The new, stealthy threats to the Internet of Things – and how to stop them
| ATLANTA
For newcomers to digital security, the possibilities and risks of the Internet of Things can boggle the mind.
We may have as many as 500 connected devices in our homes by 2022, according to an estimate from research firm Gartner. For many of us with only a handful -- or no -- connected devices today, that’s a lot of possibility.
At the same time, the market for security in the IoT will hit nearly $30 billion by 2020, according to an estimate by Markets and Markets. That hints at a lot of risk.
Why is that? While the intention of IoT device makers is to increase efficiency and productivity, they are racing to market with little to no concern for cybersecurity. As a result, these devices bear significant security weaknesses, leaving organizations vulnerable to attack and raising major privacy concerns.
Connected cars, medical devices and security cameras have all been successfully exploited. These intrusions, however, have been largely “traditional” attacks, exploiting the same connections that have provided hackers an entry into everything from Target’s point-of-sale terminals to the emails of Sony executives.
But the risks to the IoT are going to come from places traditional cyberdefenses don’t even consider.
Reading through the presentations at this year’s top conferences for hackers -- DEF CON and Black Hat, which run during the same week of August in Las Vegas -- I saw stark evidence that the IoT is open to attacks that are anything but traditional.
For example, researchers at Cognosec revealed that ZigBee, an open global wireless standard used by IoT device manufacturers like Motorola and Samsung, has critical vulnerabilities that can allow a hacker to easily compromise an entire network. (In general, talks about wireless and software-defined radio as a means of digital compromise dominated the conversation at these conferences.)
Another corporate vulnerability involved hacking into space. Colby Moore exposed how easy it is to access Globalstar’s GPS satellite network, the systems used to track sensitive cargo including military supplies, nuclear materials and more. Unbelievably, Globalstar does not encrypt these communications and the only safeguard to ensure the data is shared strictly between appropriate parties was broadcasting using a spread spectrum, a kind of physical division of each transmission into hard-to-reassemble pieces that Moore was able to reassemble. Doing so would allow Moore to fake his own broadcasts. If he was to disable a Globalstar chip on a cargo shipment, he could broadcast that the shipment was on its proper route, even as he stole it and took it in the opposite direction.
A software exploit presented by Ang Cui at Black Hat called Funtenna can remotely and anonymously exfiltrate data from IoT devices without any Internet access. It intentionally comprises emanation by turning an IoT device into a radio transmitter –- allowing hackers to smuggle data without using the corporate network and, therefore, bypassing all security protocols. Funtenna can turn a simple printer into a radio frequency (RF) leak that can penetrate a 2-foot concrete bunker. In fact, Funtenna-infected IoT devices transmit data in a way that is not currently monitored in the network, revealing a significant and complicated vulnerability in the enterprise.
One highly anticipated talk at DEF CON mysteriously disappeared from the agenda but hints at further, stealthy paths to exploiting the IoT. Picture the following: you walk into your favorite coffee shop or public library and find a secluded spot to put a small transmitter. That transmitter, called ProxyHam and created by Ben Caudill, claims to use a 900-megahertz radio link to anonymously access a WiFi network from as far as two miles away. If someone were to attempt to trace the connection from the Internet to the user at her keyboard, the investigator would only find ProxyHam’s IP address and the wireless network at the coffee shop, ultimately making the user impossible to identify and track.
This low-tech device cannot cause a massive data breach, but it could easily exfiltrate passwords and encryption keys in just a minute or two. Despite being developed for the purpose of enhancing user privacy, ProxyHam created another threat vector for hackers to access corporate environments – and do so without being detected. (Caudill has reportedly since scrapped the ProxyHam).
While it would be ideal for every IoT device to come pre-installed with enhanced security, this is a pipe dream considering the exponential number of devices being developed each day and the lack of IoT security standards or regulations currently in place. ProxyHam and Funtenna are just the first of many untraditional technologies that can be used to anonymously compromise corporate environments. As such, cyberthreats are only going to increase, and hackers will continue to find easier, faster and cheaper ways to consume sensitive data and compromise environments.
How do we fight back?
The enterprise must stay up-to-date on these developments and incorporate IoT into their security strategies. A good first step would be to dust off the bring-your-own-device (BYOD) policy and revise it to include the multitude of other devices and personal clouds that could be residing in corporate environments.
Another opportunity is to increase the frequency in which asset inventory in conducted. You’d be surprised how many companies simply don’t know what’s connected, or trying to connect, to their networks. By maintaining complete situational awareness, especially over third-party devices using uncommon protocols, enterprises can better work with in-house security teams and vendors to ensure that devices are configured properly, and that they are only communicating when necessary.
We’re in somewhat unchartered territory here, but attacks on the IoT, stealthy or not, show no signs of stopping. To speak on this subject further, and provide tips to protect your corporate airspace, I will be presenting at the Security of Things Forum in Cambridge, MA on Sept. 10, 2015.
