By Ray Overby
The Internet of Things (IoT) market is exploding, with 7 billion IoT devices already in use globally, as well as 17 billion connected devices. We’re gaining the ability to remotely peek inside our refrigerators to check whether we need more milk, turn on the AC system before we get home, and access security systems.
But along with all the excitement the IOT brings, there are also new security risks. The rise of connected devices presents a multitude of new ways that information can be shared among devices, and each device comes with its own vulnerabilities.
Strava and T-Mobile have both recently learned this lesson the hard way. Earlier this year, it was revealed that any military personnel using Strava, a fitness app, may have unwittingly shared the location of military bases, causing potential security breaches.
T-Mobile, meanwhile, discovered in August that cybercriminals had located an unauthenticated, unhidden API on their servers through the T-Mobile app itself. That breach allowed criminal hackers to steal the names, billing information, phone numbers, email addresses, account information and encrypted passwords of more than two million users.
Clearly, these new vulnerabilities are an issue, but not just when it comes to consumers and their personal information – also for businesses. With so many mobile phones and connected smart devices traveling around, in and out of offices, cybercriminals have endless entry points to infiltrate and access all the information available on these business networks.
Once a bad actor has gained access to the network, it easily becomes their playground. They can make lateral moves to access various systems within the network, including the mainframe.
From an employee's cell phone to smart refrigerator, there are a number of new ways that cybercriminals can get into corporate networks. Here are two scenarios.
The Corporate Scenario
Whether employees use a personal or company-issued phone, many organizations allow them to run simple apps that provide access to data stored on the mainframe. Think of apps like email or Simple 3270: once one of these apps is installed on an employee’s phone, the only step unethical hackers need to take is to get you to run a bad script on your phone that allows entry of a virus.
Once installed, a virus can monitor your use of the phone, log which apps you are using, log all keystrokes and log all IP addresses, both local and destination, that you’re connected to. Then the virus frequently phones home to the criminal, posting all the phone’s activity for the bad guys to scoop up and utilize.
Even if there is no specific app on the phone that grants access to mainframe data, the malware on your phone can monitor your location. When you’re at work, it will then probe the network you connect to. If the mainframe is not buried behind a heavily protected firewall (isolated from the employee public-use network), the company could be compromised.
The Three-Letter Agency Scenario
Cybercriminals may also take the route of installing rogue apps, like a rootkit, on a cell phone — and it only requires that your unlocked phone be out of your possession for a mere twenty seconds. The preferred app to load on the target’s phone is the rootkit.
One of the most frightening aspects of these rootkits is that they’re able to mask their own existence. Employees with infected cell phones likely wouldn’t know that a rootkit had been installed on their phone. Instead, the rootkit hides in the background, doing its master’s bidding.
Rootkits typically install themselves with the highest level of security access to the device. They embed themselves in many apps, so that even when the malware code itself is found and removed from one location, it is alerted in many other locations. This way, the rootkit can take action to remain in control of the device.
From this point on, the device should be considered compromised. It’s nearly impossible to cut the rootkit’s access. If you kill the Wi-Fi, it will switch to 4G. If you kill the 4G, it will wait until any other path to its master is available. All while logging all your attempts to regain control of your device, and happily reporting back to its master.
Meanwhile, the device can monitor all networks that the phone connects to and test for a mainframe IP address signature. The mainframe IP address signature is identified by the behavior and tags returned on the responding ports. In this way, rootkits can help criminal hackers locate the mainframe and retrieve the information kept on it.
Let’s say you have an app on your refrigerator that provides you with a grocery list through the Internet. A bad actor can gain access to your home network through the refrigerator’s IP address. This is sophisticated, but certainly could be worth a criminal’s time, especially if they’re using your device as an entry point to gain access to an enterprise system.
With so many IoT and mobile devices connected to corporate networks today, intruders can easily go undetected and unopposed if a business is not properly monitoring the network and effectively protecting the mainframe.
That’s why it’s so important that organizations maintain Zero Trust networks and add their mainframes to their vulnerability management processes. As we extend our businesses and digitize our physical environments with IoT devices, a perimeter-based approach to security is useless.
About Ray Overby
Ray Overby is a Co-Founder and President of Key Resources, Inc., (KRI), a software and security services firm specializing in mainframe security. A recognized world authority in mainframe security, risk, and compliance for IBM z System environments, Ray heads the KRI technical team.