We live in a society that is rapidly increasing its technological profile for the purposes of increased convenience. We are connecting our fridges, thermostats, security cameras, and even some children’s toys to the internet for various individual reasons that all boil down to an increase of convenience and in some cases efficiency. The Internet of Things is a topic that has existed in the IT community for years, and has recently started seeing rampant coverage in the media in the past few months; ramping up recently, I believe, with the hacking of two million Internet connected Teddy Bears. Now you might ask, why in the world would a children’s huggable bear be connected to the internet? And why would I put a teddy bear that is connected to the internet, that can record video and audio, in my child’s room? Doesn’t that seem like a bad idea? The short answer is yes, it’s a terrible idea, hence the coinage of the phrase “The Internet of S***”. I’ve included the link to the original article below.
Taking a step back, “The Internet of Things” refers to every device that is currently connected to the internet, whether that be computers, smart phones, smart TV’s, IOT Teddy Bears, or IOT fridges and dishwashers. As such, they are designed to be accessible from outside of your home network (or corporate network) and have functionality supporting that. Most consumers today are under the impression that manufacturers put in the due diligence to secure their devices, and test them prior to release and have an expectation that the final product be secure and only accessible by them. Unfortunately, that is not the case in today’s world. Most IOT devices ship with a wide range of vulnerabilities that can give an attacker remote access directly from the internet, without the user being involved; this includes software vulnerabilities and default admin credentials that can be used as a backdoor. Basically, if it’s an IOT device, it’s vulnerable in some fashion. If it is not vulnerable today, it will likely be made so due to lack of patches and updates being made available from vendors. Additionally, they can’t be secured like normal endpoints, as most of these devices can’t install security tools. “The biggest and most obvious security challenge with Internet of Things (IoT) devices such as connected medical devices is the inability to easily upgrade or patch them” (Zou, 2017).
The bottom line here is that you should think carefully about what IOT devices you purchase and connect inside your home or business. If not secured or implemented properly, they will be a foothold for attackers to get into your network or to steal your data. Sadly, this isn’t science fiction or paranoia anymore, this is rapidly coming a wide spread issue. So how do we properly secure these devices? That topic is largely up for debate depending on scenario, and with the home vs. business settings. Below are some methods and guidelines to get started.
IOT Security Breakdown
Step 1:
Step one is always the same. Discover what you have on your network, if you don’t know what you have, then you don’t know what you need to protect. Or inversely what you have that could be a threat if not properly managed. On a home network it should be relatively simple to find out what you have that is internet connected. A corporate environment proves to be more challenging, which is where companies such as Senrio can come into play and help security departments with discovery. Additionally, if you find yourselves being the company that is manufacturing IOT devices and want the ability to manage your fleet of products, Senrio has a solution for that as well. A small plug to Patrick Gray for running his podcast “Risky Business” on which I first discovered Senrio.
Step 2:
Segment these devices from your main network where at all possible. In some business cases this isn’t possible due to the need for devices to integrate with business systems (that’s a business owned, and hopefully accepted, risk) but these cases should be rare. Advisement is that these devices should be on a separate network entirely, for example if you are on HOMENET-1, you want them on HOMENET-2, or a separate VLAN works as well. Business’ should consider the use of Network Access Control (NAC) solutions on their Wi-Fi networks in order to control what devices are allowed to connect in the first place, in order to stop rogue IOT devices (or devices in general). Robust NAC solutions may give IT administrators the option of what VLAN to place an IOT device on when detected, at a minimum it is always recommended to keep an eye on what devices enter and leave your network from a BYOD stance.
Step 3:
Check for defaults passwords, and change them. In a home environment, check the manual before connecting the devices as often they come with default credentials that allow access over the web. Make sure to change the account password to include 12 characters at a minimum, and if possible create a new user account and disable the default account. In a business setting, tools such as Nessus may be utilized with a password list to scan for default credentials; this should be done on a regular basis, putting the IOT discussion aside for a second.
Step 4:
This is the spot you would expect to see advice such as “implement a management solution”, except in the IOT space that does not yet exist (to my knowledge). Instead, we must rely on monitoring the network traffic that these devices generate, with a focus on anomaly detection. As SANS likes to say, “Know Normal… Find Evil!”
Step 5:
Build a threat model for the device(s). What does the device do? What is acceptable? What risks does it inherently pose (passive recording of all data and shipping it out)? From the threat model, establish compensating and limiting controls around the device to bring the risk down to an acceptable level. Or simply decide to exile the device from the network if the risk it presents is too great. For example, C-Level executives may be advised to remove an Amazon Alexa from their board room where they conduct the most sensitive of discussions. In reality the risk here may be minimal, but this is an example meant to spark critical thinking.
References
Drolet, M. (2016, June 20). 8 tips to secure those IoT devices. Retrieved March 05, 2018, from https://www.csoonline.com/article/3085607/internet-of-things/8-tips-to-secure-those-iot-devices.html Enterprise Security for IoT. (n.d.). Retrieved March 05, 2018, from http://senr.io/index.html Khandelwal, S. (2017, February 28). Internet-Connected Teddy Bear Leaks Millions Of Voice Messages and Password. Retrieved March 05, 2018, from https://thehackernews.com/2017/02/iot-teddy-bear.html KNOW YOUR IoT SECURITY RISK How Hackable is Your Smart Enterprise?[PDF]. (2016). ForeScout. Palmer, D. (2016, October 27). IoT devices can be hacked in minutes, warn researchers. Retrieved March 05, 2018, from http://www.zdnet.com/article/iot-devices-can-be-hacked-in-minuteswarn-researchers/