Now a huge part of enterprise technical infrastructure and embedded into every part of our lives, IoT technology is at a tipping point in terms of security.
Forbes reports that as many as 29% of organisations have already implemented IoT solutions, a figure expected to balloon to 48% for 2018. However, the arms race between manufacturers to venture into this area has left millions of devices insecure and unpatchable, potentially putting a lot of our sensitive data at risk.
A huge problem with IoT devices is that no one entity has any incentive, expertise, or even ability to patch the software once it's been shipped. The device manufacturer is already shipping the next version of a product, leaving little thought to devices already in circulation.
Furthermore, a general lack of understanding and non-implementation of basic security precautions when using such devices can result in hundreds of millions of devices sitting on the Internet, unpatched and insecure, wide open to attack and manipulation.
Weaknesses can include...
A lack of password complexity, poorly protected credentials, and a lack of two factor authentication can aid an attacker in gaining access to a device.
Insecure Network Services
Do you have ports open that shouldn't be? Could the device be harnessed to conduct Distributed Denial of Service (DDoS) attacks?
Lack of Transport Encryption
Unencrypted data, possibly even passwords, being sent over the air with no protection.
Physical Security Concerns
Are cameras showing weak points of access? Stock levels? Building capacities? An attacker could likely leverage this information for malicious purposes.
Insufficient Security Configuration
This is a lack of ability to check the device for potential security holes. Can you add new users, remove existing ones? Check login times? Lock the device down to local networks only? An inability to perform these operations shows poor security practices by design.
The lack of ability for a device to be updated presents a security weakness on its own. If no updates occur, the devices can remain vulnerable indefinitely to the security issue that an update would otherwise address. Further, if the devices have hard-coded sensitive credentials and these credentials get exposed, then they remain so for an indefinite period of time.
What can businesses do?
Businesses that have connected devices, such as smart-factory or smart-warehouse equipment, need to be aware of the threat and to make sure their devices have security protection. Consider implementing the following guidance to mitigate the threat of cyber attacks via IoT devices.
Many IoT devices ship with default admin credentials that are rarely changed by end users - sometimes because they are not prompted to, other times to keep access to the device simple. Password lists exist online detailing the login information for hundreds of these devices. A device that still holds the default password is trivial for an attacker to breach. Simply setting your own details when accessing the device will bolster the security by a big factor. Consider using Three Random Words as your password - and include symbols, capitals and ideally no dictionary words.
Reputable manufacturers of IoT devices will issue bug-fixes and patches that will seal identified vulnerabilities in the software. Some devices can actually have their underlying operating system manipulated remotely, rendering any password protection futile. Patches can fix these problems, but only if they are applied. Internet research is essential here to make sure that the company you are buying from is reputable, and aware of the need for regular patching.
As discussed, an attacker can gain complete control over an internet-connected web camera, but is there any need for the device to be live-streaming across the internet? Consider separating your CCTV, or any other sensitive or potentially vulnerable network, from others within the organisation to prevent unauthorised access.
Logging and Monitoring
With a desktop computer or laptop you may notice evidence of compromise from its day-to-day use – this is much more difficult to see with embedded devices. Network and perimeter monitoring can go a long way in identifying anomalous connections to rogue IPs, or a lot of traffic being sent from the devices.
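The two monitoring signals described above (connections to unexpected addresses, and unusually high outbound traffic) can be checked against exported flow records. The following is an added example, not part of the original article; the CSV layout, the IoT subnet, the allowed destination and the byte threshold are all assumptions, and the flow records are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
src,dst,dst_port,bytes_out
10.20.0.11,10.20.0.5,554,48000
10.20.0.11,198.51.100.7,23,1200
10.20.0.12,10.20.0.5,554,51000
10.20.0.12,203.0.113.9,443,9500000
10.20.0.13,10.20.0.5,554,47000
"""

# Assumptions for this example: the IoT segment, the only destination the
# devices should talk to (a local recorder), and a per-device volume limit.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = [ipaddress.ip_network("10.20.0.5/32")]
BYTES_OUT_LIMIT = 1_000_000  # bytes per device per log window

def find_anomalies(flow_csv, iot_net=IOT_NET, allowed=ALLOWED_DESTS,
                   limit=BYTES_OUT_LIMIT):
    """Return sorted (device, reason) pairs for IoT devices needing review."""
    totals = defaultdict(int)
    alerts = set()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        if src not in iot_net:
            continue  # only devices on the IoT segment are in scope
        dst = ipaddress.ip_address(row["dst"])
        totals[str(src)] += int(row["bytes_out"])
        # Signal 1: the device talks to something outside its allowlist.
        if not any(dst in net for net in allowed):
            alerts.add((str(src),
                        f"unexpected destination {dst}:{row['dst_port']}"))
    # Signal 2: total outbound volume for the window exceeds the baseline.
    for device, total in totals.items():
        if total > limit:
            alerts.add((device, f"high outbound volume {total} bytes"))
    return sorted(alerts)

if __name__ == "__main__":
    for device, reason in find_anomalies(SAMPLE_FLOWS):
        print(device, reason)
```
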
IoT devices can be harnessed or targeted in Distributed Denial of Service (DDoS) attacks. If your website lies at the heart of your business, consider securing additional protection against a DDoS attack. Attackers can either target you directly or you may just get caught in the crossfire when they go after your Internet Service Provider (ISP).
Most breaches, hacks, and ransomware result from human error; someone somewhere within the organisation got sloppy or lacked proper security education—or both. If employees have not been sufficiently trained to recognise social engineering tactics, it can be relatively easy for an attacker to obtain sensitive information. As an example, one company recently hired an outside organisation to pretend to be their IT department, who then sent employees emails asking for their user passwords. Out of 200 employees, 113 gave their passwords immediately.
The South West Regional Cyber Crime Unit is comprised of dedicated individuals who investigate serious cybercrime, offer advice and guidance to small businesses, and work with a range of partners to prevent people from engaging in cybercrime. For more articles and case studies like this, sign up to our Regional Cyber Briefing / Cyber Intelligence Report, and follow us on LinkedIn and on Twitter (@swrccu).
We also have a node on the Cyber Security Information Sharing Partnership (CiSP), and we strongly encourage organisations to sign up for real time cyber threat information in a secure, confidential and dynamic environment https://www.ncsc.gov.uk/cisp.