IoT Complexity Creating New Hacker Opportunities

The internet of things (IoT) is not a glimpse into a high-tech future. It’s already here, changing the way we live and work forever. Gartner predicts that more than 14 billion connected “things” will be in use this year, rising to 25 billion in two years’ time. Many of these are installed around the smart home and in corporate buildings. But when devices are integrated with each other via automation platforms, problems emerge.

What we have dubbed “complex IoT environments” (CIEs) offer new opportunities for hackers to launch physical and digital attacks. That’s bad news for IT professionals as it means a further expansion of the corporate attack surface.

A Smarter Age

The IoT offers new possibilities only dreamed of a decade ago. The smart home and office provide a whole new level of convenience, entertainment, safety and productivity. Everything from kitchen appliances to door and window locks, security cameras to speakers is being reinvented for the IoT era. But as useful as these are in isolation, the real value of such gadgets comes when they are integrated to interact with each other in user-friendly smart applications. This is where IoT automation platforms come in.

Automation servers such as FHEM and Home Assistant allow devices to be integrated and controlled from a single, user-friendly UI. They log things such as ambient temperature and power consumption and enable automated control of lights, heating and more. Consider a scenario in which you ask a digital assistant to check if all doors and windows in the building are locked. This is made possible via an automation platform.

However, the more devices and actions are added to these CIEs, the more error-prone they become, making management and debugging difficult. This becomes a major problem when combined with the fact that many automation servers are not properly secured or configured.

Exposed Online

Many open source IoT automation servers don’t have security features such as password protection switched on by default, nor do they prompt the users to enable security features. This leaves them completely exposed to remote hackers via a simple Shodan search.

Attackers, therefore, theoretically could compromise the automation server to reprogram automation rules, steal hardcoded sensitive data, add new devices, infect devices with malware, harvest devices for botnets and much more. Let’s look at these threats in more detail.

Attackers could fool presence-detecting smart locks, for example, by adding a phantom device to the trusted devices list and setting it as always “present” inside the building, thus keeping them unlocked. This could be combined with a surveillance attack in which the hacker configures the IoT automation system to send messages to a supported messaging platform about activity in the building. This could include motion-sensing alerts from connected cameras around the building, providing useful intel on the best time to break in, for example.

In another scenario, a compromised automation server could be used to play the cloned voice of the occupant via a smart speaker, bypassing voice recognition checks to perform a range of functions including turning off the building alarm and opening the locks. Exposed automation servers could also provide an attacker with valuable hardcoded personally identifiable information (PII), device username/password and device API keys. These could be used to provide situational awareness of the building and hack into the wireless router to monitor data traffic flowing in and out.

Perhaps the most severe attack comes in the form of a “logic bug,” which takes advantage of the fact that once automated rules are set in place, they can go unnoticed indefinitely. Thus, a rule could be created whereby the alarm won’t sound and the lights won’t go on in the event of a break-in, without the knowledge of the owner.

Keeping IoT Environments Safe

It goes without saying that such threats can expose both the smart home and corporate buildings to the threat of physical attacks/robberies, and information-stealing raids. Home workers may also be targeted in stepping stone attacks designed to infiltrate corporate networks or steal sensitive info brought home from the office.

IT security professionals should therefore look to extend basic cyber hygiene best practices to the IoT smart building environment, ensuring these are basically transparent to the end user. This could include switching on password protection for all devices; replacing default passwords with strong, unique credentials; and changing other default settings such as Telnet on webcams. Device firmware should be kept updated where possible, although this can introduce business continuity challenges. That means due diligence must be completed on new vendors to ensure IoT products and systems are as secure as possible out of the box and can be maintained relatively easily.

Other best practices could include enabling encryption for storage and communications, WPA2 for Wi-Fi routers, disabling UPnP and allowing only a hardcoded list of device MAC addresses to access the network. IT teams should also conduct regular backups of the configuration and automation rule files of IoT automation servers. Network segmentation can help to protect sensitive data assets, while monitoring and self-assessment tools can be used to understand security baselines, potential vulnerabilities, risks and mitigation measures.
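
An added example (not from the original article or from any automation platform's code base) of how those backups can double as a detection control: it compares the current automation rules and trusted-device list against the last known-good backup, so that silently altered rules and phantom devices surface. The JSON-like schema, rule names and MAC addresses are constructed for illustration.

```python
import hashlib
import json

def fingerprint(entry):
    """SHA-256 over a canonical JSON encoding, so key order does not matter."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def diff_entries(baseline, current, key="id"):
    """Return ids that were added, removed or changed relative to the backup."""
    base = {e[key]: fingerprint(e) for e in baseline}
    cur = {e[key]: fingerprint(e) for e in current}
    return {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "changed": sorted(k for k in base.keys() & cur.keys() if base[k] != cur[k]),
    }

def audit(baseline, current):
    """Diff automation rules and the trusted presence-device list."""
    return {
        "rules": diff_entries(baseline["rules"], current["rules"]),
        "devices": diff_entries(baseline["trusted_devices"], current["trusted_devices"]),
    }

# Constructed sample data in a hypothetical schema (not FHEM's or Home Assistant's).
DOOR_RULE = {"id": "alarm_on_door_open", "trigger": "door.front:open",
             "condition": "alarm.armed", "action": "siren.on"}
LIGHT_RULE = {"id": "lights_on_motion", "trigger": "motion.hall",
              "condition": "after_sunset", "action": "light.hall.on"}
OWNER_PHONE = {"id": "phone_owner", "mac": "02:00:00:00:00:01"}

BASELINE = {"rules": [DOOR_RULE, LIGHT_RULE], "trusted_devices": [OWNER_PHONE]}
CURRENT = {
    "rules": [
        dict(DOOR_RULE, condition="never"),  # alarm silently disabled
        LIGHT_RULE,
        {"id": "notify_motion", "trigger": "motion.hall",
         "condition": "always", "action": "notify.external_chat"},
    ],
    "trusted_devices": [
        OWNER_PHONE,
        {"id": "tracker_2", "mac": "02:00:00:00:00:99", "always_present": True},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(BASELINE, CURRENT), indent=2))
```

Run after each scheduled backup, any non-empty list that does not match an approved change is worth an alert.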

There’s no one-size-fits-all approach when it comes to IoT automation threats. But as the buildings around us increasingly become packed with complex chains of smart devices, securing them will become a vital part of the IT security function.

Greg Young

Greg Young is vice president of cybersecurity for Trend Micro and focuses on enterprise security, especially for networks, clouds & virtualization, IoT/operational technology (OT/SCADA), and micro-segmentation. With 30 years of IT and cybersecurity experience, Young has been a trusted adviser to thousands of companies around the world. Prior to Trend Micro, Young served as research vice president at Gartner, where he spent 13 years covering security for network and clouds. Young has received several honors for his work including the Confederation Medal from the Governor General of Canada, a mention in Network World's "12 Most Powerful Security Companies" and has been named one of Sys-Con's "100 Most Powerful Voices in Security."
