SHIoT HAPPENS: Have Hackers Pwned Your Access Points?

By Joe Lea, VP of Product

It seems like the internet-of-things (IoT) is taking over the world, and their use in the enterprise is growing at a rapid pace. In fact, nearly every respondent in a recent McKinsey survey said their organization has an IoT initiative on the roadmap. So if it seems like everything these days has an IP address, you’re right. And at the center of this constellation of devices is the glue that keeps them all connected: the humble – and highly vulnerable – wireless access point.

Network Devices Are Unmanaged Devices

Network devices are a unique phenomenon in today’s cyber landscape. Even though they handle all of the crucial information we wish to protect, they have little or no protections themselves, especially when compared to PCs and mobile devices. While PCs and mobile platforms have well-founded operating systems (OSs) which include inherent mitigations, network devices have only a limited OS if any, with very little mitigations in place.

This makes it much easier to exploit vulnerabilities found in them, while in PC and mobile such vulnerabilities are often unreachable and thus pose no real threat. Furthermore, while other platforms are protected by endpoint security measures forged by years of experience in the fight against cyber threats, network devices aren’t protected by such security measures. As a result, network devices are an extremely valuable prize for hackers, as they provide full access to the desired information, with very little defenses to stand in the way.

Access Point Vulnerabilities And Attacks Are Real

In the first half of 2018, the world was hit with VPNFilter—a malware attack that infected over 500,000 wireless routers and network-attached storage (NAS) systems. The FBI issued a warning for VPNFilter in June of 2018 and stressed that attackers could use a device compromised with VPNFilter to monitor activity, steal website credentials, and monitor Modbus SCADA protocols. That is true, but it was also sort of a “best case” scenario for a VPNFilter infection.

Then, later last year, Armis disclosed BLEEDINGBIT, two critical, chip-level vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki, and Aruba.

These proximity-based vulnerabilities allow an unauthenticated attacker to take control over an access point and move laterally between network segments, creating a bridge between them — effectively breaking network segmentation. Once attackers control the network devices, they gain simultaneous access to all network segments and can even eliminate segmentation altogether, proving enterprises cannot depend on network segmentation alone.

You Can’t Protect What You (Still) Can’t See

The wireless access points on your network that you know about expose you to enough risk as it is. But what about the ones you never knew were there in the first place?

The proliferation of cheap wireless access points and the need to connect more devices or to be able to connect wirelessly to a closer access point in order to get a stronger wireless signal results in users taking things into their own hands. You might have wireless routers and access points connected to Ethernet ports on your network that you aren’t aware of. Without visibility of those devices, there is no way for you to ensure they are properly configured to meet security policies, or that they are patched and updated. You also can’t monitor rogue devices to identify suspicious or malicious activity so you can take action before a compromised device becomes a compromised network.

Don’t Let Wireless Access Points Be Your Achilles Heel

Wireless access points are one of the original IoT devices, and their exposure to the Internet puts them at risk of compromise. You need to recognize that wireless access points are an IoT risk and that traditional security tools and practices are not designed to secure or protect access points in today’s IoT world.

The VPNFilter attack was a wakeup call, and there are some simple things you can do today to minimize the risk. You should start by ensuring default accounts and passwords are changed or disabled on the devices you’re aware of and making sure that the available security controls are properly configured to prevent unauthorized access.

Ultimately, though, you need to have security tools built for IoT—capable of tracking the devices that connect to your network and providing protection even for devices that may not be able to be patched, updated, or directly secured through software or agents. You need a different approach to security that works effectively in an IoT world.