The Internet of Things (IoT) – Intrusions by Proxy
The arc of technology has always been propelled by two main objectives, speed and convenience. And sure, it’s nice to be able to see who’s ringing your doorbell while miles away and still be able to interact with them, or turn the lights and air conditioning on while you’re still driving home. It’s convenient to have a refrigerator that can give you an inventory of what’s inside while you’re still out and about, so you can pick up what’s missing at the store, or one that can just order it for you directly. In a work environment it’s nice to be able to remotely monitor or work on things that took an actual physical presence in the past. It’s nice to effectively be in multiple places at once. But what happens when those conveniences are leveraged to work against you, at lightning speeds no less? Welcome to the world of the Internet of Things (IoT).
The one thread connecting all these wonderful IoT smart devices is connectivity. Unfortunately, connectivity also happens to be the lifeblood of cyber attackers, whose mission it is to somehow, in some way, reach out and affect you remotely, and with a little added luck, reach your network and gain access. And it didn’t take long for some to figure out that using some kind of innocuous device right under your nose that doesn’t raise any of the typical cybersecurity alarm bells is a fantastic way to achieve that goal. The IoT device is their proxy already in place, whether it’s obvious culprits like printers, faxes or other office machines, or hidden threats that no one ever thinks about or connects with cybersecurity.
The reality is the IoT security problem is only getting bigger, because while IoT attacks are certainly not a brand new phenomenon, they are gaining steam at a breakneck pace. Just look at the horror stories we’ve heard over the last few years: a casino got hacked by leveraging the connection of a smart aquarium thermometer in their lobby; attackers controlled an insecure thermostat device to freeze residents in their homes in Finland for weeks; a toy doll in Germany called “My Friend Cayla” had a Bluetooth device that attackers could use for reconnaissance to listen to and speak with the children while the doll itself would ask questions like their parents’ names and where they went to school; hacked baby monitors; hackable medical devices like cardiac implants; remote attackers gaining acceleration, deceleration and steering control of a Jeep; even hackable sex toys which made customers’ data accessible via the Internet, including explicit images, chat logs, sexual orientation, email addresses, and passwords. And with estimates that there will be tens of billions of IoT smart devices in use over the next few years, it certainly seems like imagination may be the only boundary if IoT devices don’t start getting treated like the cyber threats they are, to both the personal and professional worlds. Even the recent shutdown of one of the largest oil pipelines in the US due to a ransomware attack seems to be connected to an IoT failure according to preliminary reports.
Flaws in Design
IoT smart devices are often flawed right from the jump. IoT designers typically don’t even have the thought of cybersecurity on their radar during the design and production phases. Their goal is to make a product that serves the function(s) they envision as fast as they can, so they can get it on the shelves and profit from it as quickly as possible. This is where the first paradigm shift toward cybersecurity must occur in the burgeoning IoT world. Devices need to be tested by cybersecurity professionals, strengthened, and then tested again until they are done right. And yes, GDF can help with this kind of testing.
As consumers, it’s something we have to start to collectively demand, otherwise, speed-to-market and profit margins will always win out over cybersecurity concerns, and the consequences could be devastating.
What Can You Do?
There are some simple steps you can take to substantially lessen the risk posed by IoT devices:
Default or Simple Passwords
When an IoT device needs to be connected to a network, chances are there is going to be a password required. Unfortunately, due to the innocuous nature of many IoT devices, and the well-established propensity for people to loathe creating new complex passwords for anything, many times users choose to let the default password stand or use something simple, like “thermostat” for instance, since the device is seemingly harmless and not deemed a cyber threat. Since default passwords are very easy to find on the Dark Web, and simple passwords are very susceptible to brute force attacks, it is imperative to use the same strong password rules you would use for important things like bank accounts and business networks. For a refresher, that means a minimum of eight characters (longer is better) consisting of a mix of letters, different cases, numbers and special characters. And don’t use the same password you use on other devices/accounts; it could lead to a broader attack if the password is ever compromised.
Unpatched Security Features
Even though many IoT device designers/developers don’t initially take the time to focus on cybersecurity in their rush to quick profitability, if a flaw is discovered and abused, it could lead to a financial hit. To stem the bleeding, they will come up with a fix and push it out as a patch or update. If a patch/update is available, make sure to implement it as soon as possible. If it’s a device used in an organization, IT has to make sure to stay on top of the updates just like they would for critical digital assets. All it takes is one open door for an intruder to gain access to the network.
The worst IoT attacks are the ones which allow intruders to access control systems or systems containing sensitive or critical data. To avoid opening this kind of attack vector, IoT devices should be segmented from those other critical systems/networks whenever possible. Otherwise, an intruder could have the ability to gain initial access to the IoT device and then move laterally to the network where they can wreak all kinds of havoc.
Bluetooth devices are notorious for having security vulnerabilities. Imagine a medical implant being compromised, allowing a hacker to manipulate its function, or simply turn it off. It could be life-threatening. By the same token, compromising the short-range connectivity of a myriad of Bluetooth devices could lead to a network intrusion. This is why it is best to set up the non-discoverable mode when using Bluetooth-paired IoT devices, and don’t forget to patch the firmware for Bluetooth-enabled devices whenever the manufacturer makes security patches available.
Keeping/Checking an Inventory of Approved Network Devices
An important step in keeping your network safe from unruly IoT devices is to know they are connected to the network in the first place. To maintain that essential visibility, periodic inventories should be conducted to identify all the connected devices and verify they have all been approved. This visibility will also allow for patch and update management, which is also crucial for maintaining a strong security posture as it relates to the world of all those potentially problematic IoT devices.
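The inventory check described above, extended to also flag approved devices that turn up outside their assigned segment (the segmentation advice earlier in this section), as an added example that is not part of the original article. The MAC addresses, device names, subnets and the neighbour-table snapshot are constructed sample data; the snapshot follows the output format of `ip neigh show` on Linux.

```python
import ipaddress

# Constructed approved inventory (assumption): MAC -> device name and allowed segment.
APPROVED = {
    "a4:cf:12:00:10:01": {"name": "lobby-thermostat", "segment": "10.20.0.0/24"},
    "a4:cf:12:00:10:02": {"name": "office-printer", "segment": "10.20.0.0/24"},
    "a4:cf:12:00:10:03": {"name": "lobby-camera", "segment": "10.20.0.0/24"},
    "3c:52:82:00:aa:10": {"name": "finance-db", "segment": "10.10.0.0/24"},
}

# Constructed neighbour-table snapshot in the format printed by `ip neigh show`.
NEIGH_SNAPSHOT = """\
10.20.0.15 dev eth1 lladdr a4:cf:12:00:10:01 REACHABLE
10.10.0.77 dev eth0 lladdr A4:CF:12:00:10:02 STALE
10.10.0.5 dev eth0 lladdr 3c:52:82:00:aa:10 REACHABLE
10.20.0.99 dev eth1 lladdr de:ad:be:ef:00:01 DELAY
10.20.0.50 dev eth1 FAILED
"""

def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries have no MAC to check
        mac = fields[fields.index("lladdr") + 1].lower()
        yield ipaddress.ip_address(fields[0]), mac

def audit(neigh_text, approved):
    """Return findings: unapproved, misplaced and unseen devices."""
    findings, seen = [], set()
    for ip, mac in parse_neigh(neigh_text):
        seen.add(mac)
        entry = approved.get(mac)
        if entry is None:
            findings.append(("UNAPPROVED", mac, str(ip)))
        elif ip not in ipaddress.ip_network(entry["segment"]):
            # Approved device, but sitting next to systems it should be isolated from.
            findings.append(("WRONG_SEGMENT", entry["name"], str(ip)))
    for mac, entry in approved.items():
        if mac not in seen:
            findings.append(("NOT_SEEN", entry["name"], mac))
    return findings

if __name__ == "__main__":
    for finding in audit(NEIGH_SNAPSHOT, APPROVED):
        print(*finding)
```

MAC addresses can be spoofed and a neighbour table only covers the local layer-2 segment, so a clean result is a baseline check rather than proof that nothing unapproved is connected.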
The bottom line is that IoT devices can indeed be quite helpful and time-saving by adding a level of convenience once thought unimaginable, but they can also be dangerous. Unfortunately, the onus falls largely on you to ensure it’s more of the former, and none of the latter.
GDF Can Help
For all your cybersecurity needs, call GDF at 1-800-868-8189 today.
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cybersecurity and emergency incident response, with years of experience assisting clients in the government, banking, legal, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to call 1-800-868-8189 for immediate help. For more information, visit GDF's cybersecurity page.