Did you know that one of the largest DDoS attacks of the century leveraged more than 100,000 compromised internet of things devices to achieve its goal? We’ll come back to that later; for now, a few questions. Did you know your thermostat could be a threat to your servers? What about your automated lighting sensors? Have you considered that even your most trusted companion, the office printer, could be a threat? All of these non-computer devices have something in common: they are all “smart” endpoints and part of a company’s network. This network could be your own or it could be the network of your vendor. In either case, they leave you and your organization vulnerable.
The common term for all of these devices exchanging information with servers is the internet of things, or IoT for short. The IoT includes printers, thermostats, light bulbs, security cameras, and almost anything that you can control with your smartphone or computer. Ever wonder how secure they are? The reality is that they are not: most of the security solutions you install for networks and computer endpoints cannot be installed on these networked IoT devices. As you may have concluded, this means there may be some risk for your organization in using IoT devices, or even in having remote employees with IoT devices on their home networks.
The IoT Threat
The main threat at the moment is botnets: groups of malware-infected devices that are controlled by a remote host. The most recent types of botnets are peer-to-peer based, meaning infected devices are able to communicate with one another. The large DDoS attack mentioned above was carried out by the Mirai botnet. Mirai took advantage of networked devices that still had the default factory password on them, which happens to be a significant number of devices. A malicious actor could launch an attack that disrupts the internet right from your own servers without you realizing it.
Another security incident that is currently happening is the use of printers as an attack vector into an organization’s core networks. Paul McKiernan, print security advisor at HP, has discussed how a printer can be a threat:
“If you are not monitoring your printers, with a CIS log going to your SIEM, a hacker could execute malware on the printer and not on the computer which is monitored. It would wait until the document is printed – which is a stream of data that can carry malware instructions to deploy. One-time intrusion detection scans are needed for those type of things.”
Some safety tips are in order after reading about the threats your organization may be exposed to. Security for the IoT may in some cases just require you to integrate IoT devices into your monitoring efforts; in other cases it may involve moving the IoT devices to another network.
1. Log Monitoring
Most network-connected IoT devices have an IP address associated with them and, at minimum, can have their traffic logged and analyzed. Despite this, many organizations do not attempt to monitor their IoT devices.
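An added example, not part of the original article: the flow-log check below flags IoT devices that talk to each other or to an unusually large number of external hosts, the kind of signal the peer-to-peer botnet activity described above would leave in traffic logs. The device inventory, addresses, log format and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of IoT devices (hypothetical addresses and names).
IOT_DEVICES = {"10.20.0.11": "thermostat-lobby", "10.20.0.12": "printer-floor2",
               "10.20.0.13": "camera-dock"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAX_EXTERNAL_PEERS = 3  # assumed threshold; tune it against your own baseline

# Constructed flow records, one per line: "epoch src dst dst_port bytes"
SAMPLE_FLOWS = """\
1700000000 10.20.0.11 203.0.113.10 443 1200
1700000005 10.20.0.12 10.1.0.5 514 300
1700000010 10.20.0.13 10.20.0.11 8080 80
1700000011 10.20.0.13 198.51.100.1 80 64
1700000012 10.20.0.13 198.51.100.2 80 64
1700000013 10.20.0.13 198.51.100.3 80 64
1700000014 10.20.0.13 198.51.100.4 80 64
1700000015 10.20.0.13 198.51.100.4 80 64
this line is truncated
"""

def parse_flows(text):
    """Return (flows, skipped); malformed lines are counted, not fatal."""
    flows, skipped = [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, port, size = line.split()
            ipaddress.ip_address(src), ipaddress.ip_address(dst)  # validate
            flows.append((int(ts), src, dst, int(port), int(size)))
        except ValueError:
            skipped += 1
    return flows, skipped

def analyze(flows):
    """Flag IoT-to-IoT traffic and IoT devices with wide external fan-out."""
    peer_pairs, external = set(), defaultdict(set)
    for _ts, src, dst, _port, _size in flows:
        if src not in IOT_DEVICES:
            continue
        if dst in IOT_DEVICES:  # devices such as these rarely need to talk to each other
            peer_pairs.add((IOT_DEVICES[src], IOT_DEVICES[dst]))
        elif ipaddress.ip_address(dst) not in INTERNAL_NET:
            external[IOT_DEVICES[src]].add(dst)  # count distinct external hosts
    fan_out = {d: len(p) for d, p in external.items() if len(p) > MAX_EXTERNAL_PEERS}
    return {"peer_to_peer": sorted(peer_pairs), "fan_out": fan_out}

if __name__ == "__main__":
    print(analyze(parse_flows(SAMPLE_FLOWS)[0]))
```

Findings like these are a starting point for triage in a SIEM rather than proof of compromise; a device with a legitimate cloud service may need its own allowance.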
2. Password Changes
Make certain you change the password of the IoT device from the default password. Mirai was only successful because so many people and organizations do not take the time to change the default factory password. The act of a password change would deter many botnet attacks on your organization’s IoT network.
3. Stay Up-to-Date
Think keeping your network’s servers, computers, and applications up to date is a tough job? Wait until you have to do so for each IoT device. Travis Smith, senior security research engineer at Tripwire, has commented on the matter, stating:
“Most devices are running on some variant of Linux, which can be outdated and highly vulnerable before the device is even released. Even if a vendor releases an update, there are no guidelines on how to handle the update. Some vendors automatically install the update on the devices as it is released. However, the majority of devices either never release any security updates, or fail to notify the owner of the device about the update. End-users need to be vigilant about finding out which devices they have installed and continually check for updates from the vendors.”
The IoT brings many exciting possibilities for business. However, with so many endpoints and a lack of security-by-design principles among their manufacturers, the paradigm of enterprise security will need to expand to cover them. Until the wider industries synchronize their security efforts, you need to keep as safe as possible. If you are looking for more information, the IoT Security Foundation will have excellent resources available to you.