Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

IoT Blindspots: The Four Devices That Should be on Your Radar

By Marcos Colon

The first connected device is said to have been a modified Coca-Cola machine that was part of a 1982 experiment conducted by Carnegie Mellon University. But if you’re looking for greater accuracy about IoT history, you can look as far back as 1832 when Baron Schilling built a pioneering electromagnetic telegraph.

Connected devices have certainly evolved over the years, but things picked up steam in 1999 when the term “Internet of Things” was coined by Kevin Ashton, co-founder of the Auto-ID Center at the Massachusetts Institute of Technology. Fast forward to today, and “IoT” is a term that’s familiar to baby boomers, millennials, and plenty of others outside the technology sphere. From home appliances like refrigerators and TVs to cars and wearables, connected devices are spreading like wildfire. Analyst firm Juniper Research estimated that 38.5 billion connected devices will be in use by the end of 2020.

As IoT devices have made their way into homes around the world, many have crept into the enterprise as well. While connected devices promote efficiency they’re also creating potentially dangerous side effects for businesses. There currently are no industry IoT standards which prescribe security requirements for IoT devices.

But rather than focus on the numerous devices that could make their way into the enterprise, let’s focus on what’s happening today.

Infosec Insider caught up with two mobile security experts who highlighted four different connected devices that should be on a security managers radar, the challenges they pose, but most importantly, what they can do about it. While each of the following devices isn’t very cutting edge as it relates to daily tasks performed in offices, the lack of visibility surrounding them creates a real issue for security managers when vulnerabilities in the devices come into play.

The Experts

Mark Bio       Zach Lanier


The Blindspots

1.Multi-Function Printers

Remember the scene from Office Space where the leading trio take the printer out into a field to demolish it with a baseball bat? Well, that has nothing to do with this, but we all do have a love/hate relationship with printers. In this case for security managers, it should be more of a suspicious relationship. According to Mark Stanislav, director of application security at Duo Security, multi-function printers (MFP) aren’t the prime example of secure devices that are typically connected to the enterprise’s network. “Often these devices connected to the same office networks as employee workstations, setup with default passwords to administrative functions, offer capabilities that may store canned, emailed, or faxed documents, and run web applications that often have vulnerabilities,” he said. MFP devices are typically used as a “pivot” for attackers to work through the network to conduct other attacks. 

2.Office Audit & Visual Equipment

As a kid, the joy I felt when a teacher would wheel a TV into a classroom is indescribable. But now, it’s almost strange if there’s isn’t a one in each meeting room I walk into. From lighting systems and podium computers to smart TVs and other displays, companies are enhancing their offices with technology to promote collaboration and bolster communication. Problem is, this technology is commonly overlooked by security managers, according to Zach Lanier, principal research consultant at Atredis Partners. Just like the office printers, this equipment is also a prime avenue for an attack. “Imagine a scenario wherein some department or user purchases a one-off smart TV for some reason, but it connects it to the enterprise network, wherein it is feeding back who know what sort of ‘user behavior’ data to the vendor,” Lanier said. Seeing as this hardware is typically managed by facility or office managers, it may not be as “locked down” as other tech that’s deployed in the business or falls within the organizational security policy, according to Stanislav. “With the increase of smart televisions and other devices that can be hard to measure the security of, IT security managers may not often realize that such devices have malware infections or is allowing an attack to lay dormant in a ‘black box’ not easily inspected,” Stanislav said.

3.Voice-over-IP (VolP)

It’s been a long and drawn out death, but it’s fair to say that analog phones will be obsolete soon enough. Voice-over-IP is now the prime choice for the modern office, but it comes with a catch; security controls must also be in place for phones, as well as patches. “Because of the types of network required for these systems, centralized call management, and routing systems are inherently exposed, which if left unprotected with weak credentials or not, being readily patched could create large scale privacy concerns,” Stanislav said. Protecting VoIP vulnerabilities is critical at a point where attackers are looking for any possible avenue to make its way into an organization’s network. These threats go as far back as 2011 when the white hat hacking group, the Chaos Computer Club, exposed the German government for leveraging malware that could be used to intercept VoIP communications. Given the attack tactic was used in 2011, chances are cyber criminals haven’t ruled it out today.

4.Video Devices

The Mirai botnet made headlines this year when nearly 500,000 IoT devices were infected with malware and leveraged to launch massive distributed denial-of-service (DDoS) attacks to take down a major DNS provider. While many of the infected devices were home routers, IP cameras were also part of the zombie army used to launch the cyber assaults. The major problem with these devices, in addition to connected cameras and DVRs, are the default credentials that are never changed, says Lanier. “As we’ve seen in the last year, these are a nightmare from a security perspective, not only from the ‘DDoS’ botnet nonsense but just in terms of having some random employee set one up to watch, say, the parking lot near their office, putting the camera on the internet – but without changing default credentials, allowing just about anyone to also watch that parking lot,” Lanier said. By leveraging weak default passwords – like “1111” or the popular “1234” – the attackers behind Mirai were able to build the botnet. 

The Advice

Identify what’s on the network
First and foremost, it’s important for security managers to identify what’s already on the network and why it’s there, Stanislav advises. “Once a baseline is determined, discussions should occur to understand if network devices are being actively monitored, patched, and secure appropriately,” he says.

Determine what needs to play nice or be isolated
Next, once you’ve identified the devices on the network, make sure to scan those devices to maintain a repository of resources tied to updates and patches associated with them, says Lanier. By creating an inventory, you can then determine which part of the inventory needs to be co-mingled with other network devices, and which may need a private network with stricter controls, says Stanislav. “At the very least, isolate otherwise non-managed IoT devices and monitor those networks accordingly, especially for any unusual behavior,” Lanier said.

Treat them like the others
Last, but certainly not least, Stanislav advises security managers to treat non-standard connected devices just like any other network-connected technology. “Gain visibility through logs, use strong authentication, patch regularly, and restrict network traffic as tightly as possible while still allowing core business functions to occur,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.