Many times the threat of not securing IoT devices is not an attack on the device itself, but an attack on the company's larger infrastructure resulting in financial and productivity loss. Gartner claims there are will be over 7 billion connected “things” for business use by 2020. International organizations in particular must now ensure they build security into every new IoT system, or face compliance issues from GDPR and NIS Directive regulators. US firms are going to invest the most in IoT in the coming 12 months: $2.8m. There’s a sizable minority (42%) of organizations involving security teams early on in IoT projects, but conversely the largest number globally (72%) who claim they always define their security needs during projects. However, just 34% said the CISO is ultimately responsible for IoT security, among the lowest worldwide. The company board may discuss the incident recovery plan but have little oversight of the way the company is securing IoT devices in the first place.
The following are real examples of businesses not using IoT security best practices and how they were compromised.
1. Fish Tank Thermostat at Casino
A North American casino recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules. To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data. Anomalous activity detected:
- Transfer of 10GB outside the network
- No other company device had communicated with this external location
- No other company device was sending a comparable amount of outbound data
- Communications took place on a protocol normally associated with audio and video
The tank’s communication patterns included sporadic communications with company devices, but that activity was in line with similarly configured IoT devices. The external data transfers, however, were deemed highly unusual by Darktrace’s AI algorithms.
The data was being transferred to a device in Finland where an attacker had managed to gain control over the tank. This was a clear case of data exfiltration, but far more subtle than typical attempts at data theft. By targeting an unconventional device that had recently
been introduced into the network, the attack managed to evade the casino’s traditional security tools.
2. Architectural Firm Drawing Pads
Designers at an architectural firm were using smart drawing pads to enable them to quickly send schematics and drawings to clients and other staff members. Unbeknownst to the firm, the devices were connected to the office Wi-Fi without having changed the default login
credentials. As such, the devices were widely accessible via a range of channels.
The hacker had used the default login credentials that came with the design pad software to take over the devices. Those credentials, along with their public string for SNMP authentication, were publicly available on Shodan, which also revealed that the devices had open ports for HTTP, HTTPS, Telnet, and SIP.
Darktrace detected the vulnerability when hundreds of external IP addresses from around the world made several thousand of SNMP connections to the devices over UDP port 161. Over 99 percent of these connections contained at least one “GetBulkRequest”, an SNMP operation used for the retrieval of large amounts of data. In response to these requests, the devices issued an exponentially larger number of replies via “GetResponse”, some of which contained as many as 397,000 “GetResponse” objects. In 64 cases, the devices uploaded over 1MB of data.
The target IP addresses were likely spoofed. By sending hundreds of “GetBulkRequests” from the spoofed IPs of the target networks, the IoT drawing pads were forced to send back more than 100 times the number of “GetResponses.” This is testament to the power of reflection and amplification attacks. It’s unclear what other devices were used in this attack, but even a small number of IoT devices at the architectural firm were able to generate an alarming amount of traffic.
The target IPs belonged to websites owned by entertainment and design companies, and even governmental bodies. By reporting on the anomalous SNMP requests as soon as they began, the firm’s security team was able to take the drawing pads offline before damage was done.
3. Infiltrated Refrigeration System at Global Food Chain
A fast food chain managed a significant issue where a flaw in the software running on their storage refrigerators could have allowed attackers to change the temperature of the units, which in turn could have caused widespread food spoilage. The reputational and financial costs of recovering from such a scenario could be crippling. Darktrace AI spotted this latent vulnerability as soon as the technology was installed, as the refrigerators were sending mass-delivery spam emails. Before it had been exploited by a would-be saboteur, the company rectified the flaw.
[See: When Refrigerators Attack]
4. Boardroom's Video Conferencing Unit
Dripping data out slowly over an extended period of time is more likely to go unnoticed, and this was the intention of attackers that broke into the systems of an international sports manufacturer.
New video conferencing equipment in the company’s boardroom was exploited via an unauthenticated remote access tool, and small audio files were leaked to an unknown external server, bit by bit. Playing a high-risk game, with highly confidential boardroom conversations being targeted, the attackers were careful. The individual leaks were never over 10 KB and were performed within office hours, so as not to trigger suspicion.
The hack could have been highly successful if it had continued for long enough. But according to Darktrace AI, the behaviors that this device, the video conferencing system, was manifesting were highly anomalous. That’s because it had learnt how that device normally behaved, and recognized the difference, even though the changes were slow and slight. It saved the company a major data breach.
