Fishing for trouble in a smart fish tank
Dr Mike Lloyd, CTO at RedSeal, looks at why the network is the new battlefront in the war on IoT threats.
The Internet of Things (IoT) is already deeply embedded into modern society. It dispenses life-saving medicines, keeps planes in the sky, and ensures our utilities are always available. It plays our favourite TV shows on demand, keeps us fit and healthy, and makes us more productive in the workplace. There’s just one problem: it’s riddled with cybersecurity vulnerabilities capable of causing data breaches and costly service outages. Despite evidence suggesting customers are increasingly willing to pay for more secure kit, IoT makers continue to prioritise time to market. So what can IT leaders do to mitigate these growing risks?
It all boils down to network resilience. Gain a better understanding of how your network works and where key vulnerabilities lie, and you’ll be able to implement effective segmentation to reap all the benefits of IoT without succumbing to data loss or damaging outages.
Fishing for trouble
An interesting cyber-attack publicised recently highlights perfectly the challenges facing organisations today. Even if IT teams vet IoT systems installed in key production environments, there may be other, innocuous-seeming connected devices which haven’t been properly secured. That’s what happened to a North American casino recently when it suffered a cyber-attack launched after hackers exploited a vulnerability in a connected fish tank.
Yes, that’s right. A ‘smart’ fish tank. It might sound ridiculous but it actually makes a lot of sense. After all, why would you pay through to nose to have maintenance engineers come round to service and clean your expensive fish tank if you can use the power of IoT to remotely adjust temperature, airflow etc. to ensure it operates at maximum efficiency?
However, hackers are well aware that these devices need to be internet-connected to work. They also often contain few built-in security controls out of the factory and may be poorly configured, making them attractive targets. Suddenly your IoT device becomes an insecure endpoint which attackers could use as a beachhead into your corporate network.
This is what happened in the case of the casino. It’s a classic “leapfrog” or “steppingstone” approach in which the bad guys compromise machine A – in this case the IoT device – and use this as a toe-hold to move out into the network to attack machine B, which was previously hidden from them. It’s stealthy, dangerous and can be a highly effective strategy – hackers can launch attacks from anywhere in the world knowing they’ll be able to hide under the anonymising blanket of the Internet to evade prosecution. Once inside the network attackers could pivot to customer databases, online stores of highly sensitive IP and more. By the time the casino had discovered what happened, malware was already sending stolen data to a server in Finland.
It doesn’t have to be a smart fish tank, of course. It could just as easily be a connected kettle in your office kitchen, or perhaps a smart CCTV camera. In fact, a recently discovered software flaw in a widely used third-party toolkit called gSOAP (Simple Object Access Protocol) could mean tens of millions of IoT devices are vulnerable to remote attack, including some of the world’s most popular connected security cameras. It means hackers could in theory remotely monitor an office, bide their time and then switch off the cameras while their colleagues rob the place.
A network full of threats
So, what are IoT device manufacturers doing to improve security in their products? While some enterprise-grade kit may ship with extra protections, it’s certainly not the case across the board. The problem is a common one: extra security simply costs too much and takes too long to implement on mass-produced products like these Internet-connected “things”. They’re produced as cheaply and rapidly as possible; the focus for manufacturers is on getting their gadgets out to market before a competitor drives them out of business by getting there first.
Can we expect politicians and litigators to help? Despite the introduction of new legislation in the US designed to improve baseline IoT security standards for government device makers, it could take years to filter best practices through to the market. Plus, this is just the United States: IoT security is a global challenge. How about the courts? Unfortunately, liability lawsuits are also confined to specific countries, limiting their impact.
In fact, as we’ve seen with gSOAP, even manufacturers who take security seriously may find vulnerabilities creeping into their products: it’s inevitable. The problems are compounded by the sheer number of products being released into the market, many of which reuse potentially vulnerable software components to further cut time and costs.
Once a critical vulnerability has been discovered, the challenge then is to fix it. Recalling a million smart security cameras is simply infeasible. How about an over-the-air update? It might be possible for your iPhone or Android device, but this is an expensive and highly complex process which Google, Apple and others make appear far easier and more seamless than it actually is. We just can’t expect small-scale IoT manufacturers to have the same capabilities. In fact, hackers could theoretically hijack the software update mechanism itself to cause even more chaos.
All of which leads us to the unsavoury conclusion that corporate networks are increasingly populated with insecure, buggy devices that are unlikely ever to be fixed and yet offer remote attackers a clear avenue through which to target our most sensitive data.
Fortunately, there is a solution. These devices are a threat precisely because they are networked, so to mitigate the threat, we should use the network. We need to better understand our networks and make them more resilient and transparent. Your end goal here should be segmentation – ensuring critical parts of your network where, for example, customer data may be kept, are separate from non-critical parts hosting smart fish tanks and other potentially insecure IoT kit.
Tools exist today which can map the network down to the last detail, working out all access paths from everywhere to everywhere else. The best ones can go into granular levels of detail to help you understand whether each individual network element is properly hardened; if all network elements together produce a network with good segmentation; and if an attacker does strike, what they’ll be able to break into and how you can stop them.
As more and more businesses plug in to the Internet of Things, this is will have to be a major and ongoing focus area for IT teams.