IoT – Putting our Business Networks and Security at Risk

 


Just take a look at any website or catalog, and you will see the availability of hundreds to thousands of connected devices touted to make your life simpler. However, what most don’t consider is how easy it is to hack these devices.

It’s time to integrate security into IoT design.

In the rush to market, both privacy and security are often a distant afterthought, with many manufacturers failing to invest in appropriate security. That has left this entire industry vulnerable to abuse. Even after these security holes are discovered, we don’t learn of the aftereffects for years. Why? Because the devices often do not get updates, and some are not even capable of being updated at all. This creates both new attack vectors and exceptional new surveillance opportunities for hackers and state actors.

IoT devices are mostly unknown “black boxes” filled with proprietary software.

In their bid to get a product to market first, manufacturers rely on pieces of software code, some available for years, stitched together with additional proprietary code to create large sections of the control system that these products use.

IoT, as a general rule, is designed for usability and functionality, and many IoT products do not implement a security-first mindset.  

I often find myself asking, what were they thinking? It seems that they were more interested in getting to market than getting it right. Security was never foremost in their minds.

The risk is higher because proprietary software means that we don’t know how, or even if, the vendors are implementing security.

Hackers love to exploit the vulnerabilities found in these code “snippets” used by the IoT designers. Using those vulnerabilities, they launch attacks on the networks that these IoT devices are connected to. Those attacks may include malware distribution, click fraud, phishing, account takeovers, and distributed denial-of-service (DDoS) attacks.

Unfortunately, many users will never even be aware that their little internet-connected device is being exploited using UPnP proxy attacks. Even if they did know, it is unlikely they could do anything to defend against it except disconnect the device and toss it away.

Many of these attackers rely on vulnerabilities present in a set of network protocols known as Universal Plug and Play (UPnP). These protocols were designed to make it easier for private networks to connect and authorize network services quickly. They were designed not to need the advanced network functionality required for enterprise-class devices.

One of the ways that attackers use these protocols is by establishing multi-purpose proxy botnets, which are elaborate sets of “proxies” that camouflage their activities.

The big problem now is that line managers are purchasing these types of IoT devices for their departments without understanding the implications of connecting them to a corporate network. Many even fail to change the default password. Additionally, they do it without the knowledge or permission of the IT department. Once plugged in, these devices use the UPnP protocols to find the network and connect, automatically configuring themselves with the authenticated network configuration they require. Once joined, they have unrestricted access to your network and all data that passes through it. You have just hooked up a data fire hose to the criminal attacker who gets into those IoT devices.

Your network is now open for data theft and as a launchpad for malicious attacks against others. 

Russia, China, and North Korea: they all want in.

Just check out the news.

Moreover, we also have to worry about Chinese Manufacturing Practices.

We are learning just how much input the Chinese government and its military have over Chinese manufacturers.

Currently, there are over two million vulnerable IoT devices around the globe that came bundled with a peer-to-peer (P2P) communications technology called iLnkP2P, which uses no authentication or encryption and can be easily enumerated. This means that any potential attacker can establish a direct connection to these devices while completely bypassing any firewall restrictions you have in place.

It is time that we get control of all these IoT devices. If you are using them in your business, you need to make sure that all security patches to the software are applied, and that any device is removed if patching is not possible. You might be able to disable the UPnP protocols, but because they are often so tightly integrated, doing so may result in the loss of some functionality.