ForeScout recently released an IoT Enterprise Risk Report based on research from ethical hacker Samy Kamkar. Based on Kamkar’s findings, the report on IoT security issues could readily be renamed something like, “IoT: the bane of the enterprise environment,” or “IoT brings new meaning to the term ‘Enterprise Risk’.”
The report discusses a significant number of negative findings concerning IoT devices used commercially, such as HVAC sensors and remote management, IP cameras, Wi-Fi printers, smart lighting, and even smart video conferencing.
Adoption of these and similar devices is accelerating in both commercial and residential settings. The report's findings align well with issues pointed out in earlier blogs on locating IoT devices and on lessons learned from IoT: the devices are being deployed for cost cutting and convenience, at the expense of both corporate and personal privacy and security.
Kamkar discovered that IP cameras can be used not only as a beachhead for extending an incursion into the enterprise, but also for surveillance, as in the movie “Eagle Eye” or the TV show “Person of Interest.” These actions are not just a possibility. Recently, a person I know had their home IP camera compromised. They found that not only did the camera register use from the video, but the microphone was activated, creating a very disconcerting situation for their family. Take that to a corporate level and you have something even scarier because of the scope of effect it can have across many individuals. Recently, Forbes published an article about a security system being hacked, giving the authorized white hat hacker access to all internal control systems. If non-malicious people can get access, it is certain that anyone motivated by nefarious means is also out there trying, as is evidenced by my friend’s home camera.
Aside from the privacy and business losses that follow the compromise of IoT devices, the fact that they can also be recruited as bots for DDoS attacks is another pain point. It should motivate anyone operating or considering adopting these devices to ask questions before allowing them onto their home or corporate networks.
Kamkar has some great insights about dealing with IoT security issues, so I suggest you read the report. I am also going to add a few other thoughts on increasing the security of IoT. These are some questions I would ask when considering, or discovering, IoT-enabled devices in the environment:
- Ask vendors whether their devices or services are remotely managed by the vendor, and whether they can provide documentation or third-party certification of the internal security of those management systems, which is what protects the devices from attack or abuse through the vendor's own channel.
- Test all devices for default credentials on web access and every other management interface (SSH, Telnet, SNMP, vendor apps), and change or disable those credentials before the device goes into service.
- Ensure that any IoT systems connected to your environment are accounted for in the corporate security policy and properly gated and protected by security technology (firewalls, IDS/IPS, NAC, etc.) to reduce the possibility of their being exploited.
- Create special monitoring for devices in this category, especially those used for physical security or environmental management, so that you always know their status and notice unexpected behaviour quickly.
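As an added example, not taken from the ForeScout report or the original post, the Python script below shows how the last three questions can be turned into one repeatable audit over a device inventory: it classifies devices by MAC OUI, flags IoT devices sitting outside the VLAN the policy permits for their category, tests management interfaces against a list of default credentials, and flags outbound traffic patterns consistent with a device that has been recruited as a DDoS bot. Every OUI prefix, VLAN name, credential pair, address and flow record is constructed for illustration, not real vendor data. The login routine is injected as a parameter so the example runs offline; a real run would swap `simulated_login` for an HTTP Basic/Digest or SSH attempt against each management interface.

```python
"""Audit an IoT inventory for segmentation, default credentials and egress anomalies.

Added example, not from the ForeScout report. All records, OUI prefixes,
VLAN names, credential pairs and flow data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed OUI-to-category map (hypothetical prefixes, not real vendor OUIs).
IOT_OUI = {
    "a0:11:22": "ip-camera",
    "b4:33:44": "hvac-controller",
    "c8:55:66": "wifi-printer",
}

# Constructed policy: which VLANs each IoT category is allowed to live on.
ALLOWED_VLANS = {
    "ip-camera": {"iot-cameras"},
    "hvac-controller": {"iot-building"},
    "wifi-printer": {"iot-print"},
}

# Constructed default-credential list of the kind printed in device manuals.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "12345"), ("root", ""), ("admin", "password")]


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    vlan: str
    hostname: str


def classify(device: Device) -> str:
    """Return the IoT category for a device by its OUI (first three octets), or 'unknown'."""
    return IOT_OUI.get(device.mac.lower()[:8], "unknown")


def find_misplaced(devices: List[Device]) -> List[Tuple[str, str, str]]:
    """IoT devices whose VLAN is not permitted for their category (segmentation check)."""
    findings = []
    for d in devices:
        cat = classify(d)
        if cat != "unknown" and d.vlan not in ALLOWED_VLANS[cat]:
            findings.append((d.ip, cat, d.vlan))
    return findings


def find_default_creds(devices: List[Device],
                       try_login: Callable[[str, str, str], bool]) -> Dict[str, Tuple[str, str]]:
    """Devices that accept a known default credential pair on their management interface.

    try_login(ip, user, password) -> bool is injected so the audit runs offline here;
    a real run would wrap an HTTP or SSH authentication attempt. Stops at the first hit
    per device to avoid hammering the interface.
    """
    hits: Dict[str, Tuple[str, str]] = {}
    for d in devices:
        if classify(d) == "unknown":
            continue
        for user, pw in DEFAULT_CREDS:
            if try_login(d.ip, user, pw):
                hits[d.ip] = (user, pw)
                break
    return hits


def find_outbound_anomalies(flows: List[Tuple[str, str, int]],
                            max_peers: int = 20, max_bytes: int = 50_000_000) -> Set[str]:
    """Sources talking to many external hosts or sending heavy egress (DDoS-bot indicators).

    flows are (src_ip, dst_ip, bytes_out). Destinations in 10.0.0.0/8 are treated as
    internal and ignored; thresholds are illustrative and should be tuned per device class.
    """
    peers: Dict[str, Set[str]] = defaultdict(set)
    egress: Dict[str, int] = defaultdict(int)
    for src, dst, nbytes in flows:
        if dst.startswith("10."):
            continue
        peers[src].add(dst)
        egress[src] += nbytes
    return {ip for ip in peers if len(peers[ip]) > max_peers or egress[ip] > max_bytes}


# Constructed inventory, as a NAC or DHCP export might provide it.
DEVICES = [
    Device("a0:11:22:00:00:01", "10.0.20.11", "iot-cameras", "cam-lobby"),
    Device("a0:11:22:00:00:02", "10.0.10.45", "corp-users", "cam-loading-dock"),
    Device("b4:33:44:00:00:01", "10.0.30.5", "iot-building", "hvac-roof"),
    Device("c8:55:66:00:00:09", "10.0.10.77", "corp-users", "printer-3f"),
    Device("3c:aa:bb:00:00:01", "10.0.10.12", "corp-users", "laptop-1"),
]

# Constructed stand-in for a real login attempt: which devices still accept which defaults.
_ACCEPTS_DEFAULT = {"10.0.10.45": ("admin", "12345"), "10.0.30.5": ("root", "")}


def simulated_login(ip: str, user: str, pw: str) -> bool:
    return _ACCEPTS_DEFAULT.get(ip) == (user, pw)


# Constructed flow records: the misplaced camera fans out to 25 external hosts,
# the printer pushes 60 MB to one external host, the HVAC unit only talks internally.
FLOWS = [("10.0.10.45", f"203.0.113.{i}", 600) for i in range(1, 26)] + [
    ("10.0.20.11", "198.51.100.7", 3000),
    ("10.0.20.11", "198.51.100.8", 3000),
    ("10.0.30.5", "10.0.0.5", 90_000_000),
    ("10.0.10.77", "198.51.100.9", 60_000_000),
]


def run_audit() -> Dict[str, object]:
    """Run all three checks over the constructed data and return the findings."""
    return {
        "misplaced": find_misplaced(DEVICES),
        "default_creds": find_default_creds(DEVICES, simulated_login),
        "egress_anomalies": find_outbound_anomalies(FLOWS),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(f"{name}: {result}")
```

Feeding the same functions a real DHCP or NAC export and a flow export from the firewall turns the list above into a scheduled job rather than a one-off question; the segmentation check in particular is what tells you whether a device that arrived through facilities or a business unit ever passed through the policy at all.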
Remember, the more visibility you have into IoT devices connecting to your network, the better you can protect your environment.