The Internet of Things (IoT) is everywhere. For most, the utility of having Internet-connected, fully-capable computing baked into everyday objects is a great leap forward in technological capability—surveillance cameras that alert our cellphones when they see something suspicious, thermostats that check tomorrow’s weather report, and ovens that can look up recipes. All very practical. However, for many IT security professionals IoT has become an invisible, pervasive threat, lurking like mosquitos in the bogs of our organizations.
OWASP IoT Top Ten
In several weeks, the Open Web Application Security Project (OWASP) will release an update to the OWASP IoT Top 10 2018 [1] that will likely include the following security issues:
- Weak, guessable passwords
- Insecure protocols
- Insecure access interfaces
- Insecure components
- Lack of secure update mechanisms
- Insufficient privacy
- Insecure data transfer
- Lack of physical hardening
- Insufficient security configuration
- Lack of device management
None of these security problems are unexpected for anyone who’s looked at IoT security (or the lack thereof). But what level of danger does this present for organizations?
The Advancing Threat of IoT
Back in January 2017, F5 Labs talked about how IoT threats were about to grow beyond denial-of-service and move into other areas of cybercrime. Just like any other area of technological adoption, we’ve seen IoT hacking move from an explorer phase (where grey hat hackers dabble with pranks), to a pioneer phase (with new criminal business models being explored, such as DDoS thingbots). Now we are entering a period of full commercial exploitation with massive thingbot networks, cryptocurrency mining [2], and wholesale invasions of privacy [3]. Indeed, F5 Labs researchers have uncovered and documented how IoT represents an existential threat to our modern way of life.
Caging the Threat
What can IT and cyber-security professionals do about this? Jared Reimer, the founder and CTO of Cascadeo, asks, “Does any IT department or CISO really know about the myriad IoT stuff already going on within their companies? Of course, the IoT is a back door into otherwise-secure networks and supporting infrastructure, but what else?”
Indeed, IoT devices run stripped-down operating systems (usually Linux) which are far from the standard enterprise-manageable computers racked in secure facilities attached to managed networks. IoT is designed to be plug-and-play and live anywhere using all kinds of connectivity—including network cables, Wi-Fi, and even cellular gateways. This represents the first challenge for IT: locating and classifying the IoT devices within the organization.
Step 1: Communicate a Policy of IoT Custodianship
The first step in attacking this problem is to set and communicate a policy of ownership for IoT devices across the enterprise. This is not as straightforward as one would think. There are a lot of devices and tools that traditionally fall outside the purview of IT that now have IoT capability. For example, F5 Labs discovered vulnerable IoT gateways as part of emergency responder vehicle fleets. The responsibility for management and lockdown of these devices may have fallen to auto mechanics or even the drivers themselves. It is because IoT is invisibly embedded in what were once non-Internet-connected “things” such as vehicles, doors, pumps, and HVAC systems that it escapes notice. There needs to be a clear policy, with associated training for the entire organization: before anyone purchases, uses, or connects any device with a computer in it, IT must be consulted. The training should stress the reason why: inattention to IoT security could lead to severe cyber-security incidents at your company or others. Provide examples, such as how IoT coffee pots can be co-opted into a thingbot or how police cars can be tracked by anonymous attackers via IoT privacy leakage.
Step 2: Define Acceptable IoT
Second, the security team needs to provide a secure and practical standard for IoT usage within the organization. The OWASP IoT Top 10 is a good guide to what you don’t want to have running in your organization. Kip Boyle, CEO of Cyber Risk Opportunities, suggests, “IoT requirements should include capabilities for secure configuration and centralized management from makers that release regular security updates.” Kip also notes that “you should be cheerfully prepared to spend more to get the IoT security you deserve.”