The Internet of Things was never conceived with the needs of enterprise security in mind. Then again, no one expected most of the world to leave their offices overnight and begin working from home.
But now, in a world where nearly 75 per cent of global enterprises expect at least some of their employees to continue working from home permanently, the potential threat of unsecured consumer IoT devices is taking on a whole new dimension.
“Almost everybody already had some remote access capability,” says Jon Green, vice president and chief security technologist at Aruba, a Hewlett Packard Enterprise company. “It was just that only a minority of employees were using it. Now, it’s the majority. So it didn’t fundamentally change architectures all that much, but volume got much, much higher.”
“Attackers are taking advantage of people working from home,” says Dan Demeter, a senior security researcher at Kaspersky. “Routers, switches, suppliers of IoT devices, and small home office network devices are more likely to be hacked.”
“It’s a 6 billion to 7 billion endpoint problem,” says Kevin Haley, director of project management at Symantec Security Response. Billions of these devices are not exposed directly to the Internet; they sit behind routers.
“They are IoT devices, though we tend not to think of them that way,” Haley continues. “They’re running Linux, and they have all the issues and vulnerabilities of a modern operating system—except that they are often running one that’s probably many years old.” And that creates a huge opportunity for malicious behaviour.
Though many router manufacturers provide patches to fix vulnerabilities, the responsibility to apply the patch is often left to the customer. It just takes one of the millions of botnets to find a target.
You (still) can’t protect what you don’t know
It’s kind of an axiom among security professionals that you can’t protect what you don’t know. And never has that been truer than with the seemingly endless numbers of new connected devices.
The classic story is a hack a few years ago of a still unidentified casino in North America. It illustrates what is perhaps the single largest vulnerability of IoT devices for enterprise security: the wormhole from one technology to another that opened and continues to widen as operational technology (OT) systems continue to converge with IT and IoT.
The bad guys gained access to the casino’s network database by hacking an aquarium control system on the casino’s main floor. An IoT device used to regulate light, temperature, and salinity in the smart fish tank had an Internet connection that occasionally connected to other smart devices in the casino.
The attackers hacked into that IoT device and, through it, stole the accounts of the casino’s highest value clients. Though the casino had robust network security controls, it never occurred to anyone that someone would ever think of using a temperature gauge in a fish tank to steal their crown jewels.
“All devices should be on an inventory list,” says Demeter, “because a hacker knows your network better than you do.”
An expanding attack surface
For context, it’s worth noting that until recently, OT systems were separate and distinct from enterprise IT networks and not connected to the Internet. Much of the OT environment, especially in manufacturing, has its roots in the long evolution of factory floor automation.
OT is essentially the technology that runs virtually every industrial machine or device, home appliance, manufacturing system, train, plane, and automobile. OT systems were what’s called air-gapped, meaning they were isolated from traditional enterprise computer networks, so that a failure in a machine on a factory floor, for example, could not affect the factory’s business network operations.
The Internet changed all that. IoT enabled OT and IT to be connected at the hip through an Internet connection. The management efficiencies were obvious. OT systems could now be monitored and managed, and problems diagnosed and even repaired remotely, from a centralized enterprise network dashboard. But while the advantages were immediately recognized, the downside wasn’t.
The wormhole this created meant that both the OT and IT systems could now be accessed over the Internet from anywhere by anyone with an Internet connection. Basically overnight, the attack surface for corporate data centres, networks, and critical infrastructure systems like gas pipelines, electricity grids, and water systems exploded in both size and opportunity.
The firewalls that formerly protected both IT networks and OT systems were breached. And the reason was obvious: Though enterprise networks have traditionally been secured, IoT devices are not.
“It’s all that information that is being sent from these devices to the cloud, often unencrypted,” Haley says. “It’s easy to intercept. I think the issue is really the ability to get and stay resident on an IoT device. That’s usually for a denial-of-service attack. You have an army of bots, but the ability to use that to launch other types of attacks, to put malware on devices, steal information, or launch a ransomware attack. And if you’re on a router, you are controlling the network traffic. You can steal it. You can redirect people. That becomes incredibly risky and where the real damage will get done.”
In that sense, “it’s the cloud that has really changed security more than anything else,” says Aruba’s Green. “Where most organizations had on-premises email servers long ago and then shifted to Office 365, where you need to have a username and a password, now, increasingly, all that stuff lives in the public cloud. So just the credential plus an Internet connection is good enough.” Fortunately, multifactor authentication, which has become standard on cloud-based services, has increased the overall security of these environments.
A general brokenness
The security threat posed by unsecured IoT devices should not be underestimated. MITRE Corp., a cybersecurity firm perhaps best known for developing the ATT&CK framework, maintains an online directory for the computing industry, the Common Vulnerabilities and Exposures list, or CVE. CVE is a list of publicly disclosed computer security flaws, with each identified flaw assigned a CVE ID number.
As of this writing, there are 161,313 CVE records in total. The number only grows, for two reasons: CVEs are not removed when the flaw is patched, so they remain as historical records, and every new software or hardware release is likely to bring new CVEs that add to the total. As a result, the count climbs dramatically every year. Many of these flaws are in IoT devices and can be exploited to penetrate enterprise networks or industrial OT systems. And remember that orphaned IoT devices on consumer networks are likely never to be patched.
Adding to what Green calls “the general brokenness” of IoT security is the post-pandemic move of millions of people from the office to working from home. In some cases, the situation would almost be considered funny were it not so dangerous.
One of the most common home security alarm systems, for example, was found to be exploitable in several simple ways. In fact, the system could be entirely hijacked and reprogrammed by an attacker with even minimal programming skills. Many consumer device manufacturers have a poor track record of correcting security flaws.
Green points out that another layer of the threat comes from the fact that the cloud in conjunction with working from home is changing former security policy definitions of what constitutes anomalous behaviour. “Certain things have become more difficult, like anomalous remote access,” Green says.
“Enterprise security might have tracked kind of behavioural aspects of that and said, ‘Wow! It’s unusual for this person to be connecting at 3 a.m. while they’re working from home. But maybe that’s now becoming normal.’” Best practice now would be for the system to issue a challenge, such as requiring a second authentication factor, but IoT devices generally cannot respond to such a challenge.
Post-pandemic user behaviours are rendering many of those policies ineffective and wreaking havoc with the user experience. “It’s difficult to change architectures,” Green says, which complicates any solution. In this example, enterprise security is caught between a rock and a hard place. If workers who want to get online at 2 a.m. are blocked, for example, the pushback on the security policy can drive bad behaviours such as seeking workarounds to bypass it.
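As an added example (not Aruba’s or the article’s own code), here is a toy version of the behaviour check Green describes: a per-principal baseline of login hours, a second-factor challenge for human users who appear at an unusual hour, and an alert instead for device principals that cannot answer a challenge, with accepted logins folded back in so a new routine becomes normal. The principals, timestamps and the CAN_CHALLENGE capability flag are constructed for illustration.

```python
"""Behavioural remote-access check (added example, not Aruba's or the article's code):
flag logins at hours a principal has rarely used, step up to a second factor where the
client can answer a challenge, and raise an alert instead for IoT-style devices that
cannot."""
from collections import defaultdict
from datetime import datetime

# Constructed login history: (principal, ISO timestamp) of accepted logins.
HISTORY = [
    ("alice", "2021-03-01T09:12:00"), ("alice", "2021-03-02T09:55:00"),
    ("alice", "2021-03-03T09:03:00"), ("alice", "2021-03-04T09:40:00"),
    ("thermostat-7", "2021-03-01T02:00:00"), ("thermostat-7", "2021-03-02T02:00:00"),
    ("thermostat-7", "2021-03-03T02:00:00"), ("thermostat-7", "2021-03-04T02:00:00"),
]

# Hypothetical capability flag: can this principal answer a step-up challenge?
# A person with an authenticator can; a thermostat or fish-tank sensor cannot.
CAN_CHALLENGE = {"alice": True, "thermostat-7": False}

MIN_OBSERVATIONS = 3  # an hour seen fewer times than this counts as unusual


def build_baseline(history):
    """Count accepted logins per principal per hour of day."""
    baseline = defaultdict(lambda: defaultdict(int))
    for principal, ts in history:
        baseline[principal][datetime.fromisoformat(ts).hour] += 1
    return baseline


def evaluate(baseline, principal, ts, can_challenge):
    """Decide on one login attempt: 'allow', 'challenge' or 'alert'."""
    hour = datetime.fromisoformat(ts).hour
    seen = baseline.get(principal, {}).get(hour, 0)  # .get avoids creating entries
    if seen >= MIN_OBSERVATIONS:
        return "allow"
    if can_challenge.get(principal, False):
        return "challenge"  # human client: ask for a second factor
    return "alert"  # unknown device or one that cannot answer: escalate to the SOC


def record_success(baseline, principal, ts):
    """Fold an accepted login back in so a new work pattern stops being anomalous."""
    baseline[principal][datetime.fromisoformat(ts).hour] += 1


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    print(evaluate(b, "alice", "2021-03-05T03:00:00", CAN_CHALLENGE))
    print(evaluate(b, "thermostat-7", "2021-03-05T03:00:00", CAN_CHALLENGE))
```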
Securing home networks
The good news is that there are both existing and forthcoming private and public solutions to address the threat of unsecured consumer IoT devices. Among those are the installation of remote access points for virtual private networks (VPN) and the deployment of virtual desktop infrastructure (VDI). Remote access points are installed in the user’s home or other location. They essentially mirror the function of the enterprise VPN and connect the user directly to that user’s secure office Wi-Fi system, bypassing the need for complex software. VDI solutions highly restrict user access to valuable data by ensuring that data cannot be downloaded or copied in any effective way.
In the public sphere, Congress recently passed the Internet of Things Cybersecurity Improvement Act. The act requires federal agencies to increase the security of IoT devices owned or controlled by the government. The law mandates that the National Institute of Standards and Technology (NIST) develop and publish standards, including minimum information security requirements, for managing cybersecurity risks associated with IoT devices. Given the power U.S. government procurement exerts, the bill promises real reform in developing better security in IoT devices.
Finally, the movement toward creating a new security architecture based on principles of zero trust, called Secure Access Service Edge (SASE), promises to revolutionize enterprise network security by providing a secure, software-defined system that extends from the data centre to the cloud to edge architectures and IoT. While SASE is several years and several industry-standard protocols away from implementation in consumer devices, the solution it offers for the threat of consumer IoT appears to be on, or just over, the horizon.
Until then, perhaps the best way all of us can help protect our businesses and ourselves is to be smarter about all our smart devices. That means practising good cyber hygiene. Always update your devices and equipment to the latest patches. And if it’s not required, never connect a device to a corporate network. That’s the best protection you can offer your organization. And yourself.