How To Avoid The Security Pitfalls Of The Internet Of Things

IoT Security

The recent headlines about images from baby monitors, CCTV and webcams being posted on a Russian website highlights the security issues with a connected world. There was never any doubt that the Internet of Things (IoT) would complicate the security landscape at home, at business and on your daily commute. But what is clear from this latest hack is that there is a technology component to IoT security that is not being addressed.

It’s called the small business or home network (SOHO). It’s flat and everything with a default gateway to a router is either reaching out to the Internet or potentially accessible over the Internet. That has to stop. Putting anything “directly” on the Internet is a bad idea. There is no reason a baby monitor needs to be internet-accessible to everyone, criminals or otherwise.

The chief security concern comes from the embedded web servers on these different devices that have weak or default passwords. Many devices don’t prompt the user to enter a unique password when they are switched on, so most end up on SOHO networks, straight from the box, offering cybercriminals the opportunity to access the entire network.

There are many devices that are fully connected to the Internet, but actually only need limited access. For example, if a house contains a smart meter that needs to ‘talk’ to the power company, it only needs to have access to that specific IP address. It should not be on the same network as a home entertainment system, heating, air conditioning or temperature control – or worse still, a small business’ network. Put simply: a vulnerability in a digital video recorder should not end up compromising an iPad used in the same building.

At the risk of labouring the point, one of the most-used security sayings is “Security is only as good as the weakest link”. As more devices with poor default configurations are added into networks, the vulnerabilities multiply. Many wireless devices have simple-to-guess passwords that give administrative access.

Take for instance a cybercrime module called Win32/RBrute. It looks for default passwords on routers and access points and if it successfully logs into a router, it changes the default DNS (Domain Name System) settings. Cybercriminals may use this for “click fraud” or to link the network to more malware infected websites.

In the last four months, there has been a constant assault on new devices on the network. Recent attacks on webcams and CCTV, as well as Heart Bleed (a security bug that allows the theft of credentials from a chunk of memory) and Shell Shock (a family of security bugs that were widely exploited to give cybercriminals root access to networks), have forced manufactures to rush patches for hundreds of thousands of devices.

Many users believe that since their device is behind a firewall and the device is not exposed to the Internet, they have nothing to worry about. But nothing could be further from the truth. Advanced malware can and will seek out exploitable devices inside the network and find a way to communicate to cybercriminals once it has infected a device. Not to mention applications and Universal Plug and Play (UPnP) can bypass Firewalls all together.

With a large number of devices expected to join SOHO networks as IoT grows, users and IT admins need to prepare for the cybercriminals who are ready and waiting with malware custom-designed to exploit any network’s weakness.

Ian Trump (unscaled)

Ian Trump is Security Lead at LogicNow. Ian helps to guide and advise the MSP community on security and technical challenges. Ian is also CD, CPM, BA is an ITIL certified information technology (IT) consultant with 17 years of experience in IT security and information technology. Ian maintains a strong commitment to the security community. He is a board member of the Canadian Cyber Defense Challenge and IC2, as well as an editorial review board member for the EDP Audit, Control, and Security newsletter. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch. In 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.