by Nadir Izrael, CTO & Co-Founder
Last week the hit HBO show Silicon Valley had a storyline that was near and dear to my heart. The episode showed the team from Pied Piper resorting to the use of Wi-Fi Pineapple devices for a man-in-the-middle (MITM) attack that misdirected attendees of the Hooli user convention (HooliCon) to secretly force downloads of their app onto the attendee devices.
Once again art imitates life: this time where malicious devices are used to misdirect users and gain unauthorized access. Now that may seem a little harsh to say against the "heros" of the show, but at Armis, we have seen how devices like Pineapples have been used maliciously to infiltrate organizations. This episode illustrates a very real issue facing businesses in our connected age: the challenges of discovering all of the connected devices in the workplace, and what they are connecting to.
Discovering The Pineapple
A WiFi Pineapple is a classic wireless honeypot that allows users to carry out man-in-the-middle attacks. Connected clients' traffic goes through the device, which gives the hacker numerous opportunities to exploit the users. We have discovered these for our clients for some time. Honestly, it is always a bit unnerving.
Like many of our clients, the team at the fictional HooliCon was blind to the existence of these devices and what they were doing. The only way to find them was to call in a "tactical response team" sweeping the conference floor with Yagi antennas. That is not a scalable strategy.
This is a very reactive approach to addressing wireless security issues in this new millennium. It' great fodder for a TV show, but not for businesses looking to stay ahead of those who wish to break into your network and gain access to your devices and data. And while a malicious hotspot is easy to label as a bad actor in your environment, there are a lot of other devices you need to be equally concerned about.
Discovering IoT Devices
The fact is you don't need hidden wireless honeypots in your environment to be exposed. The explosion of IoT devices with new connectivity, access, data, and promised efficiency bring exposure, too. These devices are by their very nature designed to connect, usually wirelessly. This is why the Pineapple was so effective. Unfortunately for most of these devices, security is an after thought. This is a critical exposure given you can't put an agent on the devices to protect them.
These IoT devices are not just the smart phones, smart TVs, watches, digital assistants and more that employees and facilities may be walking into your businesses. Wireless devices are at the core of the devices seen throughout the health care organizations from heart monitors to insulin pumps to MRI machines. They are at the heart of new millennium patient care. And they are not adequately protected. Nor are the new wireless devices on production lines industry and manufacturing tracking quality and activity. These devices are part of business critical processes, but in many cases have no protection. And no, air gapping them is not enough. But I'll tackle that in another blog shortly.
You Must See All Devices
Businesses do not have a choice: they must see all the devices in their environment (managed, unmanaged, IoT, etc.), and know the connections those devices make in real time. You can't rely on reactive Rapid Response Teams or Yagi antennas.
Visibility is the first step. Then you need to profile and track the devices, to understand if they are behaving correctly - or suspiciously. The last step is control; specifically, the ability to stop unmanaged devices from connecting to other devices or networks. Connections that may be via Wi-Fi, Bluetooth, zigbee, or any of the other new protocols in business today.
Businesses need this visibility and control not in reaction suspicious behavior from devices perpetrated by a struggling start up (Pied Piper, that is) on an event floor. No, businesses need this as a part of their standard security processes in a world where new devices are the norm, and traditional security solutions are not enough.
Who knows, perhaps we'll hear from Hooli IT sometime soon. But in the meantime, we'll have to wait for the next episode to see the fallout from last week' show.