If you think your IoT devices are just connected to your own network, think again! IoT devices are usually connected to a network with internet access. And hackers can take control of the devices quite easily.
Consumer IoT (internet of things) devices are ‘smart’ devices which link up with your network for increased capabilities. Some IoT devices include smart lights, smart kitchen appliances, smartwatches, and smart cars. Such devices are becoming common in most households.
But there is a caveat to the increased convenience and functionality. IoT device manufacturers typically focus on customer facing features and time-to-market instead of security. The devices often have glaring security holes that are easy for attackers to infiltrate. This is a challenge for organizations as employees link these devices with office networks. Since home networks are also typically used for corporate work, these devices can be compromised to gain access to enterprise networks.
Some incidents come to mind. You might think that casinos are some of the most secure businesses in the world, but they can be hacked. A few years ago, a group of hackers managed to access a casino’s network via an internet-connected thermometer in an aquarium and extract its high-roller database with all sensitive details.
In 2016, hackers left the residents of two apartment buildings in Lappeenranta, Finland in freezing cold for nearly a week by launching a DDoS attack on their environmental control systems via thermostats. Because both the central heating and hot water systems were attacked, the environmental systems were rebooted in their attempt to fight off the attack and got stuck in an endless loop.
These are just a couple of examples. Over the last few years, IoT hacking incidents have been increasing. Identity and Access Management (IAM) can help.
What Vulnerabilities In IoT Devices Pose a Security Threat?
The vulnerabilities in IoT devices are numerous, which makes for a large surface on which attackers can gain a foothold. Of these, IAM can help with a few.
Poor authentication schemes. Hard-coded and cleartext passwords that are stored locally and transmitted over a network are easy for attackers to intercept and steal. Additionally, IoT devices often have simple default admin credentials which are never prompted for change, so accessing these devices is easy as cake. Attackers can leverage weak authentication schemes in consumer IoT devices to gain persistence, move laterally through a local network, and ultimately gain a foothold with which to move onto enterprise assets. This problem is compounded by the fact that changing passwords can be extremely time consuming in a home with many connected devices. This is evidenced by the thousands of internet-connected devices accessible via Shodan, the connected-device search engine, due to default credential use.5 Furthermore, many devices, such as the Belkin WeMo-enabled Crock-Pot, accept commands from the local network without authentication.6
Corresponding mobile apps are vulnerable to exploits. IoT devices have accompanying apps which are meant for controlling the settings and for issuing commands. Mobile apps are rarely made with security in mind and are also easy to compromise. Attackers can use these apps to gain access to corporate networks.
The firmware is vulnerable to exploits. The devices utilize real-time operating systems embedded in the hardware, which possess several vulnerabilities. Why these are fewer than those found within mobile devices and operating systems such as Windows, it is an additional attack surface from which bad actors can attempt to penetrate a corporate network.
They have hardware vulnerabilities. IoT devices have physical controls like hard-reset buttons and media expansion ports which are vulnerable to attack. While this requires the attacker to have physical access to the device, it nevertheless can’t be ignored as an attack surface. They can steal data from storage media, replace it with something that contains malicious executables, or directly perform command line injections.
They have communication vulnerabilities. This kind of vulnerability is very common in IoT devices. One study showed that 90% of all IoT device traffic is unencrypted, which can lead to man-in-the-middle (MITM) attacks where direct data or password theft can occur. Despite IoT devices being a new technology, they utilize Telnet remote control protocols which is a very popular vector for attackers.
Identity and Access Management Can Help
The IoT introduces the need to manage exponentially more identities than existing IAM systems are required to support. The security industry is seeing a paradigm shift whereby IAM is no longer solely concerned with managing people but also managing the hundreds of thousands of “things” that may be connected to a network. In many instances these things are connected intermittently and may be required to communicate with other things, mobile devices and the backend infrastructure. Some have begun to refer to this new identity ecosystem as the Identity of Things (IDoT). The IDoT refers to the relationships between devices and humans, devices and devices, devices and application/services or a human and an application/services.
Regarding MFA, it is not always feasible to use traditional MFA methods to support strong authentication of things. The Kantara Initiative and others have pointed to the need to research methods that provide context-based authentication as a new factor in an authentication process. Next-Generation authentication organizations like FIDO (USB-based hardware MFA) and CryptoPhoto (out-of-band smartphone MFA) o‑er strong authentication with inbuilt mutual authentication, both of which are suitable for IoT devices, even without screens/keyboards.
On the whole, IoT technology represents a quantum leap in adding a layer of ease and comfort to many activities and makes things possible that weren’t before. But IoT security leaves a lot to be desired. They are hot messes waiting to happen. Whether it be due to poor authentication schemes, vulnerabilities in the devices’ corresponding mobile apps, vulnerable firmware or hardware, or communication vulnerabilities, there’s many ways hackers can infiltrate the devices and reach corporate resources through them.
