Within the last decade, we have witnessed an explosion in connected devices and IoT technologies ranging from smart homes to drones and even autonomous bots. As device manufacturers, application developers and service providers strive to make everything smarter and more connected, cybercriminals and hackers are taking full advantage of the new opportunities.  A huge array of IoT devices open numerous entry points into enterprise networks and make businesses even more vulnerable to cybersecurity breaches.

According to a Gartner report, there will be over 20 billion IoT devices by 2020, as enterprises rapidly adopt connected devices for better process control and to improve their bottom and top line growth. Billions of connected devices will revolutionize how data is processed and consumed, but the associated security risks for businesses should not be underestimated.

Imagine a SMART bulb or HVAC unit in a secure network operation center beaconing its own radio protocol. Connected devices, like these, provide a stepping stone for an attacker, sitting in the parking lot or building, that may allow access to an otherwise secure environment. Because traditional security controls and network security devices are not designed to detect and mitigate these types of threats, IoT devices pose a serious risk to enterprise infrastructure if they aren’t properly managed.

IoT Device Security Vulnerabilities
Many IoT devices lack inherent security controls, which make them attractive targets for the following exploitations:

• Passwords: Most IoT devices have default passwords baked into firmware that provide attackers with direct access to device.  The remaining devices are typically protected by weak passwords that make them easy targets for brute force attacks.
• Protocols: IoT devices use a wide variety of protocols for local and remote server communications.  Any insecure implementation of protocols allow attackers to eavesdrop on messages. For example, MQTT (Message Queuing Telemetry Transport) is a popular publisher/subscriber protocol, used as a broker service to exchange messages between clients. An insecure broker will allow attackers to compromise the IoT network managed by the service.
• Interfaces: Some IoT devices use a restful API interface that allows the sensor to upload information over the Internet. Any insecure implementation allows an attacker to potentially access private information. The Google (News - Alert) NEST thermostat weather update service that leaked the home location of users is a prime example of an insecure restful API interface implementation that attackers would be able to use to their advantage. Almost all IoT devices provide an interface that can be used to manage it from the cloud, web or a mobile device.  If the interface is vulnerable, attackers can leak sensitive information, do account enumeration and mount injection attacks, which may provide the attacker complete control of device. 

Common IoT Attacks
Our ShieldX Labs team has performed detailed analysis of IoT device threats and vulnerabilities. The following list outlines the most common attacks we’ve seen on IoT devices.

• Privilege escalation: Attackers are exploiting IoT device bugs, design flaws and operating system or software application configuration oversights to gain elevated access to resources that are normally protected from an application or user.
• Eavesdropping: If a weakened connection between an IoT device and server is found, an attacker may be able send network traffic to itself. Using this method, attackers are stealing the sensitive information that IoT devices transmit over enterprise networks.
• Brute force password attacks: Due to the weakness of most  IoT device passwords, brute-force attacks can be effectively used to gain access to the device.
• Malicious node injection: Using this method, attackers physically deploy malicious nodes between legitimate nodes in an IoT network. The malicious nodes can then be used to control operations and the data flowing between linked nodes.
• Firmware hijacking: If firmware updates downloaded by an IoT device are not checked to make sure they originate from a legitimate source, it is possible for an attacker to hijack the device and download their own malicious software.
• DoS: Hackers are increasingly turning to denial-of-service (DoS) attacks to take companies offline or steal their sensitive data. It has been reported that DDoS attacks increased 91% in 2017 thanks to IoT.
• Physical tampering: Physical threats exist if devices are deployed in environments where it is difficult for the enterprise to control the device's location and the people who can access it.

As the explosive expansion of IoT continues, we expect to see even more sophisticated attacks.  Attackers will begin to use compromised IoT devices to move laterally inside a network, bypass enterprise security controls and use IoT devices as a pivot to move deeper inside the network.  Additionally, IoT devices will be used as a possible exfiltration route that will allow attackers to send sensitive information to themselves.

