Would Homer Agree? The Achilles Heel Of IoT Devices


By Andy Norton

IoT devices are already being used in hospitals, and any tampering with them can cost human lives. Some of the devices infected with ransomware during the WannaCry epidemic were imaging systems, nurse call systems, infusion pumps, patient monitors and gateways. Given their vulnerabilities, and the ease with which bad actors can take advantage of them, it’s clear that not enough is being done to secure IoT devices.

Despite this worrying fact, statistics show that IoT devices are projected to make up a very large share of all Internet-connected appliances.

Internet-connected appliances are widely considered among the most dangerous devices on a network: they were not designed with security in mind, are notoriously easy to hack, sit inside the perimeter defenses of company networks, and most owners ignore even the most basic security precautions.

Accordingly, nobody should be surprised that they’re a growing target for cybercriminals. Infections of these smart products will likely continue, as there is no apparent change of behavior by the device manufacturers, vendors or users.

Poor Security Makes IoT Devices Prime Targets

IoT devices in the workplace range from voice assistants to thermostats to security systems. Aberdeen reports that the number of attacks against these products is rising and a quarter of all cyberattacks will explicitly target IoT appliances by the early 2020s.

To understand their weaknesses, we need to explore how IoT devices are designed to work. Once the device is powered on, it needs to be configured properly so that it integrates with both the Internet and the private local network (intranet). Depending on their implementation and operating conditions, different configurations are necessary to provide the most effective protection. These devices are also delivered with default, pre-configured access credentials that are needed to configure the device, set up access permissions, and customize its features.

Network resources, including IoT devices, that contain or have access to sensitive information should only be reachable through a secure account or via a connection made over the local network. In practice, however, most of this functionality is exposed via web panels or remote connections protected only by default or weak credentials. This allows devices to be hijacked easily using automated methods such as password brute-force attacks.

As a result, unsecured IoT devices, and those whose default settings have never been changed, constantly expose their services and open themselves up to being tracked using search engines like Shodan.

IoT Devices Can Be Hacked in a Matter of Seconds

FreeRTOS is among the most common operating systems used by IoT devices. In the fall of 2018, a multitude of FreeRTOS security bugs were uncovered. This discovery is one of the most useful illustrations of inadequate IoT security.

Disclosure of these vulnerabilities made a large percentage of smart products immediately vulnerable to attack. In total, researchers identified 13 bugs within the base operating system alone. Exploit opportunities ranged from remote code execution to information leakage and denial of service.

Following public disclosure of the flaws, the FreeRTOS support team issued the necessary patches. The problem is that not all vendors implement fixes such as these in a timely manner. And even if each IoT device manufacturer releases a patch, not all users will apply them to all affected devices. Because most devices lack an auto-update option, device owners need to take the initiative to stay on top of their IoT devices’ security. They’ll then need to follow step-by-step update guides, which can be complex.

The consequences of IoT intrusions can be devastating. Many IoT devices perform duties related to security or automation. Given such functionality, attackers can not only monitor compromised smart security devices, but also reconfigure them in ways that render them useless. For example, bad actors can manipulate security cameras and alarm systems to turn off live feeds or disable sensors. If the attack proves successful, burglars can then easily break into physical stores or homes.

Specific Attacks on IoT Devices

Bad actors commonly pursue one of three goals:

1) Device Hijack

All IoT devices are part of a network that interacts with other hosts by providing them with services. Security IoT devices, in particular, are used both as network entry points and for controlling physical security appliances. What this means is that successful infiltration will expose the entire network and all resources contained within it. By compromising one device and using only a few lines of code, bad actors can access a cloud-hosting solution, for example, and reconfigure it to distribute dangerous malware to all available hosts.

Malicious actors also can compromise IoT devices and then shut them down in order to compromise a network. In the case of production environments, hijacking devices can thereby sabotage the whole facility.

2) Botnet Recruitment

Attackers connect compromised IoT devices to a malicious network called a “botnet.” When instructed, the botnet conducts a DDoS attack to take down systems or entire networks, seriously disrupting business operations.

For example, the Mirai botnet has evolved into a family of malware threats that build IoT botnets. The end result is a massive international network of hosts that can be used to launch devastating DDoS attacks capable of taking down targets such as corporations and government agencies.

3) Land and Expand

Once a criminal has a foothold in a network via an IoT device, they can spread laterally to other devices, including computers and servers, to access information such as sensitive user data, IP, credentials, and confidential corporate data. In addition, when the devices that are responsible for physical security are hijacked, attackers can more easily gain physical access to a secured location. Examples include door access controls, security cameras and control gates.

How to Secure Your IoT Devices

Security teams need to assume that IoT devices are inherently poor at securing themselves, so taking added steps to protect other network devices and the data stored there is crucial.

There is no single solution to the IoT security problem, as new vulnerabilities and weaknesses are identified daily. At the very least, security teams need to change default passwords and install available patches to all impacted devices.

But merely patching known bugs is not enough, since not all attacks are carried out by exploiting known vulnerabilities. System administrators need to carefully plan and coordinate how the smart infrastructure is integrated and how it fits into the deployed network infrastructure. With this in mind, a best practice is to isolate IoT devices on the network, with access only to those services and systems they need to function.

The IoT devices, by definition and purpose, act as network servers – they provide certain functionality and, just like regular servers, their work needs to be monitored. This can be done by implementing network traffic analysis solutions that watch for suspicious network activity that can reveal a possible intrusion.

In addition, using two-factor authentication on all accessible infrastructure will significantly decrease the possibility of brute force and dictionary attacks. Finally, limit physical access to key security devices in order to block inside threats.
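The isolation and monitoring advice above can be expressed as a per-device allowlist checked against network and web-panel logs. The following is an added example, not code from the original post or from Lastline: the device addresses, log format and threshold are all constructed assumptions.

```python
# Allowlist check for an isolated IoT segment (constructed example).
# Each IoT device may reach only the services it needs; flows outside that
# allowlist and repeated failed web-panel logins (password brute forcing)
# are reported from parsed log lines.
from collections import Counter

# Per-device allowlist: device IP -> set of (destination IP, port) it may use.
# Addresses are hypothetical, constructed for this example.
ALLOWLIST = {
    "10.20.0.11": {("10.20.0.2", 554), ("10.20.0.1", 123)},    # camera: NVR RTSP, NTP
    "10.20.0.12": {("10.20.0.1", 123), ("10.20.0.50", 1883)},  # sensor: NTP, MQTT broker
}
# Failed logins from one source before it is reported as brute forcing.
BRUTE_FORCE_THRESHOLD = 5

def parse_flow(line):
    """Parse 'FLOW <src> -> <dst>:<port>' into (src, dst, port)."""
    _, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)

def unexpected_flows(lines):
    """Flows from a known IoT device that fall outside its allowlist."""
    findings = []
    for line in lines:
        if not line.startswith("FLOW "):
            continue
        src, dst, port = parse_flow(line)
        if src in ALLOWLIST and (dst, port) not in ALLOWLIST[src]:
            findings.append((src, dst, port))
    return findings

def brute_force_sources(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Source addresses with at least `threshold` failed web-panel logins."""
    failures = Counter()
    for line in lines:
        # Format: 'AUTH <device> login failed user=<u> from=<src>'
        if line.startswith("AUTH ") and " login failed " in line:
            failures[line.rsplit("from=", 1)[1]] += 1
    return sorted(src for src, n in failures.items() if n >= threshold)

# Constructed sample log: one camera flow to an outside host and six failed
# logins against the sensor's web panel from the same address.
SAMPLE_LOG = [
    "FLOW 10.20.0.11 -> 10.20.0.2:554",
    "FLOW 10.20.0.11 -> 203.0.113.9:23",
    "FLOW 10.20.0.12 -> 10.20.0.50:1883",
] + ["AUTH 10.20.0.12 login failed user=admin from=10.20.0.77"] * 6
```

Running `unexpected_flows(SAMPLE_LOG)` flags the camera's flow to the outside host, and `brute_force_sources(SAMPLE_LOG)` reports the single address hammering the sensor's login page.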

In summary, IoT devices are here to stay, and will only increase in number and in functionality, continuing to expose all other systems on the network as well as sensitive data. Security teams need to develop and consistently implement strategies to manage and maintain these vulnerable systems until manufacturers finally start including adequate security into their design.

About Andy Norton

Andy Norton is the Director of Threat Intelligence at Lastline. He has been involved in cybersecurity best practices for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye.
