most cases, though, the vendor will be sensible and enforce Multi-Factor Authentication (MFA) to make this very hard: for example, this correspondent just checked his smart doorbell (Ring, if you’re wondering – other smart home vendors are available) and was prompted for an MFA code. The more advanced one is to compromise the vendor’s systems via a more “traditional” hacking route and do something nasty – the classic example of which is the SolarWinds attack of 2020, in which malicious actors placed rogue code into a software update which customers then innocently downloaded.
So far, we’ve talked about the kind of IoT you find in the average home or office, but let’s take a look back at the IBM reference we made earlier. It says that IoT devices “can range from simple ‘smart home’ devices like smart thermostats, to wearables like smartwatches and RFID-enabled clothing, to complex industrial machinery and transportation systems”.
Yes, we can have the same threats posed to us from massive industrial systems as are presented by simple cameras and thermostats. The Facilities team that wants to remote-control the air-conditioner from home rather than coming on-site when alerts sound is just as big a threat to our security. Many modern cars now contain a 4G SIM and the owner can turn on the air-con from a phone app so it’s nice and cool when they get in five minutes later. While this is nice and convenient, it makes you think when you then read about researchers hacking a big truck and what might happen if a bad actor did this in real life.
So, then, IoT isn’t all about small things. It exists in all shapes and sizes. And whether it’s a camera that someone could hack to look around your office, or a massive drill whose compromise could potentially be fatal, we have to be constantly vigilant and do something about the threat. Let’s remind people what they need to do and help them do it.