Mitigating the rising hack threat to IoT devices

The threat to IoT devices is rising. How do you keep them - and your company's data assets - safe?
18 November 2022

If it’s smart, it could be vulnerable – you’re going to need an IoT audit.

In Part 1 of this article, we spoke to Sharon Brizinov, director of security research at Claroty, a cybersecurity company specializing in IoT protection, about the rising cybersecurity threat posed by the 14 billion IoT devices already in the world.

While we had Sharon in the chair, we asked him how to mitigate the threats that Claroty had identified.

The scale of the problem

THQ:

So, unprotected IoT devices can act as easy gateways to other systems, through the WiFi network to which they’re connected. But what’s the real scale of the problem right now on a worldwide basis? And perhaps more importantly, what will it be a year from now?

SB:

The number of IoT devices is only going to rise. Both in our domestic lives and in our corporate ones, IoT devices are a boon in lots of ways, from smart toothbrushes and refrigerators to IoT sensor networks informing digital twins. In the near future, we’ll probably see a situation where everything is WiFi connected, from door access control to your TV, and from asset management to HR. So the scale of the problem is unlimited. And everything will be hyper-connected very, very soon.

THQ:

From which premise, we can say that everything will be hyper-vulnerable, unless it’s mitigated?

SB:

Exactly. Everything will have some potential to be hacked. And not only that, it will affect the entire local network, because one hacked device means that the attacker can use it as a pivot point. So yes, definitely, we’ll be hyper-vulnerable unless we’re hyper-mitigated.

THQ:

That’s quite the horror movie waiting to be written. Cyberterrorists gain access to a building’s network and control every aspect of a building’s physical architecture and systems. Hostages by remote…

SB:

Definitely. A friend of mine has just been in Japan, and he told me that his bathroom there was fully iPhone-controlled. Think about that for a moment – fun when you’re in control of the iPhone. But if you lose that control…

It’s just crazy.

THQ:

It’s like that line from Jurassic Park – we’re currently so obsessed with whether we can make everything net-connected, we haven’t stopped to think whether we should.

SB:

Yes, that’s true. I get a notification when the washing machine is done, and statistics of how many washes we’re doing each week. That’s cool. But is it worth the risk of having a smart washing machine that might not be properly secured? I don’t think so.

Mitigations to IoT hacking

THQ:

So, what can we do? How can we do it? And are we currently doing it anywhere near enough?

SB:

We need to educate ourselves. We need to be aware, and we need to be vigilant. And we need to ask why. Why do we need a smart toothbrush? What value does each piece of corporate IoT add to the business, and is it worth the added time and budget of properly securing them?

So, educating ourselves and others about the risks related to IoT devices is the first goal that I would suggest we pursue.

The second goal is to make sure your IoT and XIoT (Extended Internet of Things) devices are properly configured by the vendors, updated, and obviously patched. This is what we’re trying to push our customers to understand – the limitations and the restrictions they have, because sometimes it involves downtime in their factories. But all in all, we’re pushing them to update and patch all the versions they have in their different networks.

The third mitigation goal is to use security measures such as firewalls and intrusion detection systems. With the rise of IoT devices, you also need to monitor everything, and get some kind of observability and visibility into your network. So I would say that monitoring is very important, but also having the proper security mitigations in your network, such as hygiene with firewalls.

Segmentation is very important because, for example, in the example I gave in Part 1, with the smart toothbrush, that can be a pivot point for an attacker, if it wasn’t properly segmented in my WiFi network. It’s not currently segmented, because I’m kind of lazy in my own house, but if it were segmented in my own house, with a separate WiFi for IoT devices that are in potential danger to the WiFi I use for, say, my laptop, which is much more valuable, it would have been a lot harder for any attacker to pivot to the important information.

An important disparity

THQ:

We know there’s currently quite a disparity between software and hardware vulnerabilities. Why is that?

SB:

There’s a simple reason for that. First of all, software is a digital asset, so it’s much easier to transfer research, you can work on it from anywhere, you don’t have to be attached to anything physical. While hardware, you need to get some physical hardware and work on it physically. And if it breaks, then it’s done. You have one chance.

So with software, you can duplicate it, you can modify it, and you can replicate, you can send to other computers, it’s much more flexible in research. And that’s why it’s much easier to research software than hardware.

THQ:

We’ve been talking about the domestic aspect – hacking toothbrushes and the like, but this is a big problem across whole sectors of industry. What do companies need to do?

A big wake-up call

SB:

A lot of businesses are currently being given one hell of a wake-up call, when they wake up in the morning and see that everything in their network is encrypted with ransomware. There is a rising awareness of security because of that. But businesses need to get visibility on what devices they have, what type of devices they are, what versions are patched, what are not patched, what needs updates, and so on. It’s a traditional cybersecurity regimen but applied specifically to IoT and XIoT devices.

After that, make sure everything is configured with the right security mitigations such as segmentations in their network to eliminate the possibility that if one device is hacked, other devices can be hacked as well. Reduce the possibility that hackers will jump from place to place and in general make sure that their network is fully hygienic with firewalls, routers, security products. Everything is security-driven.

THQ:

The vulnerabilities that we’re seeing, are they relatively evenly distributed across sectors? Or are some sectors being hit more by vulnerabilities in their IoT devices?

SB:

I think it’s fairly distributed. The only thing that prevents researchers from finding more vulnerabilities is actually getting their hands on the equipment. So for example, getting medical devices is not easy. You can sometimes purchase them on eBay, but it’s quite expensive. So someone who is willing to do that is probably very determined for some reason, or has some very specific goals they want to pursue. But almost all internet-connected devices across all industries are vulnerable – you just need the time and the effort to research them. And usually what keeps hackers from doing so is actually obtaining the devices.

A new level of threat

THQ:

We know that ransomware is a big issue for businesses. Are we looking at a new variation of threat here with IoT devices? Or are we just looking at the same sort of vulnerabilities, just in a whole new range of access points?

SB:

Surprisingly, the answer is yes, there is a new vector that was not as popular or as possible before. And that new vector is cloud connectivity. Because what IoT introduced is not a new concept, but a new scale of the cloud connectivity threat.

For instance, the toothbrush that we discussed previously is connected to the WiFi, but it is also communicating outside to some cloud, or to some IoT hub that collects all the data. Now, it can introduce a range of new problems, because first of all, my data is stored alongside millions of other people’s and companies’ data in a multi-tenant server somewhere in AWS or Azure. So if an attacker is pursuing the cloud server, and not just myself, they can get access to the data of millions of people.

So yes, the scale of IoT device use brings in a whole new problem, which is cloud connectivity. And because, as we’ve said, IoT devices right now are often misconfigured, or unprotected, they can be a much easier access point than the “front door” of systems.

 

From a toothbrush to a network, to the cloud in just a couple of pivots.

Companies with any or many IoT devices would be well advised to get solid segmentation in place, it seems – and to correctly protect all their IoT devices against the growing curiosity of hackers.