5. Company Vehicles
Think about securing your company's vehicle fleet when purchasing smart cars. When you buy a new car, internet connectivity is often one of the touted features. Your car can download maps, stream music, or serve as a hotspot for the other devices in your vehicle.
Unfortunately, car companies either don’t know how to secure their vehicles or or don’t care enough to invest the necessary funds. Either way, your life, and those of your employees, are left at risk.
Hackers showed a Wired reporter how it was possible to take control of parts of a Jeep remotely. They weren’t limited to the obvious internet-related functionality, either. From the comfort of their computers, they could disable the vehicle’s brakes.
6. Luxury Goods Manufacturer Fingerprint Scanner
A global luxury goods manufacturer used biometric fingerprint scanners to restrict access to its warehouses. Unbeknown to the security team, an attacker exploited vulnerabilities in one of these connected devices and started surreptitiously changing the biometric data in a suspected attempt to gain access to the highly secure facilities.
The compromise was not detected by the company’s traditional security tools, because the targeted device was not monitored by the IT security team and, notwithstanding this, the activity was too novel to trigger alerts that flagged only ‘known’ malicious behaviors.
Darktrace AI instantly detected the foreign presence, as the infiltrated device started to exhibit highly anomalous patterns of behavior. The compromise was swiftly addressed, and the company unharmed.
7. Office Coffee Machine
Imagine your worst Internet of Things nightmare: Your smart devices attack you. Now imagine a bigger nightmare: Your dependable “smart” coffee maker stops serving your morning brew. What’s the worst that could happen? A hacker burns your coffee? Actually, Avast was able able to configure a coffee maker was into a ransomware machine. Like many smart devices, the coffee maker came with default settings and a Wi-Fi connection, so it worked right out of the box. No password was required to connect to the coffee maker over Wi-Fi, so it was easy to upload malicious code into the machine.
The coffee maker hacked is probably much like one you have in your office. It makes coffee when you push a few buttons on the machine – or when you operate it with an app on your mobile phone or tablet.
8. Remote Access Medical Devices
The proliferation of IoT medical devices (IoMT) will increase security vulnerability in hospitals and clinics. Although there are many articles describing the personal danger of cyber attacks to patients, the financial damage is far more realistic and is what lies at the heart of cyber attacks on the healthcare industry. This means that a new paradigm is required in order to provide full threat prevention to these organizations.
Due to the vast amounts of personal information that hospitals and other healthcare organizations store and transfer electronically, these institutions make for attractive targets to attack. This valuable data can be used to obtain expensive medical services and prescription medications, as well as to fraudulently acquire government health benefits. It is no wonder then that this information can fetch as high as $350 per record on the Dark Web.
The critical nature of healthcare environments also means that many of those involved in the healthcare process often require immediate access to patients’ data across a large range of devices and applications. As a result, downtime to update or patch systems is not an option that is easily afforded. Watch how easy it was to exploit this Ultrasound machine. In addition, this large range of medical devices from many different manufacturers makes for an IT security manager’s nightmare to not only monitor them but also integrate a security policy that incorporates them all.
Tips to keep your IoT Devices Secure
Many IoT devices first connect to your home network via their own Wi-Fi network, which is intended to be used just to set up the machine. Ideally consumers immediately protect that Wi-Fi network with a password. But many devices are sold without a password to protect the Wi-Fi network, and many consumers don’t add one. This is a major vulnerability, because that Wi-Fi network is public in that it is visible to anyone. So hackers can see it and use it to compromise your smart device, for instance by uploading malicious software to it. Once that device is compromised, other devices in the home can later be hacked, too. In fact, the entire network can be accessed via one smart device. Bad actors can even access the computers and mobile devices connected to the network.
We recommend using the Department of Homeland Security's IoT/Mobile Device checklist. If you feel your cybersecurity plan isn't strong enough to defend against IoT hacks, schedule a free consultation with one of our cybersecurity experts now. We will be glad to find the gaps and help build your plan to protect your devices and more.
If you're ready to take the next steps, you could benefit from the following IoT training:
- THINK: IoTBIZ - Find the next scheduled course date
- BUILD: Certified Internet of Things (IoT) Practitioner (CIoTP) - Find the next scheduled course date
- SECURE: Certified Internet of Things (IoT) Security Practitioner- Find the next scheduled course date