The rising hack threat to IoT devices

There are currently just a hair under 7 billion human beings on planet Earth. By comparison, there are already 14.4 billion Internet of Things (IoT) devices (including XIoT, or Extended Internet of Things). And by their very nature, IoT devices are connected, so even the innocuous devices that come with ‘gimmick’ wifi connections, can act as a portal to more or less everything else. For hackers, that means IoT devices are likely to be the next golden ticket to all the information on your laptop, your work system, your company and your life.

Claroty, a cybersecurity specialist in IoT protection, recently published a report on XIoT security. We sat down with Sharon Brizinov, director of security research at Claroty, to find out whether XIoT devices – combined with fundamental human nature – could be a next-generation system weakness.

Why the tide is rising

THQ:

We understand that XIoT vulnerabilities are rising. Is that just because that there are more XIoT devices generally, or is there more to it than that?

SB:

There are four answers to this. First of all, yes, there are more connected devices every year, so there’s a natural wavefront – more devices will in ordinary circumstances equal more vulnerabilities. I’m sure that you’re using more and more devices. Every passing year, you have more phones, your refrigerator is connected the internet, you know, everything is becoming smart and internet connected. So yes, definitely, we’re seeing many more IoT devices. And that’s why attackers are interested in exploiting them.

The second reason is that hackers love a new challenge, and the challenge of IoT security is becoming more interesting for attackers. So they’re trying to exploit more devices. And while doing so, they are encountering different vulnerabilities. Most of them are low hanging fruit, so they’re reporting the vulnerabilities as well. And that’s why we have more vulnerabilities in total.

The third reason is that vendors are producing more IoT devices and a lot of them are not properly secured. They are being produced and manufactured with low or low quality security, and in many cases, they’re misconfigured. That gives an attacker an ability and the option to exploit them.

But the fourth reason is simple: many users do not take the time to properly secure their devices. And so attackers are being given more options, and more chances to exploit them.

The human factor

THQ:

You can see that from the manufacturers’ point of view, there’s a disincentive to go too heavy on security, so as to not to make it too expensive to sell. But is there a human element at work here too – people who then buy those devices going “It’s a refrigerator – why do I need to secure my refrigerator?”

SB:

Yes, for sure. I can testify to that from my own experience. I bought a new washing machine, and it came with a Bluetooth connection and an iPhone app. Even more, my wife bought a toothbrush which has Bluetooth connectivity, and it is connected to her iPhone. Now she can track how many teeth she’s brushing every day and for how long. So you know, it’s becoming almost ridiculous, what devices are internet connected, and the possibilities that now an attacker will take control and execute ransomware on my toothbrush is just hilarious. So similarly, asset owners are in many cases surprised and think that they do not need to secure their new technology. But that’s part of the human element – and as technology progresses, they need to understand that yes, from the toothbrush upward. They need to treat any connected device in the same way and secure it.

THQ:

We were going to ask – exactly what can hackers do with the data they get from hacking a toothbrush?

SB:

Apart from the simple hardware hacking challenge? That’s the thing people don’t sufficiently understand. Sure, an attacker can hack a toothbrush, and it sounds funny. But the toothbrush is connected to the WiFi. And the Wi Fi is connected to the entire smart home.

Then from the toothbrush, they could exploit other devices – and that’s the real danger, because everything is hyper-connected. And in a business context, from one device, you can elaborate your position in the network from an attacker perspective, and attack other devices. And that’s the risk that we’re trying to mitigate.

The open door

THQ:

So the fundamental point of XIoT devices – their connectivity – coupled with manufacturers’ misconfiguration and owner indolence about ensuring they’re properly protects – is like a relatively unlocked door, through which attackers can wreak havoc?

SB:

Exactly. Because think of it. How much time would a vendor invest to protect the toothbrush? Not very much. And I would assume they wouldn’t test it for vulnerabilities either. So let’s say that the toothbrush is not secured. And it’s WiFi connected. And somehow the attacker was able to hack the toothbrush. Then eventually, they could pivot from the toothbrush to other devices. And this entry point, this low hanging fruit for the attacker, is what they need in order to exploit other devices. That’s the real danger.

THQ:

We’ll never look at our smart toothbrushes in quite the same light again…

 

In Part 2 of this article, we’ll find out what asset-owners, from people with toothbrushes to companies with warehouses full of IoT sensors, can do to mitigate the rising tide of IoT-specific security threats.