IoT unlocks the door to hackers

The Internet of Things is a buzz phrase we hear used regularly but it is one which is prone to misconception and misunderstanding.

Connecting devices, such as a kettle or light bulbs, over the internet and allowing them to communicate with each other and ourselves is the essence of the IoT. Smart fridges will order your shopping when supplies run low. A smart heating system can be activated from wherever you might be. It sounds simple enough but of course the reality is more complicated than that – particularly as these devices become more ubiquitous and even more so in the context of smart cities, smart traffic systems or smart manufacturing.

Smart might be the word used to preface many IoT applications – but just how clever is the technology and what are its real capabilities?

A taste of what businesses can expect came in October 2016 when thousands of internet-enabled devices were “hijacked” by hackers and used to launch a massive attack which blocked user access to major websites such as CNN and the Wall Street Journal.

The hackers took control of the devices after infecting them with malicious code to turn them into botnets which then fronted a distributed denial of service (DDoS) attack.

The sophistication of the strike took many observers by surprise but experts say they have been warning about such a possibility for years.

“To those in cyber security, this was already well known,” says Massimo Cotrozzi, director of cyber security at Deloitte.

The IoT-based DDoS attack was undoubtedly a wakeup call regarding the vulnerability of these devices but Cotrozzi says some companies are “still in denial” as they try to figure out how to address the problem.

While board understanding around cyber issues has improved considerably in the last few years, Cotrozzi believes there is still more to do.

“Cyber has the attention of the board,” he says. “But currently, only a few boards are taking action to build cyber resilience.”

To emphasise his point, Cotrozzi says IoT vulnerability has to be examined in light of how businesses have dealt with their cyber exposures historically. Prevention is not always possible so the way in which a breach is handled is crucial.

“Companies have invested a lot of money in trying to fix the perimeter – effectively trying to stop people getting in,” Cotrozzi says.

“Now most people understand that you cannot really block a determined hacker from getting through some of the defence layers. What you can do is monitor attackers when they get in, understand how they operate and intercept them before any damage is done.

“Some organisations are now trying to prevent hackers from getting in by moving the target.

“An attack has several phases. Rather than try and block activity, you need to go back to the chain, try to find other indicators you might have missed and understand tactics, techniques and procedures. This should help profile who might be behind the attack and influence how you might prevent them taking further steps.”

No upgrade functions
So how does this work in the context of IoT exposure?

Many IoT devices still do not have upgrade functions. This means that if a vulnerability is found, you cannot fix it.

Worse, the exposure needs no interaction.

“Having a vulnerable IoT device connected via your wireless is almost like having a plug to your network in the street,” says Cotrozzi. “You cannot know who connects to that.”

When expressed in such stark terms the implications are obvious but still not enough companies consider the risk in this way. Nor do they realise or examine the effects of other external factors.

The involvement of third parties raises the level of risk further for businesses which could also become unwitting victims.

One company was reported to have suffered a cyber breach because of a new IoT heating system fitted by the management of its office.

The office management connected the heating system via the internet so they could manage it remotely but to save on equipment costs they used the tenant company’s router to connect to the internet.

The IoT heating was connected to the back-end system and an attacker breached into the management company, routed through that to the back-end systems and hacked the tenant business.

Such methods of attack, combined with DDoS “botnet” hijackings imply that breaches using the IoT are complex and require serious planning.

In fact it is easier than taking over a standard computer because all too often users do not consider them to be computers and so do not take adequate precautions. Awareness, understanding and also an inability to upgrade security are clear concerns which need to be addressed.

Martin Borrett, chief technology officer at IBM Security Europe, says “fundamental problems” exist around IoT.

“Some of the devices used cannot change the default password they are just hard coded into the device.”

So how can firms better protect themselves against IoT weaknesses?

“Fundamentally everyone needs to take a secure by design approach,” says Borrett.

“The manufacturers of those pieces of equipment need to think about security from the outset. It is something they need to bake into the DNA of whatever it is they are doing.

“That said you still have to live with what you have got so you cannot think about replacing every CCTV camera everywhere just because it is not sufficiently secured. You also need some sort of security visibility layer that tells you when suspicious things are happening – that is the mitigation strategy. Ideally you code it securely, you change the default passwords, you conduct penetration testing – you do all these well-known procedures but there will always be some gap and then you need that mitigation strategy.

“With the Internet of Things there has perhaps been a failure to appreciate the interconnectedness of devices in other ways. It is going to open up vulnerabilities.”

Ransomware
Risk exposures for connected cars have become a particularly hot topic since a well-publicised hack on a Jeep by security researchers who used the vehicle’s internet-enabled entertainment system to take control.

“It has been fascinating how everyone has been playing catch up since the Jeep attack,” says Borrett. “There has been a lot of rhetoric prior to that that you could not control a car remotely without physical access to it and that clearly was not the case in this instance.

“It is fascinating when you look at how complex cars have become – they are like small data centres on wheels with several networks and different levels of connectivity. Yet if you contrast it with a real data centre and it has physical security around the perimeter, you have to have badge access to get in, you have firewalls, intrusion detection systems – none of that is present in a car yet you have almost the same computing environment.

“You need these protection systems and we are starting to see manufacturers build them in now to mitigate different vulnerabilities.

“If you look at reports of these incidents currently they are generally by researchers but it is not so hard to imagine ransomware for example being deployed against cars. What about going to your car in the morning and not being able to get into it to go to work unless you pay a ransom?”

The implications of that for companies with fleets of vehicles bears serious consideration.

The fact that IoT devices in domestic use are particularly at risk raises another issue for businesses as so many employees now operate remotely.

“We talk a lot about bringing your own device but not about what happens when you bring your office home,” Cotrozzi says.

“When you take the device home it is not protected in the same way as when you’re in your office. You don’t have a firewall or security monitoring or many of the systems you have as standard at organisations. That leaves you with less protection.”

To counter this, Deloitte has developed specific home-based security units for people who need to work away from the office where they have their own kit – but protection is only as effective as the people who use it. So education continues to have an important role.

“We have a Cyber Transformation Unit,” says Cotrozzi, “which helps organisations understand their threat landscape, vulnerabilities and how an attacker might see them. We demonstrate how it works and help them ensure that all their business processes have the proper security in place.

“Managed the right way, security not only has a positive impact on the safety and security of the whole organisation, it can also streamline operations. We are helping clients understand how they can do this securely.”