One thing I regularly hear from CISOs is that they don't have any IoT devices in their business, that IoT is a consumer concern and therefore not a risk to them. This idea may come from a disconnect between how they define an IoT device and an embedded device, or a device running an uncommon operating system that can reach the Internet or communicate by other means. Regardless of what you call it, there are billions of internet-connected devices, many of them vulnerable, in business networks worldwide. In fact, Armis is finding more of these unmanaged devices in corporate environments every day. The visibility gap between unmanaged and managed devices in corporate networks is widening rapidly. As more practical applications of IoT appear, more businesses will incorporate these devices to build efficient processes, data analytics and operational control. And with 5G on the horizon, higher bandwidth and lower latency will make it easier to deploy a far larger volume of such devices in the enterprise.
What Defines IoT
One of the most common IoT devices is likely in your hand or pocket right now: your smartphone, the very device you depend on to send or read sensitive work-related data, perform banking, and communicate personal and business information. Many people don't think of their smartphone as IoT, but any device with an embedded, purpose-specific operating system that can communicate over the Internet should be considered one. Such devices are even riskier when they are mobile and can easily move between network segments, as a phone or tablet does.
The vast majority of these devices are invisible, unmonitored, unprotected, and vulnerable in corporate networks. They are also not easily patched, with hardware/firmware combinations that can go years without an update. Embedded networking stacks are reused across product lines and licensed between vendors, so a single flaw in one of them, like the recently reported URGENT/11 vulnerabilities in a widely used embedded TCP/IP stack, can be exploited across many devices from many manufacturers. IoT devices are largely unmanaged and un-agentable, with predictions that by 2021, 90 percent of the devices found in the workplace will be unmanaged, creating a very serious shadow IoT risk for the company's networks and data.
Where the Threats Are Found
We tend to associate unmanaged risk with BYOD, but enterprise IoT is trending upward dramatically, and we don't always remember that many of the devices we use every day are connected to the internet and exposed to threats. Here are some of the most common enterprise IoT devices and the threats they face.
Printers and VoIP Phones
Printers have been part of the corporate network for decades, but only recently have they started to include features such as web-based portals, remote access and wireless protocols that can be easily exploited. The modernization of the printer's technology stack, coupled with more memory and faster processors, has turned the ordinary printer into a gateway into your network for attackers. This past summer, news broke that Russian hackers affiliated with the GRU had compromised office printers, VoIP phones, and other enterprise IoT devices. The devices were discovered communicating with Russian command and control servers. These printers and other devices were either unpatched or still used their default passwords, making them easy to access and a convenient place to maintain undetected persistence within the victim networks. Because such devices are rarely logged and cannot run an agent, the first and often only signal is on the network: a printer or phone opening connections to destinations it has no business talking to. While nation-state actors were behind these recent intrusions, it is only a matter of time until cybercriminals use these ordinary office devices to gain access to corporate networks and pivot to more valuable targets.
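The network-side check described above, written out as an added example (this is not Armis code and not from the original post): each unmanaged device class gets a short list of peers it legitimately initiates connections to, and every other flow from such a device is a finding, graded higher when the destination is outside the organization's own address space (a possible command and control beacon) and lower when it is another internal host (a possible pivot). The inventory, the allowlist, the internal ranges and the flow records are all constructed, and the one-line flow layout (timestamp, protocol, source, destination) is a hypothetical format rather than any vendor's export.

```python
"""Egress check for unmanaged office devices (printers, VoIP phones).

Added example; not Armis code and not from the original post. The inventory,
the per-class peer allowlist, the internal address ranges and the flow
records are constructed for illustration, and the flow line layout
(timestamp proto src:port dst:port) is a hypothetical format.
"""
import ipaddress

# Constructed inventory: which addresses are unmanaged IoT-class devices.
INVENTORY = {
    "10.0.5.20": "printer",
    "10.0.5.21": "printer",
    "10.0.6.40": "voip-phone",
    "10.0.1.10": "workstation",   # managed host; not covered by this rule
}

# Constructed allowlist: the only (proto, destination, port) triples each
# device class has a reason to initiate: DNS/NTP, the SMTP relay used for
# scan-to-email, the PBX, and the phone provisioning server.
EXPECTED_PEERS = {
    "printer": {("udp", "10.0.2.9", 53), ("udp", "10.0.2.9", 123),
                ("tcp", "10.0.2.8", 25)},
    "voip-phone": {("udp", "10.0.2.9", 53), ("udp", "10.0.2.9", 123),
                   ("udp", "10.0.3.7", 5060), ("tcp", "10.0.3.7", 5061),
                   ("tcp", "10.0.3.8", 80)},
}

# "Internal" means our own address space, not RFC 1918 in general.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RTP_PORTS = range(16384, 32768)   # phone-to-phone media; peers vary per call


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one 'ts proto src:sport dst:dport' record (IPv4 only)."""
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.lower(), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport)}


def classify(flow):
    """Return None if the flow is expected for the source device, else a finding."""
    cls = INVENTORY.get(flow["src"])
    if cls not in EXPECTED_PEERS:
        return None                       # managed or unknown host: out of scope
    if (flow["proto"], flow["dst"], flow["dport"]) in EXPECTED_PEERS[cls]:
        return None
    internal = is_internal(flow["dst"])
    if (cls == "voip-phone" and flow["proto"] == "udp" and internal
            and flow["dport"] in RTP_PORTS):
        return None                       # RTP leg to another phone
    return {
        "ts": flow["ts"], "device": flow["src"], "class": cls,
        "dest": "%s://%s:%d" % (flow["proto"], flow["dst"], flow["dport"]),
        # External peer: possible C2 beacon. Internal peer: possible pivot.
        "severity": "high" if not internal else "medium",
        "reason": ("unexpected external destination" if not internal
                   else "unexpected internal peer"),
    }


def detect(lines):
    return [f for f in (classify(parse_flow(l)) for l in lines if l.strip()) if f]


# Constructed flow records. 203.0.113.0/24 is a documentation range standing
# in for an arbitrary external address.
SAMPLE_FLOWS = """\
2019-08-05T09:12:31Z udp 10.0.6.40:5060 10.0.3.7:5060
2019-08-05T09:12:32Z udp 10.0.6.40:16400 10.0.6.41:16402
2019-08-05T09:13:02Z tcp 10.0.5.20:49152 10.0.2.8:25
2019-08-05T09:14:10Z tcp 10.0.5.20:49160 203.0.113.17:443
2019-08-05T09:14:40Z tcp 10.0.5.21:49201 10.0.1.10:445
2019-08-05T09:15:00Z tcp 10.0.1.10:52000 203.0.113.17:443
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed records it reports two flows: the printer at 10.0.5.20 reaching an external address on 443 (high) and the printer at 10.0.5.21 reaching a workstation on 445 (medium). The workstation's own external connection is ignored because it is a managed host, and the phone's RTP stream to another phone is exempted explicitly rather than by widening the allowlist. The design point is that "internal" is defined as the organization's own ranges: Python's `is_private` would also treat documentation and other special-purpose ranges as private, which is not what an egress rule wants.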
Enterprise Network Equipment
Other devices we take for granted as not being particularly vulnerable are enterprise networking equipment such as routers, switches, firewalls and other specialized third-party networking devices. These devices all run their own embedded operating systems and are an increasingly popular attack vector for threat actors. Attackers are finding creative ways to exploit vulnerabilities in them, causing denial of service or destruction of configuration and data, and in some cases gaining full remote access with elevated privileges. For example, a new variant of the Gafgyt malware (also known as Bashlite) targets routers used in homes and small businesses, using known vulnerabilities to gain access. Attackers take control of the routers to enroll them in botnets that are then used to launch DDoS attacks.
Nation-state hackers and cybercriminals will continue to target enterprise network equipment with zero-days and unpatched operating systems to gain a silent foothold into corporate networks.
Medical Devices
The proliferation of smart medical devices is like millions of open doors into a health provider's network. Nearly two-thirds of healthcare delivery organizations have more IoT devices connected to their network than they have computers, and most have already had security incidents involving those devices. Infusion and insulin pumps account for close to half of medical IoT, and they are enough of a threat that NIST released guidelines (SP 1800-8, Securing Wireless Infusion Pumps) on how to secure them. The Armis platform picked up vulnerabilities in the Becton Dickinson (BD) Alaris™ PC Unit infusion pumps which, if exploited, would cause the pump to crash: a denial of service on a device that delivers medication.
Infusion and insulin pumps are not the only IoT risk in healthcare, of course. Connected cardiac devices have also been found to be susceptible to attack, and even seemingly innocuous devices like a smart pen used on touch screens can serve as a gateway into the network or be the source of a data breach. Many other vulnerabilities in medical devices likely remain undiscovered. As the research community directs more of its effort toward healthcare, it's only a matter of time before more are found.
Connected Gas Pumps
Dark web hackers have recently homed in on a new target: connected gas pumps. Gas pumps have long been a target for credit card theft via card skimmers, but now attackers are going after the pumps' network-connected controllers. This is a relatively new target, following on from smart meter attacks. Attackers may be looking to lower prices remotely, but the attacks will likely become more nefarious: ransomware, supply chain manipulation or extortion. It remains to be seen how these devices will be abused now and in the future. We can fully expect other similar types of embedded devices to be compromised in the near future.
Manufacturing and Industrial Control Systems
IoT has made its way to the factory and is now an integral part of manufacturing. However, many of the networked systems used in manufacturing are legacy systems, using obscure protocols, that were never intended to connect to the internet and have never been patched or upgraded. Many of those protocols carry no authentication at all: any host that can reach a controller can issue commands to it, so knowing which hosts are allowed to is the only control left. Now that these legacy systems are being connected, they expose vulnerabilities that could affect the operational controls of a power plant, water treatment plant or manufacturing site. There have already been several public incidents in which insecure industrial control systems within critical infrastructure were targeted by attackers who were able to shut down operations.
These are just a few examples of how IoT has become an integral part of the enterprise space. IoT vulnerabilities are a problem now, and I expect it only to get worse, especially with no defined security standards for IoT devices and 5G bringing higher bandwidth and lower latency. The time has come to stop thinking of IoT as consumer products and start thinking about the growing number of unmanaged, un-agentable connected devices in the workplace. If IoT security goes unchecked, the consequences to the enterprise will be costly in terms of downtime, data loss, fines, brand damage and the well-being of consumers. If we don't do anything now, the future of IoT will be in the hands of hackers.