What is the Internet of Things (IoT)?
You have more than likely heard the acronym IoT, or it’s full name Internet of Things. IoT devices are internet connected devices which talk to us, each other, or another application. We have these devices in our homes: products such as the Amazon Echo or the Google Home, which provide us with information, music, and other pieces of data from multiple locations when we ask them to.
But what about in enterprise situations? IoT devices are utilised in a wide range of areas such as oil and gas for temperature and pressure analytics; truck fleets for engine and mileage diagnostics; healthcare for remote health monitoring; and retail and supply chain management for use in proximity-based advertising.
What challenges do IoT devices present?
Currently, manufactures follow no standards when creating IoT devices. Manufacturers can build internet connected devices with vulnerable underlying operating systems and services, with default or weak credentials and the inability to update the devices firmware. This can ultimately leave the devices open to compromise by a potential attacker.
For example, there are a broad range of wearable IoT sensors used in the health sector that enable remote patient monitoring, in turn creating a considerable amount of sensitive data. This sensitive data could be compromised should the IoT devices in use be built and shipped with inadequate security measures in mind.
What’s the Impact of Insecure IoT Devices?
The impact from attacks on IoT devices can be enormous. We only have to look at the following case studies to understand what the effects can be.
Mirai
First detected in 2006 Mirai was a piece of malware that targeted thousands of devices running Linux. Using its built-in table of 60 common factory default usernames and passwords, it swiftly logged into the devices infecting them. In this way, it essentially transformed each device into a “bot” in a larger botnet for use in large-scale network attacks known as distributed denial of service (DDoS) attacks. Most notably, a DDoS attack was attributed to Mirai for disrupting the heating systems for at least two housing blocks in the city of Lappeenranta, Finland.
Brickerbot
Discovered in 2017, Brickerbot was a family of malware which also attacked thousands of devices by brute forcing the password of the running telnet service. It would then log in and sabotage the device, completely halting its operation.
What can be done to minimise the threats that IoT devices introduce into my organisation?
Limit Physical Access
Where possible, try to ensure devices are out of reach of any unauthorised persons. If the devices are physically accessible, it could be possible to change its configuration or even alter its firmware with a malicious version.
Change Default Credentials
Be sure to change any default credentials that the manufacturer ships with the device to strong unique passwords. If you can also change the username then great, change it to something less obvious than the common choices of “Admin” or “Administrator”. If the device supports multi-factor authentication, ensure that’s enabled also.
Remove Unnecessary Protocols
If possible, disable any unneeded protocols, especially those that transmit unencrypted data (Telnet, FTP). The data transmitted by these types of protocol can be trivially captured and/or manipulated.
Disable Universal Plug and Play Protocol (UPnP)
UPnP is a set of protocols that can allow devices to modify your router, allowing access from outside of your network. This protocol is enabled by default on several business class routers. If this is not needed it should be disabled.
A hacker named “TheHackerGiraffe” recently performed an attack on thousands of printers across the globe by printing a message to them in support of a famous YouTuber. The underlying protocol used in this attack was UPnP.
Isolate IoT Devices
Ensure that any IoT devices are isolated from your existing production network and technologies such as firewalls and intrusion detection and prevention systems are configured and in place.
Secure Data in Transit
Make use of end-to-end encryption technologies to ensure any data that is being transmitted is secure.
Apply Firmware/Software Updates
Apply any available and future updates to the firmware or underlying software before deployment and during operation. Updates can fix anything from minor bugs to serious remote code execution vulnerabilities.
For more information on how Bridewell’s Cyber Security services can support your organisation, get in touch with our team for a confidential conversation.
Author
James Smith
Head of Offensive Security