Exotic, new connections: Embedded devices

Prepare for a host of new networking problems as devices never meant to be computers become network connected, reports Deb Radcliff.

Phones, vehicles, traffic lights, medical devices, buildings, even weapons – everything's getting plugged in these days. This connectivity might make sense from a management and efficiency perspective. However, these devices – often chip-enabled and communicating over multiple protocols and channels – present risk management problems that keep IT pros up at night.

“The security implications of network-connected devices are already starting to get played out,” says Jeff Wilson, principal security analyst with Infonetics. “At the Black Hat conference in August, a demonstrator launched an attack from an internet-connected Linux-based printer into the network, for example.”

Research firms, including Pew and Infonetics, don't track numbers indicating the dominant types of nontraditional devices that are network enabled. However, researchers agree that more and varied types of endpoints are connecting. Ironically, many of these nontraditional devices are managed by smartphones that are predominantly employee-owned.

As is already being experienced with the bring-your-own-device (BYOD) phenomenon, protecting against unknown devices and their traffic will be one of the biggest challenges for enterprises, says David Koretz, VP and general manager of Mykonos Software, now part of Juniper Networks.

“It's the perfect storm,” he says. “Criminals are already starting to attack nontraditional devices, while the number of devices per consumer goes up and could quickly become 10 to 1. At the same time, the number and type of company-owned devices behind the network firewall, such as HVAC [heating, ventilation and air conditioning] and security systems, is also growing exponentially.”

During a “war texting” course at Black Hat, researcher Don Bailey, a senior security consultant with iSec Partners, demonstrated how to sniff command-and-control traffic to determine that the type of device held by a participant was an iPad. Then he entered into the short message service (SMS) control channel to collect the billing information, unit identification number and other details. He also showed how he could issue instructions to the device and turn it into a text spammer, among other things.

“Everything will ultimately be a computer – medical devices, industrial monitoring systems, home alarm systems, automated tellers, even car security systems,” he said. “Unfortunately, all computers can be hacked.”

For example, the health care industry has long used divergent networks to run biomedical devices, like radiology systems, attached to a hospital's campus network. This equipment is not subject to the same security management requirements as other patient systems because of different regulations, says Barbara Filkins, a security consultant specializing in health care.

What's new, she says, is that many devices used to collect data on a patient's condition are more mobile and quite possibly employee-owned, which she calls the “makings of a very big risk management problem.”