The Crux of Convenience: IoT Risks to Enterprise Organizations
As the saying goes, “The ‘s’ in IoT is for security.” Given the implications the internet of things (IoT) has for our security posture, many IT practitioners have rightfully renamed the “internet of things” the “internet of threats.” The last three decades of technological innovation have introduced devices that enable automation and efficiency, cut overhead costs, promote communication, and offer instant data access, but they also expand our risk landscape. In 2020, researchers assessed that 30% of all network-connected endpoints within an average enterprise environment were IoT devices. According to Verizon’s 2020 Mobile Security Index, 67% of survey respondents said their organization is at moderate to significant risk from IoT device threats.
Many IoT devices were not created with security in mind, which leaves a multitude of concerns: weak or absent patching mechanisms, poor authentication, unencrypted traffic, and the wider exposure that comes with 5G connectivity. IT professionals have a lot of work to do to ensure IoT technology is properly implemented, configured, managed, and maintained.
Technology leaders should be aware of risks associated with IoT and should explore mitigations to minimize their attack surface.
Unsecured IoT devices are low-hanging fruit for attackers.
IoT market expansion pressures manufacturers to release new products quickly within an ever-evolving technology environment. When OEMs are under pressure to bring innovative technology to market, they may neglect non-functional requirements such as security. Unsecured devices are prominent throughout the IoT risk landscape, and a compromise can hit your organization through regulatory penalties, expensive remediation, reputational damage, lost revenue from downtime, or the sale of stolen data. As captured in the chart below (Figure 1), enterprise IoT devices walk hand-in-hand with security issues.
Security researchers recently found that almost all IoT traffic is unencrypted. Most IoT devices have little compute power and memory, which makes TLS handshakes and certificate storage costly and encryption hard to roll out at scale. Public Key Infrastructure (PKI) with per-device certificates is starting to address the problem, but devices that cannot encrypt their traffic leave attackers free to intercept or modify data in transit, with data exposure or corruption as the result. Note that a device which does encrypt is not automatically safe: if it does not validate the server’s certificate, an attacker on the path can still terminate the connection and read it.
Recent research suggests that over half of IoT devices are vulnerable to medium- or high-severity attacks. Traditionally, security teams remediate such vulnerabilities by patching the software, but many IoT devices cannot be centrally managed or configured, making them difficult to patch, and some never receive vendor updates at all. Unit 42 researchers found that 41% of attacks exploit device vulnerabilities. This leaves malicious actors a steady supply of viable targets, potentially enabling unauthorized access, theft of proprietary or sensitive data, or malware propagation.
Many IoT devices come out of the box with default credentials as their primary security layer. Oftentimes, employees with good intentions but no security experience purchase and deploy IoT solutions without the IT team’s knowledge, leaving unsecured devices exposed to attack. A quick search on Shodan reveals approximately 52 thousand internet-connected hosts that appear to still accept default credentials. This oversight lets nefarious actors log in to the device and pivot to the networks behind it, exfiltrating data for monetary gain or intelligence-gathering purposes.
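A first pass at both problems just described, cleartext traffic and default credentials, can be made passively over captured traffic. The following is an added example written for this article, not code from any of the research cited: it decides whether a flow is TLS by parsing the ClientHello, flags HTTP and telnet sent in the clear, and decodes any HTTP Basic credentials to see whether they match a vendor default. The three flows and the credential excerpt are constructed; a real audit would read packets from a capture and load a maintained default-credential list.

```python
"""Passive audit of captured device traffic for cleartext protocols and
default credentials. Added example; the payloads below are constructed, not
real captures, and the credential list is an illustrative excerpt."""
import base64
import re
import struct
from typing import Optional

# Constructed excerpt of vendor default credentials (assumption: a real
# audit loads a maintained list, such as the pairs Mirai brute-forced).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "xc3511"), ("root", "vizxv"),
}
TELNET_PORTS = {23, 2323}


def parse_tls_client_hello(payload: bytes) -> Optional[dict]:
    """Return {'version', 'sni'} if payload starts a TLS ClientHello, else None.

    A ClientHello is the cheapest passive proof that a flow is encrypted;
    the SNI shows which vendor endpoint the device is talking to."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9                                   # record(5) + handshake(4) headers
    version = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + 32                             # legacy_version + random
    pos += 1 + payload[pos]                   # session_id
    if len(payload) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
    if len(payload) < pos + 1:
        return None
    pos += 1 + payload[pos]                   # compression_methods
    sni = None
    if len(payload) >= pos + 2:
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(payload)):
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            # server_name extension: list_len(2) name_type(1) name_len(2) name
            if ext_type == 0 and ext_len >= 5 and pos + 5 <= len(payload):
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                sni = payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    return {"version": version, "sni": sni}


def find_basic_auth(payload: bytes) -> Optional[tuple]:
    """Decode an HTTP Basic Authorization header sent in the clear."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit_flow(dport: int, payload: bytes) -> list:
    """Classify one client-to-device flow and return a list of finding codes."""
    findings = []
    if parse_tls_client_hello(payload):
        return findings           # encrypted: a passive observer sees nothing useful
    if re.match(rb"(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n", payload):
        findings.append("plaintext-http")
    elif dport in TELNET_PORTS:
        findings.append("plaintext-telnet")
    creds = find_basic_auth(payload)
    if creds:
        findings.append("cleartext-credentials")
        if creds in DEFAULT_CREDENTIALS:
            findings.append("default-credentials")
    return findings


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (test data only)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: (description, dport, payload)
SAMPLE_FLOWS = [
    ("camera admin UI over HTTP", 80,
     b"GET /cgi-bin/status HTTP/1.1\r\nHost: camera-01\r\n"
     b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),        # admin:admin
    ("sensor to vendor cloud over TLS", 443, build_client_hello("api.vendor.example")),
    ("telnet login to a DVR", 23, b"\xff\xfd\x18\xff\xfd\x20login: "),
]


def audit_all(flows=SAMPLE_FLOWS) -> dict:
    return {desc: audit_flow(dport, payload) for desc, dport, payload in flows}


if __name__ == "__main__":
    for desc, findings in audit_all().items():
        print(f"{desc}: {', '.join(findings) or 'no findings'}")
```

The TLS check deliberately looks only at the ClientHello rather than at the port: a device that speaks HTTP on tcp/443, or TLS on an odd port, is classified by what it actually sends.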
When IoT risks meet IoT threats, organizations suffer.
The Mirai botnet is the most well-known botnet that specifically targeted and leveraged IoT devices. Mirai’s first wave of activity began in 2016, taking many major websites, and even a substantial part of the internet, offline through a series of distributed denial-of-service (DDoS) attacks that exceeded 1 Tbps; at its peak it had infected over 600,000 vulnerable and unsecured IoT devices. Mirai is classified as both a self-propagating worm and a botnet: a worm because each infected device scans for other IoT devices exposing telnet and logs in with a short list of factory-default credentials, and a botnet because the infected devices are controlled through a central set of command and control (C2) servers.
In late 2016, the alleged author of Mirai published its source code, and other cybercriminals have been conducting Mirai-like DDoS attacks ever since. In November 2019, security researchers identified a new botnet, dubbed Ttint, built on Mirai code that used two Tenda router zero-day vulnerabilities (CVE-2018-14558 and CVE-2020-10987). Ttint kept 10 Mirai DDoS instructions and added 12 remote access control instructions, including router intranet access, setting traffic forwarding rules, hijacking users’ network access, using a remote shell as a local shell, and encrypting its communication with the C2 server.
Given how broadly IoT devices are deployed, botnet activity targeting them has become common and will likely continue as long as they remain an easy target.
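An infected device’s first visible symptom is the one Mirai’s worm behavior produces: connections to many unrelated addresses on tcp/23 and tcp/2323 within a short time. The detection below, over firewall-style flow logs, is an added example written for this article rather than code from any of the research cited. The log format, addresses and timestamps are constructed, and the 60-second window and threshold of 10 distinct destinations are assumptions to tune per environment; the slow scanner in the sample shows why the window size matters.

```python
"""Detect Mirai-style telnet scanning (many distinct destinations on tcp/23
or tcp/2323 from one source inside a short window) in flow logs. Added
example; the log format and every address below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TELNET_PORTS = {23, 2323}
# Assumed flow-log format (constructed): "<iso8601> src=<ip> dst=<ip> dport=<n> proto=tcp"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_telnet_fanout(lines, window_s: int = 60, threshold: int = 10) -> dict:
    """Return {src: peak_distinct_destinations} for sources that contacted at
    least `threshold` distinct hosts on telnet ports inside any `window_s` span.
    Repeated connections to one host (e.g. a management box) are not fan-out."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)          # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in events:
        if dport not in TELNET_PORTS:
            continue
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        peak[src] = max(peak[src], len({d for _, d in window}))
    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_sample_log() -> list:
    """Constructed log: one fast scanner, one slow scanner, one device that
    repeatedly telnets to a single management host, one HTTPS-only device."""
    t0 = datetime(2016, 9, 20, 14, 1, 0, tzinfo=timezone.utc)

    def line(offset_s, src, dst, dport):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} src={src} dst={dst} dport={dport} proto=tcp"

    lines = []
    # Fast scanner: 12 distinct hosts in 24 seconds, alternating 23 and 2323
    lines += [line(2 * i, "10.20.0.14", f"198.51.100.{i + 1}", 23 if i % 2 == 0 else 2323)
              for i in range(12)]
    # Slow scanner: 15 distinct hosts, one per minute (slips under a 60 s window)
    lines += [line(60 * i, "10.20.0.17", f"203.0.113.{i + 1}", 23) for i in range(15)]
    # Benign: the same management host five times
    lines += [line(5 * i, "10.20.0.16", "10.20.0.1", 23) for i in range(5)]
    # Benign: vendor cloud over HTTPS, not a telnet port
    lines += [line(10 * i, "10.20.0.15", "192.0.2.50", 443) for i in range(6)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    log = constructed_sample_log()
    print("60 s window:", detect_telnet_fanout(log))
    print("15 min window:", detect_telnet_fanout(log, window_s=900))
```

With the default 60-second window only the fast scanner is reported; widening the window to 15 minutes also catches the slow one, at the cost of more memory per source and a higher chance that legitimate administration of several devices trips the threshold.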
In January 2017, cybercriminals used a phishing campaign to deliver the Cerber and Dharma ransomware variants, which affected 123 of the Washington, DC police department’s 187 surveillance cameras. The attack occurred just before the 45th presidential inauguration and left the cameras unable to record for several days. City employees resolved the issue by taking the devices offline, removing the malicious software, and restarting the systems at each affected site.
Threat actors usually target entire networks rather than a single system; given the prevalence of social engineering campaigns and of unsecured IoT devices on unsegmented networks, cybercriminals may increasingly use IoT devices as the entry point or propagation path for ransomware.
Unauthorized Access and Data Theft
In an incident reported in April 2018, threat actors accessed an unnamed casino’s network by exploiting a flaw in the smart thermometer of its lobby aquarium. After obtaining access, the attackers scanned for additional vulnerabilities, moved laterally through the network, and located and exfiltrated a high-roller database. The database may well have contained personally identifiable information and private details about the affected members.
While many organizations continuously assess their security posture, IoT devices occasionally fall through the cracks. If proper controls are not in place, threat actors will continue to leverage unprotected IoT devices to gain a foothold in networks and potentially steal sensitive or proprietary data.
Fortifying your IoT footprint is imperative.
IoT devices play a leading role in digital transformation, and we have already gotten a taste of the advantages they offer. On the other hand, without massive effort from the security side, IoT devices will continue to pose a significant risk to organizations. At this point, the ball is in our court to harden these devices so that they do more good than harm. Technology professionals should take the following steps to minimize the attack surface of their IoT devices:
Scan devices for vulnerabilities. To protect IoT devices, organizations must first understand if and how they are vulnerable. Continuous vulnerability scanning helps ensure the health of networks and their components: it identifies the software components on each device, builds an inventory that can be monitored and checked against vulnerability databases, and alerts security teams to update a device when one of its components is found to be vulnerable. Aggressive active scans can crash fragile embedded devices, so run them in maintenance windows or prefer passive fingerprinting of device traffic where a device is business-critical.
Monitor endpoints. The more IoT devices connected to a network, the wider its attack surface. Endpoint security monitoring and management solutions can help identify a potential threat before it is too late. Effective Endpoint Detection and Response (EDR) tools enable security teams to monitor endpoints, prevent attacks, detect potential threats, and remediate security events. Most IoT devices cannot run an EDR agent, so their monitoring must come from the network side: flow logs, DNS queries, and a traffic baseline per device.
Deploy next-generation firewalls (NGFW). In a typical attack scenario, a compromised device beacons to attacker-controlled infrastructure and awaits instructions for further action, which can include installing additional software and spreading malware to other devices. Many next-generation firewalls inspect and block known C2 traffic, which cuts a compromised device off from the threat actor’s infrastructure and contains the threat without security team intervention. Where the C2 channel is encrypted, as Ttint’s was, blocking depends on destination reputation, DNS, and traffic behavior rather than payload inspection.
Leverage SCEP for certificate management. Certificate deployment and management is a complex and time-consuming task. The Simple Certificate Enrollment Protocol (SCEP) streamlines the process and enables IT teams to issue certificates to devices automatically by standardizing the exchange with the certificate authority (CA). SCEP authenticates enrollment with a challenge password, so issue a unique, one-time challenge per device; a single challenge shared across a fleet lets anyone who learns it obtain a trusted certificate.
Conduct continuous asset discovery. As devices regularly connect, disconnect, and reconnect to corporate networks, the enterprise network topology is far more dynamic than it once was, which creates blind spots. Organizations should invest in solutions that implement asset discovery best practices to illuminate every nook and cranny of their network and identify potential risks or threats. Asset discovery solutions identify hardware devices and the connections they share with other assets, helping security teams find previously unknown devices.
Create a dedicated IoT network. Network segmentation reduces the attack surface by dividing the network and giving granular control over traffic between IoT devices and other IT assets. Using virtual local area network (VLAN) configurations or NGFW policies to implement network segments reduces the chance that a compromised IoT device can reach machines or servers that hold sensitive, private, or proprietary data. A VLAN is only a security boundary if traffic between segments is denied by default and allowed only for the specific flows each device needs; an IoT VLAN that is freely routable to the corporate network is separation on paper only.
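Three of the steps above, continuous asset discovery, an inventory checked against known-vulnerable versions, and keeping IoT devices inside their own segment, can be reconciled in one pass over the network’s current DHCP leases. The following is an added example written for this article, not a vendor product or the article’s own code; the subnet, MAC addresses, models, firmware versions and fixed-in table are all constructed, and a real run would pull leases from the DHCP server and the inventory from the CMDB.

```python
"""Reconcile current DHCP leases against an asset inventory: flag unknown
devices, IoT devices outside the IoT segment, and firmware older than the
release that fixed known issues. Added example; the subnet, MACs (locally
administered, so they match no real vendor), models and versions are all
constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # assumption: the dedicated IoT VLAN


@dataclass(frozen=True)
class Asset:
    mac: str
    kind: str        # "iot" or "it"
    model: str
    firmware: str


# Constructed CMDB excerpt keyed by MAC address
INVENTORY = {
    "02:00:00:00:00:01": Asset("02:00:00:00:00:01", "iot", "cam-x", "1.2.0"),
    "02:00:00:00:00:02": Asset("02:00:00:00:00:02", "iot", "thermo-y", "2.0.0"),
    "02:00:00:00:00:03": Asset("02:00:00:00:00:03", "iot", "cam-x", "1.3.1"),
    "02:00:00:00:00:10": Asset("02:00:00:00:00:10", "it", "laptop", "n/a"),
}

# Constructed table: model -> first firmware release that fixed its known issues
FIXED_IN = {"cam-x": "1.3.1", "thermo-y": "2.0.0"}


def version_tuple(version: str) -> tuple:
    """'1.10.2' -> (1, 10, 2), so 1.10 sorts after 1.9 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def firmware_finding(asset: Asset) -> Optional[str]:
    """Compare installed firmware with the release that fixed known issues."""
    fixed = FIXED_IN.get(asset.model)
    if fixed is None:
        return None
    try:
        installed = version_tuple(asset.firmware)
    except ValueError:                       # cannot judge a non-numeric version: report it
        return f"firmware-unparseable {asset.firmware}"
    if installed < version_tuple(fixed):
        return f"firmware-below-fix {asset.firmware}<{fixed}"
    return None


def audit_leases(leases) -> list:
    """leases: iterable of (ip, mac, hostname). Returns (ip, finding) pairs."""
    findings = []
    for ip, mac, hostname in leases:
        addr = ipaddress.ip_address(ip)
        asset = INVENTORY.get(mac.lower())
        if asset is None:
            findings.append((ip, f"unknown-device hostname={hostname}"))
            continue
        if asset.kind == "iot" and addr not in IOT_SEGMENT:
            findings.append((ip, "iot-outside-iot-segment"))
        if asset.kind == "it" and addr in IOT_SEGMENT:
            findings.append((ip, "it-asset-in-iot-segment"))
        finding = firmware_finding(asset)
        if finding:
            findings.append((ip, finding))
    return findings


# Constructed lease table: (ip, mac, hostname)
SAMPLE_LEASES = [
    ("10.20.0.14", "02:00:00:00:00:01", "cam-lobby"),         # known, outdated firmware
    ("10.20.0.15", "02:00:00:00:00:02", "thermo-aquarium"),   # known, current firmware
    ("10.10.0.77", "02:00:00:00:00:03", "cam-loading-dock"),  # IoT device on the corporate VLAN
    ("10.10.0.90", "02:00:00:00:00:99", "DESKTOP-3K9"),       # not in the inventory
    ("10.10.0.5", "02:00:00:00:00:10", "alice-laptop"),       # known IT asset, no finding
]

if __name__ == "__main__":
    for ip, finding in audit_leases(SAMPLE_LEASES):
        print(ip, finding)
```

Each finding maps back to one of the steps: an unknown MAC is an asset-discovery gap, a camera leasing an address outside the IoT segment is a segmentation failure, and firmware below the fixed-in release is the patching backlog the vulnerability scan should be driving.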
A fortified IoT security posture will not happen overnight, but as organizations implement solutions to achieve digital transformation and agility, security should enable, rather than hinder, innovation. IoT security requires a cultural shift that aligns business strategy, governance, and security. Fostering collaboration between teams, and baking security into every arm of the business, empowers organizations to thrive. In the end, everyone has the same goals, and treating security as a necessity makes those goals more achievable.