The President and the Peloton - A Security Love Story
By Curtis Simpson, CISO
Here's a story we love. The new President has a Peloton and he can't connect it to the White House network. It's a security risk. “Why” you may ask? We love our devices. We want to plug them in, connect them, and bear their fruits right away. But sadly, security is often not considered.
Which is why the recent story in Popular Mechanics about the new President and his Peloton is so compelling. The most innocent of devices is now under review for use by the most powerful person in the world. I want to delve into this a bit more from a CISO's perspective.
Spoiler alert: This is not the first time Armis has encountered a Peloton on a corporate network. We’ve seen them before, so let’s dive in.
Why is an exercise bike a risk worth a national discussion?
The Peloton bikes have been highly successful among consumers, combining smart digital and analog components to deliver a highly engaging, interactive user experience. Looking at the components themselves, this includes features like a camera, screen, real-time voice capture and audio capabilities, all interacting in real time with a cloud service. Even in a home environment such an Internet-connected device poses a security risk, but for many home users prioritizing an engaging exercise experience, the reward will often outweigh the risk.
However, in a government or business environment, such devices should be looked at very differently. Any smart device, including smart exercise equipment like the Peloton, is fundamentally a computer - or an endpoint. As with traditional computers like a laptop or server, they include components like a CPU/processor, memory, an operating system (Android in the case of the Peloton tablet), and likely TCP/IP software libraries that allow for network communications over common protocols. Depending on the device and its features and as with the Peloton bike, it may also have cameras, biometric sensors, microphones, and screens that are controlled by the computer.
Because it is a computer, a smart device is also, inherently, a target for potential exploitation. Any networked device should be treated as potentially vulnerable today, and as likely to be shown definitively vulnerable at some point in the future. If a smart device in a business or government environment is compromised, the impact can be great.
If an attacker is able to successfully compromise a device with audio/visual capabilities (such as a Peloton), there is the potential that they could use features like the microphone or camera to record and export sensitive conversations or video. Remember, a little over a year ago, the FBI issued a warning on smart TVs for just that reason. For reasons we’ll touch on later, breaking into a non-traditional unmanaged device in a corporate or government environment can also help an attacker establish persistence. This persistence can be used to learn more about the environment and enable the attacker to strike when the time is right, with the greatest potential impact.
With a line of sight to business critical assets, a compromised device can be used as a jumping off point to impact what matters most. Examples include medical devices in hospitals, operational technology in manufacturing, automated supply chain facilities and fleets, and more.
I’m getting ahead of myself. Let’s get back to the Peloton using another example of the same popular and substantial IoT device but this time, in a corporate versus government environment.
The Armis Peloton story
As we were working with a new customer on optimizing their upcoming Armis deployment around priority use cases, the customer shared a finding that had only just surfaced on their side.
Through existing network traffic monitoring and alerting capabilities, they had identified that an unknown and previously unidentified device had recently begun sending large amounts of traffic from a controlled area of their network. The unknown device was appearing at the same approximate time every morning and late evening, only to disappear shortly thereafter. With this being a recent discovery, the Armis solution was deployed to help investigate.
Within minutes of deploying the Armis solution into the controlled network, the device was identified beyond a doubt. It was a Peloton bike. It was rapidly determined from there that an employee with the knowledge and access required to manage devices connected to the network had brought their exercise bike into the controlled environment. Their current projects were causing them to spend an increased number of hours in the office, drastically impacting their exercise schedule; the solution? Bring the bike to the office.
The bike was connected to and communicating alongside business critical networks, systems, and data. All that was known to the investigating team was that an IP address in the controlled environment was unique and communicating large amounts of content. In a truly malicious scenario, this could have been far worse.
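The customer's initial signal was exactly what the story describes: a source address inside a controlled segment that is absent from the inventory, sends large volumes, and reappears at the same hours every day. The following is an added example (not Armis code and not the customer's tooling) showing how that triage logic can be expressed over flow records; the segment, inventory and flow lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records (timestamp, source IP, bytes sent); not real data.
# The controlled segment is assumed to be 10.50.0.0/24; .10 and .11 are inventoried hosts.
FLOWS = [
    ("2021-02-01T06:05:00", "10.50.0.10", 120_000),
    ("2021-02-01T06:10:00", "10.50.0.77", 850_000_000),
    ("2021-02-01T21:30:00", "10.50.0.77", 910_000_000),
    ("2021-02-02T06:12:00", "10.50.0.77", 800_000_000),
    ("2021-02-02T21:28:00", "10.50.0.77", 875_000_000),
    ("2021-02-02T14:00:00", "10.50.0.11", 5_000_000),
    ("2021-02-02T14:03:00", "10.50.0.42", 2_000),   # unknown, but low volume, one day
]
CONTROLLED_SEGMENT = ip_network("10.50.0.0/24")
CMDB_KNOWN = {"10.50.0.10", "10.50.0.11"}  # hypothetical CMDB export for the segment


def find_unknown_talkers(flows, known, segment, min_bytes=1_000_000_000, min_days=2):
    """Flag sources inside `segment` that are missing from `known`, have sent at
    least `min_bytes` in total, and appear on at least `min_days` distinct days.
    For each finding, `recurring_hours` lists the hours seen on every one of those
    days, which captures the "same time every morning and evening" pattern."""
    by_src = defaultdict(lambda: {"bytes": 0, "hours_by_day": defaultdict(set)})
    for ts, src, nbytes in flows:
        if src in known or ip_address(src) not in segment:
            continue  # managed host, or traffic not sourced from the controlled segment
        when = datetime.fromisoformat(ts)
        by_src[src]["bytes"] += nbytes
        by_src[src]["hours_by_day"][when.date()].add(when.hour)

    findings = {}
    for src, s in by_src.items():
        days = s["hours_by_day"]
        if s["bytes"] < min_bytes or len(days) < min_days:
            continue
        recurring = sorted(set.intersection(*days.values()))
        findings[src] = {"bytes": s["bytes"], "days": len(days), "recurring_hours": recurring}
    return findings


if __name__ == "__main__":
    for src, info in find_unknown_talkers(FLOWS, CMDB_KNOWN, CONTROLLED_SEGMENT).items():
        print(f"{src}: {info['bytes']} bytes over {info['days']} days, "
              f"recurring at hours {info['recurring_hours']} -> not in CMDB, investigate")
```

The output of this step is only an address and a traffic pattern, which is all the investigating team had; identifying what the device actually is (here, a Peloton) still requires passive device fingerprinting on top of it.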
This story is fundamentally a reminder of the fact that our business environments have drastically changed, as has the overall consumption of smart technology by staff in our overlapping personal and professional lives. The fact is that our environments are no longer made up of primarily servers, PCs/laptops, and tablets. In fact, more traditional IT devices are no longer the largest part of our device populations.
More and more devices communicating over business networks are now unmanaged IoT, OT, and even IT devices into which we often have little visibility or context at the base level required to effectively understand and manage risk. Our CMDBs were incomplete when our environments were primarily servers, laptops, and tablets. Now that unmanaged devices outnumber centrally managed IT and mobile devices in even the most traditional environments, the CMDB has in many cases taken ten steps back.
Our environments have changed, almost overnight. The sheer number of vulnerabilities being disclosed in unmanaged, IoT and OT devices, and the news stories about attacks on them, are both growing in number and frequency. Even top US intelligence agencies have issued a number of critical advisories as of late that directly involve the risk that these devices pose to enterprises and government entities when they remain unidentified and unprotected.
Our environments have changed as has the potential for a significant attack to exploit an often limited understanding of how these changes place our business at greatest risk.
A device by any other name is still unmanaged
For decades, our environments were comprised of primarily managed IT devices, with known outliers and a handful of IT devices that we could never quite find or track, but a small overall percentage. Now, at least 40% of most environments are made up of devices where, like the Peloton, little more than an IP address and some basic traffic details are known about the device.
Similarly, many of the highly effective security solutions within our stacks have rapidly become less effective or irrelevant in the face of this new form of computer or endpoint. Many traditional solutions were designed to be effective when they could actively interact with a device, often through an agent. This model is fundamentally not applicable to critical OT devices and networks, or to commonly walled-off IoT devices that only respond well to expected communications and commonly fail when used outside of their basic streamlined purposes.
This general lack of visibility is having an impact on our ability to truly develop and execute the most effective strategy in protection of our evolving business and its critical strategy.
If we come back to the basics and how we’ve built and executed effective risk management strategies over our careers, it first comes down to understanding what matters most to our business - and secondly, understanding what is impacting that which matters most at greatest risk. Based upon this information, we can establish and execute a strategy that has the greatest impact on cyber resiliency within our organizations.
From a technical perspective, this truly means that we must establish and maintain a continuous understanding of what devices are running on our networks and which have the greatest opportunity to directly or indirectly impact critical assets, systems and services that are in direct support of core and critical business solutions and strategies. This applies even to control planes or backplanes powered by IoT, like our actual networks, and the need to continuously understand whether the underlying devices are at risk or in the process of being actively exploited.
Efforts such as segmentation remain an important part of our risk management strategies. However, segmentation is not a strategy on its own. Instead, we should treat safeguarding business critical solutions or services and their underlying technologies, and ensuring their rapid recovery, as the strategy. This strategy is in turn empowered first through an understanding of what we have, how our environment intercommunicates, where we’re most at risk, and when data-driven segmentation or other efforts might support a corresponding risk reduction strategy.
To be effective, our visibility strategies should include the adoption of capabilities that do not rely on agents and active interactions with devices but rather perform in a passive, agentless manner, avoiding any disruption to our business environments. Maturing our programs with solutions that can provide this integrated context and insights can help our teams not only identify when a Peloton is being connected to the network, but actually enable a policy-driven approach to address and remediate this situation, if necessary.
These devices are being introduced into our environments at a growing rate that shows no signs of slowing down. Vulnerabilities associated with these unmanaged devices, both business critical and not, are being disclosed at an equally breakneck pace, as are the attacks associated with their exploitation. However, it's not all doom and gloom.
What's truly needed to succeed in this quest? A single pane of glass providing visibility into all devices in our environments, along with their intercommunications and the deviations in behavior that show signs of malicious or concerning activity, interpreted with business context in mind. Risk-based alerting, enforcement of policies, and enriching other capabilities in the stack with context about unmanaged devices is truly what's needed today and is the foundation for success. By applying the modern and effective passive approach to continuously discover, identify, and establish a contextual understanding of every networked device across the business environment, you can gain an understanding of which devices are having an immediate and material impact on the programs around you. Even when that is a Peloton connecting to your network.