According to Statista, the number of IoT devices is constantly growing. There are about 10 billion connected IoT devices in the world now. Roughly 90% of them are unmanageable and unprotected, meaning there is no centralized management platform, no centralized monitoring of events, settings are manually configured, etc.
In the current pandemic conditions, with a large number of users working from their home offices, the issue arises of managing information security risks associated with home IoT devices. Printers, Smart TVs, file storage, video surveillance cameras and other equipment are often connected to the same home network as the devices from which corporate data is accessed. Compromised devices may lead to a data breach. People who install and use all these smart devices at home often have minimal knowledge in the field of information security.
I want to touch upon the information security problems associated with IoT devices, as well as some approaches to solving these problems.
What does the corporate IoT consist of?
Unmanaged devices and IoT devices are systems controlled by an operating system, no matter how simple it may be. They can communicate with other devices and systems in the organization and process and transmit information but are not controlled by traditional security tools.
The number of such devices is growing in many modern offices. Such devices may include smart air conditioning, smart lamps, smart loudspeakers, as well as connected printers, computers, video surveillance systems, etc.
Many of these devices were previously quite simple and lacked network functionality. But now, they are constantly evolving, becoming more complex, and becoming exposed to vulnerabilities that pose a real danger if motivated cybercriminals use them.
IoT devices can be classified into the following categories:
- Office building automation systems
- Consumer devices
- Industrial control systems
- IT infrastructure
Known IoT risks
According to the OWASP study, the most important risks associated with IoT devices are as follows:
- Weak, guessable, or hardcoded passwords.
- Unneeded or insecure network services running on the device itself.
- Insecure web, backend API, cloud or mobile interfaces in the ecosystem outside of the device.
- Lack of ability to securely update the device.
- Use of deprecated or insecure software components/libraries that could allow the device to be compromised.
- Insufficient privacy protection. User’s personal information is stored on the device or in the ecosystem that is used insecurely.
- Insecure data transfer and storage. Lack of encryption or access control.
- Lack of device management, including asset management, update management, secure decommissioning, systems monitoring, etc.
- Insecure default settings.
- Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack.
Several attacks using IoT devices have become widely known, such as:
- DDoS attack on Krebsonsecurity
- DDoS attack on Dyn
Unprotected IoT devices increase losses from security incidents
In the event of an incident related to IoT infrastructure, the reputational and financial losses of the organization increase.
Based on the risks provided by OWASP, it becomes clear that information security services of companies should prioritize the implementation of security control over IoT devices. Security measures should be taken when:
- There are long-known critical vulnerabilities that cannot be fixed without a device manufacturer.
- There is no logging, or it is poorly organized.
- Encryption and integrity control are present, but only at a basic level.
- IT staff responsible for maintaining systems are not aware of the security issues of IoT devices.
- Employees responsible for information security are not aware of the entire IoT infrastructure of the company.
Methods to increase the security
The solution to the problem cannot be simple. It requires changes to the IT and information security strategies, modification of the organization's existing business processes, technology platforms, interactions with suppliers, etc.
To address remote workers with unsecured IoT: devices
- Consider setting up a separate wireless network with a service set identifier (SSID) for your consumer devices or for the tech-savvy end users, segment your home network with virtual local area networks (VLANs).
- Implement end point detection & response (EDR) which brings greater monitoring and visibility from network to the cloud. EDR is designed to operate outside the corporate network, preventing malware and enable threat hunting.
- Install one of multiple of the following monitoring solutions
- Mobile device management (MDM)
- Identity and access management (IAM
- Zero trust network access (ZTNA)
To address corporate-owned IoT on the network:
- The company must have specialists who know the technical features of IoT devices, have experience working with them, understand the role of IoT infrastructure in the organization, know and apply the basic methods of its protection.
- The planning of IT and information security processes, configuration, and security standards should take into account the presence and characteristics of IoT devices, their architecture, life cycle and subtleties of operation as well as risk and threat models of the IoT landscape.
- Leverage managed service providers (MSPs) who are offering IoT as a service. In the 2020 CompTIA survey found that 53% of MSPs already provide some form of IoT service.
- Invest in security Operations Center as a service (SOCaaS) which are services that manage and monitor logs, devices, clouds, network and assets for internal security and IT teams.
Solving IoT security risks with the help of stocktaking using specialized platforms
Here are several factors that are important from the point of view of information security when stocktaking/inventorying IoT devices:
- Basic properties of the object - what kind of device it is, what it is used for, with which systems it is connected
- Known vulnerabilities
Stocktaking of devices connected to a network can be performed by an IT asset management system and a vulnerability scanner. But in our issue, typical scanners are not suitable for inventorying and assessing vulnerabilities since the list of IoT vulnerabilities in their database is usually limited. In addition, some devices may be too simple, and the scanner will not be able to interact with them, or it will be impossible to install the agents due to hardware and software limitations.
The way out in this situation is passive stocktaking based on the analysis of the activities of IoT devices by a sensor. Classic analyzers of traffic and network flows are not suitable for this. Here a specialized tool is required that can detect IoT devices and classify them.
Passive stocktaking greatly simplifies the process by reducing the number of steps needed and their labor intensity while increasing accuracy.
Using traffic analyses, you can determine:
- Device type
- Device model
- Whether it is manageable or not
- Whether it is vulnerable - based on fingerprints, model, and firmware of the device (already determined)
- Where it is located - by sensor location, signal
- Unused devices
- Migration of devices between offices
- Devices that are incorrectly installed
This data covers the basic needs for information about IoT devices from the point of view of information security.
The sensor transmits data for analysis to the control server, which contains and manages a database of devices.
Based on the collected data, the devices are classified. If a vulnerability or suspicious activity is detected (for example, connection to a botnet C&C), information about a potential incident is sent to the security operation center. Network and behavioral parameters are constantly monitored based on the risk and threat model.
By integrating the inventory system with the configuration management database (CMDB) and getting accurate information about the infected device, the security department can respond quickly and minimize losses from an incident.
A carefully implemented stocktaking allows you to assess risks and threats better. A deep understanding of the IoT infrastructure helps to quickly detect new information security threats. It can also help to determine that some already existing threats are coming from IoT devices.
About the author:
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.