The Challenge of IoT Threat Mitigation
All of the IoT attacks listed in the section above are difficult to detect because there are no security mechanisms at the IoT endpoint and the attacker can remain transparent within a traditional enterprise security framework.

Mitigating IoT threats typically requires that the enterprise upgrade firmware or manage components. Both of these tasks can take a substantial amount of time.  When devices are connected to the enterprise network, this time lapse provides a window of opportunity for an attacker to quickly mount a successful attack.

Attackers commonly scan for vulnerable connected devices. Once found, they propagate an attack, like a worm, to compromise a large number of devices in a short amount of time. For example, Mirai Botnet has been used to compromise millions of IoT devices. Additionally, Mirai has been used to launch DoS attacks on cloud and network infrastructure. The DYN managed DNS service infrastructure was attacked by Mirai controlled IoT devices and ended up generating an estimated 1.2 Tbsp of traffic. 

Mirai Attack Example
The ShieldX Labs team recently worked with a leading ISP, who was attacked by a variant of Mirai. The attack exploited a command injection vulnerability in the TR-069 protocol on port 7547. Since this port was open and accessible from the Internet, it enabled an outside attacker to mount a large-scale infection attack, rendering thousands of devices in unworkable condition. During the course of our investigation, we discovered another wave of Mirai attack targeting routers that were using a default username and password combination.

These impacted devices were used as part of a DDoS campaign that targeted the ISP network infrastructure. The large-scale DoS originating from these devices within the network effectively choked the links and reduced the quality of service to its consumers, thus impacting business and consumer confidence in the ISP.

The above example clearly demonstrates the problem with default device configuration and weak passwords.  As many devices offer out-of-box connectivity, most users remain blissfully unaware of the inherent security risks—making them attractive target for attackers.  This is forcing many ISPs to rethink their overall security posture.

Readying Cloud Security for IoT
As many enterprises are moving towards multi-cloud architecture, workloads are segmented and policy-based controls are applied on the connections between various workloads.  However, these basic cloud security controls are too easy for an attacker to defeat in the age of IoT. Once the attacker penetrates the cloud, he can simply blend with the allowed traffic to move laterally from a compromised IoT device to a more attractive target.

To prevent an attacker from moving deep inside the network and blending in with legitimate traffic, enterprises need solutions that allow them to evaluate all the data points from the application exploitation to lateral movement, deploying backdoor and exfiltration of data.  Some of these events may happen over a span of days if the attacker is trying to evade enterprise defenses. Therefore, it is essential to employ solutions that are able to track the complete kill chain and stop an attack before it can cause significant damage to assets.

Protecting against IoT threats in cloud environments requires that we rethink how security controls are applied and enforced. To protect against known and evolving IoT threats, enterprises must have contextual visibility that allows them to monitor different segments and apply policy at a various boundaries as needed to block lateral movements. Automation can be used to continuously discover new applications running or new devices connecting to the network and then apply the appropriate static and dynamic security controls. 

Using a microservice-based architecture for cloud security supports the flexibility necessary to discover IoT threats and apply security and policy controls in single, multi- or hybrid cloud datacenters. Further, it can be helpful to have a tool that can correlate, learn and provide centralized intelligence and policy-based controls through a single user interface. This leads to a consistent approach across multi-cloud and highly virtualized environments, simplifies the management of security and reduces the burden on already over-stretched IT teams.

Bottom line: Enterprise deployment of IoT devices introduces unique enterprise security requirements that are distinct from traditional end point and datacenter defenses. Without a way to limit the type and scope of security breaches, IoT can actually do more harm than good for enterprises. Adopting a comprehensive cloud security strategy will allow enterprises to reap the rewards of IoT without assuming the compounding risks.

About the author: Manuel Nedbal, Founder & CTO, ShieldX Networks, serves as the engineering and architectural lead for the development of the ShieldX platform, and as its overall technical visionary. In his spare time, he leads the engineering organization, trailblazing inventive new approaches to its structure and processes.

Edited by Ken Briodagh


Original Page