IoT is transforming offices, campuses, and factories, but also brings warnings that the cloud-connected security camera monitoring the storage room could be a threat. How realistic are these warnings, and how much is hyperbole?
For answers, Smarter MSP checked in with Tyler Moore, Tandy associate professor of cyber security for the Tandy School of Computer Science at the University of Tulsa.
According to Moore, that seemingly innocuous-looking connected coffeemaker in the breakroom can indeed pose risks for several reasons.
“The harm isn’t just that you won’t be able to brew coffee if your internet-connected coffeemaker is hacked. If that coffeemaker is connected to your internal network, which isn’t properly segmented, then it could create an opportunity for the attacker to move laterally and compromise more valuable resources within the organization,” details Moore.
IoT devices could be weaponized to launch attacks
“The device could be recruited in a botnet and be used to harm others by sending email spam, launching Denial-of-Service attacks, or serving as a stepping-stone for attacking others,” notes Moore. He points to real-world cases like the infamous Mirai botnet, which breached hundreds of thousands of vulnerable security cameras and commandeered them to launch DDoS attacks that crippled high-profile websites like Twitter, Netflix, and GitHub.
There have been increasing signs in 2019 that some of the dire warnings about IoT devices could be coming to fruition. Microsoft recently issued a warning that Russian state operatives were using IoT devices as launching pads. Accessories such as IoT printers, video decoders, and other office items were being used to penetrate networks.
Microsoft described the attacks in a press release:
After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.
Medical devices and healthcare are also targets
A study published this month shows that 82 percent of healthcare organizations have experienced an IoT attack. Fiercehealthcare.com says:
“The integration of internet-connected medical devices across healthcare, which is expected to increase rapidly, poses significant cybersecurity risks.”
The problem with determining whether the coffeemaker or the pacemaker poses the highest risk is that a vulnerable device would need to be identified before an attack. That can be tricky.
“Many of these IoT devices have latent vulnerabilities. We typically don’t find out about them until they are actively exploited. Such information asymmetries are common in cybersecurity and one of the main reasons why it is so hard to do a good job defending against attacks,” explains Moore.
Crucial steps to mitigate IoT dangers include adopting basic security controls, such as establishing an asset inventory and adopting a patch management system to ensure that vulnerabilities in the identified devices can be rapidly fixed once discovered.
Meanwhile, manufacturers will continue to struggle with the balance of making a device safe and priced affordably.
“Some are doing a good job, but some aren’t. Again, looking at the Mirai botnet, there’s an example of an IoT manufacturer that ignored cybersecurity entirely, and society suffered the consequences,” observes Moore.
Cybersecurity economics make life difficult
Moore believes the economics of cybersecurity needs to be addressed. Part of this is that consumers know that manufacturers generally lack cybersecurity expertise.
“Buyers know this, so they refuse to pay a premium for an IoT device that makes strong security claims since these claims are viewed skeptically. As a result, cybersecurity is not rewarded in the marketplace, so manufacturers instead focus on features that can be more readily compared, such as ease-of-use and price,” says Moore.
As for the future of IoT and security? Moore sees it as a continual struggle.
“The reality is that we were struggling to keep up before widespread IoT adoption, and we will continue to struggle once IoT devices become pervasive,” states Moore.
Photo: Ekaphon maneechot / Shutterstock