From Mirai and Satori botnets to Spectre and Meltdown vulnerabilities, the Internet of Things (IoT) has inarguably become tech’s number one target. With no end in sight to the rise of the IoT, we have to begin to wonder what the realities of IoT concerns are.
The BBC’s recent big budget thriller, McMafia, even showed us how vulnerable enterprises can be at every angle when it comes to connected devices. In the show, a hacker was able to access files and take control of Mumbai Port’s IT network through a vending machine with inferior security credentials. A few short years ago, the idea of someone hacking into a major system through the most mundane and overlooked of devices would have seemed too futuristic to put any real thought behind. However, while it may still sound a bit implausible to some, the threat to critical infrastructures is very real. As more devices are connected and additional sensors are introduced across industries, the ability to compromise a corporate network through an unpatched IoT-connected device poses a real threat.
Unfortunately, we don’t have the hover cars and teleportation technology that people once thought we would have. But we do have an interconnected web of devices so sophisticated and complex that it might as well be on par with any futuristic device that something like the iconic television show, The Jetsons, prepared us for. However, now we are tasked with facing the realities behind what it means to be connected and all the IoT hacking that comes along with it.
Across the globe, there has been a rapid adoption of IoT devices in nearly all sectors. Yet the majority of networks are wholly unprepared for this massive influx of new devices, and are even less prepared for hackers that attempt to access corporate networks and user data for nefarious purposes. A 2017 Gartner report predicts there will be 20.4 billion connected devices in existence by the end of 2020, with growth each year for the foreseeable future. While these devices will help enterprises flourish by bringing about a multitude of benefits, they also present growing security risks. As networks become more dynamic and continue to grow, it gets harder to identify and manage all of the devices connected to them.
We’ve already seen the damage that can happen. In 2016, the Mirai Botnet, one of the largest Distributed Denial of Service (DDoS) attacks ever, distributed malware that compromised CCTV cameras via infected connected devices. And before we could recover from the attack, we were hit in 2018 with Satori, an IoT botnet that is considered to be the ‘little brother’ of the Mirai botnet. Satori sets out to infect ARC processors in order to steal Ethereum cryptocurrency by hacking into online mining hosts and secretly replacing their wallets – in other words, a virtual pickpocket.
Mirai and Satori show the potential malicious actors can have when armed with malware and lots of unsecured IoT-connected devices to target. As more and more devices come online, the threats will only continue to increase. More devices mean more attack points into the enterprise as well as more devices that can be infected and then used to perform DDoS attacks.
And that isn’t the end. The new year has been hit hard with malicious software. Earlier this year, the Spectre and Meltdown vulnerabilities were revealed. Both are CPU bugs in the form of hardware flaws that allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory. While patches have been released to help mitigate issues caused by the flaws, the performance implications of the patches for these vulnerabilities are less likely to be visible in the individual endpoint sensors in IoT, industrial control systems, and smart cities. They are far more likely to become noticeable at the edge of the network, where some initial data processing is done. To be fair, to get access to these IoT devices, attackers need to have compromised the network already, or they have to compromise the supply chain, or compromise apps or widgets that can run on the device. But as you can see, hacking into systems is no issue for modern hackers who are experts on all things IoT related.
As McMafia showed us, critical infrastructures are no strangers to IoT risks. Examples of a few concerns to critical systems include multiple water supply plants hacked between 2011 and 2016, and the U.S. power grid that was infiltrated 17 times between 2013 and 2014. However, the most worrying of all is the 2016 hacking of a nuclear plant. There is a huge variety of IoT devices entering organizations every day that IT departments do not always see, let alone manage. And with BYOD becoming more popular, consumerization and IoT have led to the proliferation of devices with their own IP addresses and processing power – often with little security. These devices provide a gateway for hackers to enter into network systems.
Now, new smart devices can even join networks at will, everything from a smartphone to a security camera. These devices are unmanaged and become rogue endpoints, significantly increasing the chance of a breach. They become targets for hackers, ready to be compromised. Rogue users could use the LAN to access the server. Or, more likely still, unmanaged devices can be hacked and the data manipulated, allowing network access.
Many are currently, and rightly, concerned about protection from outside threats getting into important networks. The latest firewalls, intrusion prevention systems, and advanced protection systems all play a part in defense, but as more and more connected devices enter networks, it is now critical to look at threats from within as well. If firms do not have proper infrastructure to support IoT devices, they risk exposing their corporate networks to malicious activities. This can lead to devastating effects, especially if hackers uncover vulnerabilities in IoT devices within critical infrastructure.
A good starting point for businesses as they take their network security efforts seriously in today’s hyper-connected world is to increase awareness of all the devices on the network and implement centralized management systems that help ensure compliance. The mantra “See it, assess it, control it” must be taken on for defending the organization from all manner of devices and their intentions.