An Eye on IoT Security
By Ruchika Mishra
Ever heard of the “Star Trek” effect? If you show imaginary, cool, futuristic technology in a movie or show, technologists of all ages will do their best to make it come true. When Spock, in Star Trek (1970s), waved his tricorder over strange objects and said, “Hmm…”, or when Marty in Back to the Future, Part II (1989) put on self-lacing shoes and jumped on his hoverboard, or when John Anderton (Tom Cruise) in Minority Report (2002) used pinch, swipe, and pull gestures to view data, someone saw it and said, “That’s a future I want to live in!”
Fast forward to today and the rise of the Internet of Things (IoT). IoT has realized a vision of a hyper-connected world – one we saw in many movies and television shows from the past 50 years. As predicted, everything from cars to toasters to coffee makers is becoming internet enabled. In the corporate setting, smart thermostats adjust office temperatures based on changes in weather, smart doorbells announce visitors, and vending machines send alerts when they need to be refilled.
IoT security is personal security
All this is innovative and convenient, but also extremely insecure. An attacker spying on your child through your baby monitor or a stranger peeking inside your home via your home security cameras has become a real possibility. From a consumer standpoint, IoT security worries are mostly privacy-related. While those worries are real and legitimate, they don’t typically align with threat actors’ more common goals of financial gain and corporate- or government-targeted espionage. Attackers targeting IoT devices are more likely to view those devices as a means to an end and use them as a starting point for lateral attacks. Adversaries could harness scores of such devices in a DDoS attack, or use them as a pivot point to reach more valuable targets on the network.
This is a projected future we don’t want to come true.
Why IoT security is so challenging
IoT devices are purposefully designed to connect to a network. In large complex enterprises, IoT devices simply end up being connected to the internet with little management or oversight. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. This presents a challenge for security teams because such devices must still be identified, maintained, and monitored.
In most cases, however, the security team or security operations center doesn’t know these devices exist on the network. This means there is immense potential for security vulnerabilities that hackers can exploit directly to breach your critical systems or move laterally within your network. “There were 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of 2019, compared with just 12 million attacks in the first half of 2018.”
Compounding the risk from lack of visibility, there is also the issue that IoT devices often have proprietary interfaces and embedded operating systems. This makes it difficult for security teams to understand if they are running vulnerable software or dealing with misconfigurations. Security patches are typically not available, and even if they are, the devices themselves may have no built-in ability to be patched remotely. They may be in physically remote or inaccessible locations, or downtime may not be an option. Another issue cited with IoT security is the use of hard-coded or default passwords. No recent incident more clearly exposed just how vulnerable enterprises are with the security of their IoT hardware than the Mirai botnet attack in 2016. Mirai logged in to devices leveraging frequently used default username/password combos and was able to amass an army of compromised IP cameras and routers, ready to do its bidding. At the time, it was the most powerful DDoS attack the world had seen.
Visibility is the foundation of IoT security
The first step in securing IoT is knowing what’s connected. Getting an accurate, continuous, and up-to-date inventory of all IoT and other non-traditional assets in your environment is the foundation that your security posture is built on. Once you have an accurate inventory, you need to understand what risks and vulnerabilities these assets bring to your security posture. Only then will you be able to prioritize the actions you need to take to mitigate that risk.
Balbix is designed to discover and analyze all non-traditional asset types and provide you with relevant risk insights for each of these asset classes. By analyzing traffic on your network, the platform automatically identifies, categorizes, and computes business criticality for all assets, leveraging this and other data to generate a risk score for each device. You get comprehensive visibility into the security posture of all of your asset types and do not have to deploy specialized point products for each non-traditional asset class or worry about how you would integrate dozens of tools into your security program.