The Insecurity of Things: Picking up the security slack of IoT devices

Jeep and Tesla both became IoT security guinea pigs last year, as researchers found ways to hack into the Cherokee’s and Model S’s computers to take control of the vehicles. The team researching the Jeep demonstrated they could remotely control the vehicle in several ways, from changing the music and A/C settings to cutting the car’s transmission mid-drive. The Tesla’s hackers used physical access to the car’s networking cables to achieve root privileges on the car’s infotainment system, allowing them to start and drive the vehicle or shut it off. 

 

Luckily, these researchers shared their findings with the manufacturers so they could release patches. But the recent Dell Security Annual Threat Report predicts manufacturers and users of smart vehicles that don’t feature the proper IoT security measures won’t always be so lucky. With the increase in ransomware activity targeting Android devices in 2015, the report predicts the possibility of ransomware attacks on vehicles, where the driver is unable to exit the vehicle until he or she pays a smallransom. And this is just one of many bizarre ways cybercriminals could profit from the takeover of individual or corporate vehicles.

 

With connected devices expected to reach 20.8 billion by 2020, according to Gartner, future IoT attacks will continue to model the Jeep and Tesla breaches -- they’ll focus on taking control of the device in order to use it in some unintended way. But other hacks will use IoT devices as access points for valuable data, which can be even more profitable. 

 

In 2015, Dell Security partner iPower Technologies discovered the Conficker worm malware hiding on the newly purchased body cameras of a law-enforcement client.

 

In this instance, the hacker’s goal was likely to use the body cameras merely as an attack vector for accessing law enforcement data. Whether the attacker would have used this data for a political or financial agenda is unclear. Users mistakenly assume that IoT devices are not likely initial vectors of attack and that they can trust the IoT device.  The iPower Technologies discovery demonstrated two things:first, IoT devices are often just repackaged computers and operating systems that are just as vulnerable as their home computer; second, that the manufacturers are not necessarily hyper aware of what can get onto their systems at time of production or distribution. It proved the need for diligence in defense for, and in defense of the IoT devices being deployed.  These kinds of vulnerabilities could soon lead to widespread data breaches, as BI Intelligence predicts government will be the second largest adopter of IoT technologies in the coming years.

 

The top adopter? Businesses, who BI Intelligence says can leverage IoT to lower operating costs, increase productivity and expand their products and target markets. But as the Dell Security Annual Threat Report points out, companies are already the target for an ever-growing number of cyber attacks, with 2.17 trillion IPS attacks and 8.19 billion malware attacks in 2015 alone. So if companies are going to enjoy the benefits of today’s potentially insecure IoT devices, they’ll have to put end-to-end security programs in place. 

 

There are a few ways organizations can do this:

1. Approach security holistically: Ensure data is secured and encrypted from the data center or cloud to the endpoint and everything in between. Look at endpoint security, network security, identity and access management, and more. 

2. Research your devices: Understand what your IoT devices do, what data they collect and communicate and from where, who owns that data, and what vulnerability assessments or certifications the devices have.

3. Audit the network: Level set before installing a device so you can better understand the impact on network traffic. Do an audit to understand what is currently accessing the system and when, what it does when it sees data, and what it communicates to and where. Then reassess your network performance after installing the IoT device and identify any changes on an ongoing basis.

4. Compartmentalize traffic: Employ a “no-trust” policy for IoT devices, putting them on a separate network segment or virtual LAN (VLAN) so they can’t access or interfere with critical corporate data.

5. Educate your team: As IoT evolves, it will be critical to ensure your company’s IT, security and network teams are educated about the latest devices, standards and issues. 

 

Eventually, we’ll begin to see manufacturers incorporate more security settings directly into their IoT devices, but right now, the onus is on both the consumer andthe company to protect against cyber attacks. That shouldn’t defer interested users away from IoT devices, but rather guide their strategies and policies going into product selection, implementation and maintenance.

 

IoT is one of the largest business opportunities in recent years, and organizations are right to make moves toward a connected, efficient infrastructure. Just don’t let the latest connected device’s rapid introduction to market rush your organization into a costly security mistake.