Can one CISO ever beat an army of IoT devices?
IoT devices need not even be connected directly to the internet to become corporate vulnerabilities.
The security threat from the Internet of Things (IoT) has become real largely because so many IoT devices arrive unnoticed. Corporate maintenance, facilities and operations departments are not accustomed to requesting IT's sign-off before purchasing light bulbs or door locks. Yet when those devices carry their own communications capabilities, whether independent of the corporate network or riding on it, they are an easy backdoor for cyberthieves.
Some of the threats discussed are still hypothetical, experts say, such as using subtle brightness changes and faster-than-the-eye-can-detect flashes from IoT light bulbs to transmit information through office windows to detectors or receivers in the parking lot. But if it can be imagined, it can be done.
"It's possible to leak data out of a building by adjusting the brightness of smart light bulbs," says Daniel Messier, director of advisory services for IOActive. "This means corporate data could potentially be exfiltrated outside of a secure building without needing to pass through a firewall or taking any media outside the building, etc. All that's needed is a window to the outside."
Messier says that "understanding IoT security by application and market segment is critical to fixing problems." In automobiles, he explains, the entertainment system accepts connections from passenger mobile devices, which download applications made in China. "You don't want those anywhere near the control systems for the vehicle."
But many more threats have already hit enterprises.
Consider the door-lock problem experienced recently by a major London-based financial institution, one that had just installed network-attached door locks. "Whenever they did pen testing and ran a scan of a particular network, all the door locks at the site crashed and failed in an open position," says Zaid Al Hamami, CEO at Immunio. "Because companies are not yet used to the fact that things like locks, cars and toasters are connected to a network, they don't expect them to be subject to the same major issues that connected devices are."
Al Hamami says that when the British institution's pen testing software reached the phase that probed open ports and the web interfaces behind them, it requested a huge number of candidate URLs in an attempt to break in. One of the door controller's commands turned out to be exposed as a plainly guessable URL that needed nothing more than a request to trigger it, he says, so the scan released every door on the site.
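The door-lock incident above is a textbook consequence of putting a state-changing command behind a plain GET URL with no authentication: any tool that enumerates paths, including a routine vulnerability scan, will eventually hit it. The following simulation is an added example, not code from the article or from any vendor mentioned in it. It stands in an in-memory "controller" for the real device and a wordlist walk for the pen-test scanner; the path names, the `X-Api-Token` header and the token value are all constructed for the example. The hardened variant shows the two controls a practitioner would check for: rejecting non-POST requests for actions that change state, and requiring an authentication token before acting.

```python
"""Constructed simulation of a network-attached door controller being
hit by a directory-brute-forcing scan. Nothing here touches a network
or a real device; all names, paths and the token are made up."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed wordlist resembling what a directory scanner would try.
SCAN_WORDLIST = ["admin", "status", "login", "open", "unlock",
                 "doors/open", "config", "backup.zip"]

# Paths that change device state (hypothetical controller API).
RELEASE_PATHS = ("open", "doors/open")


@dataclass
class Controller:
    """Toy door controller. require_auth=False reproduces the weak
    behaviour described in the article; True is the hardened variant."""
    doors: Dict[str, str] = field(
        default_factory=lambda: {"lobby": "locked", "server-room": "locked"})
    require_auth: bool = False
    api_token: str = "example-token"   # constructed, not a real secret

    def handle(self, method: str, path: str,
               headers: Dict[str, str] = None) -> Tuple[int, object]:
        headers = headers or {}
        if path == "status":
            return 200, dict(self.doors)
        if path in RELEASE_PATHS:
            if self.require_auth:
                # Hardened: state changes only via POST, never via a
                # GET that a crawler or scanner will issue blindly.
                if method != "POST":
                    return 405, "state-changing command must be POST"
                # Hardened: constant-time token check before acting.
                supplied = headers.get("X-Api-Token", "")
                if not hmac.compare_digest(supplied, self.api_token):
                    return 401, "unauthorized"
            # Weak path (or authorised request): release every door.
            for name in self.doors:
                self.doors[name] = "open"
            return 200, "all doors released"
        return 404, "not found"


def directory_scan(controller: Controller, wordlist) -> Dict[str, int]:
    """Mimic the scanner: GET every candidate path, record non-404 hits.
    The scanner has no intent to open anything; it is only enumerating."""
    hits = {}
    for path in wordlist:
        status, _ = controller.handle("GET", path)
        if status != 404:
            hits[path] = status
    return hits


def opened_doors(controller: Controller):
    """Doors the scan (or an operator) left in the open state."""
    return sorted(d for d, s in controller.doors.items() if s == "open")


def demo() -> Dict[str, object]:
    weak = Controller(require_auth=False)
    weak_hits = directory_scan(weak, SCAN_WORDLIST)

    hardened = Controller(require_auth=True)
    hard_hits = directory_scan(hardened, SCAN_WORDLIST)
    # A legitimate operator with the token can still release the doors.
    op_status, _ = hardened.handle("POST", "open",
                                   {"X-Api-Token": "example-token"})
    return {
        "weak_scan_hits": weak_hits,
        "weak_opened": opened_doors(weak),          # every door
        "hardened_scan_hits": hard_hits,            # 405s, nothing opened
        "hardened_opened_by_scan": op_status == 200 and opened_doors(hardened),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run as a script it prints the scan results for both variants. The weak controller answers the scanner's GET on `open` with 200 and ends with every door released; the hardened one returns 405 to the same probes, opens nothing, and still honours an operator's authenticated POST. Before a pen test, the same logic argues for an inventory of networked building systems and for telling the testers which addresses they are scanning, because a controller that cannot tell a scan from a command will treat both the same way.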
At least those IoT locks sat on the corporate network, so a standard pen test exposed the hole. But IoT experts report that many of these devices carry their own independent communications capabilities, typically their own radio and antenna, which means they can talk to anyone on the outside while bypassing the network's security controls entirely.
That is the dual stealth threat of IoT: devices escape IT's rules and safeguards either because staff never think a refrigerator or a light bulb needs IT approval, or because the devices beam messages home over their own links and thereby circumvent IT's protections.
"A lot of IoT systems are in use without actually touching the IT network, sometimes using cellular modems communicating with a cloud-based platform," says Steve Hoffenberg, director of IoT & embedded software development for VDC Research. Officially, those communications are for device control and firmware updates, Hoffenberg says, but in the hands of nefarious operators the same channel becomes a way in: a device that reaches into the company's systems on the back end can, unbeknownst to its owner, be talking to and taking commands from an attacker on the front end.
The networks won't get polluted with extensive IoT traffic noise, but that also means CISO staffs will have no visibility whatsoever, Hoffenberg says. "Imagine a factory where there might be an isolated network of these IoT devices communicating with each other. If that network gets infected, it could bring down the factory's production line."
This also means that the list of security threats from these devices is lengthy. Beyond information being stolen or networks being flooded to the point of shutdown – in effect, an internally launched sort of distributed denial-of-service (DDoS) attack – there's also the very damaging attack of controlling the devices solely with the objective of feeding a company bogus data.
"It's the spoofing of data that could cause the most difficulty," Hoffenberg says. That's because once a ship arrives at a port, it needs to be met with trucks or trains. "Shipping routes might be automatically diverted. Ships could head into a storm when they think they are heading away from it."
This forces the question: How much budget for data security can a company justify spending on tiny sensors? And given their independent states, what kind of security would be effective, let alone cost-effective? It's challenging to set these sensors up securely because they are low resource devices, Hoffenberg says. "Very small microcontrollers, low-power and limited processing capabilities."
Al Hamami argues that there are serious security concerns as devices designed for consumers enter the workplace. He gives as an example Android TV and the unlimited number of trusted Google updates that the system downloads. "No one is typically responsible for security when it comes to these," he says.
Jay Wessland, vice president and CTO for the Boston Celtics basketball team, says he has many fears about IoT. "In corporate America, we're not rushing to IoT as quickly as consumers, but the speed of acceptance is still too fast,” he says.
The problem, Wessland notes, is that IT often does not have much visibility into IoT devices. "We don't yet have the visibility into some of these newer devices," he says. "The fears and dreads are certainly there. These things keep us up at night. I don't allow any phones, tablets or watches on our LAN. We have a separate LAN for that."
For a lot of IoT devices, the focus on security comes after the fact, says Michele Pelino, a principal analyst serving infrastructure and operations professionals at Forrester Research. "They say, 'Let's get all of these devices connected.'" The IoT requests never start with CISO teams, she says. "The drivers of these requirements come from the business side, not security. Security is not the starting point for these conversations."