AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Securing the IoT: The Lights are On But the Attackers are Home

When I last blogged about the Internet of Things (IoT) just over a year ago, I pointed out that it’s not just wearable tech and fitness gadgets that present a security risk. Lighting, heating and cooling systems, smart displays, electronic gateways and vending machines – unobtrusive, almost invisible smart devices that are increasingly being deployed in homes, offices and factories – are becoming a much bigger security issue.

Take this recent story. Smart thermostats have been found to have vulnerabilities which could be used to gain remote control of the thermostat, run rogue code and also gain access to the local network. Similarly, a backdoor vulnerability discovered in millions of smart TVs could allow an attacker to inject malicious code into a digital broadcast and use it to gain access to the users’ network. (Incidentally, this attack vector was used in the plot of a recent CSI: Cyber episode.)

Three characteristics make these IoT systems a soft target for malicious hackers.  First, they are, for the most part, technically simple. An internet-enabled vending machine has nowhere near the same technical complexity as a smartphone or laptop – and therefore is less able to support sophisticated security solutions. In many cases, so-called security measures in these devices can be a simple 4-digit PIN code, or a default password.

Second, their manufacturers are, again for the most part, not building on 30 or more years of security-focused research and development. Thermostats and TVs simply aren’t expected to have the same sophisticated security capabilities as servers, desktops and laptop computers. A wide variety of defense mechanisms are already baked into a smartphone – and building them in is industry standard for manufacturers and designers. While this security will never be perfect, it can still be effective. But the people designing and building many smart devices have neither the experience nor the expertise – nor, often, the inclination – to work to similarly high standards of security.

Third, once those devices are purchased by a business, their installation and management are often not the responsibility of the IT or network security teams – they usually fall to buildings and facilities management teams. And the skill sets and cultures within facilities management teams simply don’t marry well with robust information security practices.

So what, theoretically, could happen once malicious hackers identify such vulnerabilities?  Two directions of attack are possible through IoT devices. First, attackers could move from the physical side to the IT side – so, for example, somebody sitting in the parking lot could compromise vending machines through a wireless attack, and then jump to the payment system and steal money. Second, attackers could move from the IT side to the physical side – for example, setting the temperature controls in a building’s server room to ‘high’, which could cause equipment to overheat.  Both are viable IoT attack directions, which achieve different goals.

So, until smart device manufacturers catch up with other elements of the IoT industry, what can businesses do to protect themselves? Here are some key best practices:

  • Bring together facilities management and IT security. It’s crucial that they speak to each other, understand each other, and make each other aware of what devices are being added to the network, why and how. Remember that you also need to address the physical security of any new IoT systems, not just the online side – in other words, could someone tamper with the device itself? IT security should be consulted every time a new procurement decision is made.
  • Review and update the standard security measures in any IoT system. Default measures may be as basic as a 4-digit PIN, or a password that is stored in plain text. Proper investigations of these measures will help your business make smarter procurement and management decisions.
  • Segment, segment, segment. Siloing and separating different areas of your network can drastically reduce the risks of damage if an attacker does find a vulnerability in your IoT system. IoT devices should be connected via a separate VLAN, behind a firewall, with remote access allowed only via VPN with decent authentication, authorization, and auditing of that access.
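
To make the segmentation advice concrete, here is an added Python example (not from the original post) that audits a firewall rule list for rules that let traffic into the IoT VLAN without coming through the VPN, or let the IoT VLAN talk broadly to other segments. The addressing plan, rule format, rule names and the "one host, one port" egress policy are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumed for this example, not from the post).
IOT = ipaddress.ip_network("10.50.0.0/24")   # dedicated IoT VLAN
VPN = ipaddress.ip_network("10.99.0.0/24")   # VPN client address pool

# Constructed rule list: (name, action, source, destination, port or None=any)
RULES = [
    ("vpn-admin-to-iot", "allow", "10.99.0.0/24", "10.50.0.0/24", 443),
    ("iot-to-ntp",       "allow", "10.50.0.0/24", "10.10.0.5/32", 123),
    ("vendor-remote",    "allow", "0.0.0.0/0",    "10.50.0.20/32", 23),
    ("hvac-to-corp",     "allow", "10.50.0.0/24", "10.10.0.0/16", None),
    ("default-deny",     "deny",  "0.0.0.0/0",    "0.0.0.0/0",    None),
]

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that weaken IoT segmentation.

    Each allow rule is judged on its own; rule order and shadowing are ignored,
    so the result is conservative.
    """
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # Check 1: traffic entering the IoT VLAN from outside it must
        # originate in the VPN pool.
        if d.overlaps(IOT) and not s.subnet_of(IOT) and not s.subnet_of(VPN):
            findings.append((name, "reaches IoT VLAN without going through the VPN"))
        # Check 2 (assumed policy): traffic leaving the IoT VLAN must be
        # pinned to a single destination host and a single port.
        if s.overlaps(IOT) and not d.subnet_of(IOT) and (port is None or d.num_addresses > 1):
            findings.append((name, "IoT VLAN egress not pinned to one host and port"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```
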

When it comes to securing the IoT, things really can only get better. And they need to get better quickly.
