The Dark Side of the IoT: Potential Threats Abound
With the Internet of Things coming to every business in one way or another, it's critical that organizations brace themselves for the risks that come with an around-the-clock network of devices exchanging data. And make no mistake: The risks are numerous, and the list is getting longer all the time.
Like it or not, the IoT is a tempting new target and is also a platform for launching new approaches to tried-and-true attack strategies.
What's more, the nature of the IoT — embedded devices, convergence, cloud-based controls, and a wide variety of communications protocols — adds some serious challenges to IT security teams' to-do lists. As Ed Skoudis, faculty fellow and penetration testing curriculum lead at the SANS Institute, put it during a keynote panel at the RSA Conference in San Francisco in February, "This stuff gets complicated really, really fast."
In other words, IT security teams need to come at securing this fast-growing area with new tools, fresh perspectives, and some serious risk analysis. In a previous post (LINK TO FIRST POST), we established the push and pull of the IoT — that it represents significant business opportunities that more than balance out this expanded universe of threats. Now let's drill down into this growing threat profile for a better understanding of what organizations should expect to face.
Ransomware has evolved into a favorite method for attackers, but the IoT is allowing this category to evolve into something much more nefarious. In the pre-IoT "old days," ransomware attacks were very specific: The bad guy gets access to some data, locks it up, and asks for ransom to get it back. But attackers have figured out that the IoT allows them to achieve the same result in many new ways.
For example, attackers can use the IoT to literally shut down portions of a business. We saw this last year when attackers took over the room key system of a hotel in Austria. There's potential for attackers to take over manufacturing equipment, traffic light controls, or even police and fire dispatch systems. The possibilities are downright dizzying.
Even seemingly mundane IoT assets could help bad guys achieve their objectives. Skoudis told the RSA Conference audience that a recent attack on the San Francisco Transit Authority interrupted its ability to take payments, but had no affect on the ability to operate its MUNI trains. SFTA simply allowed passengers to ride for free until it had shored up the vulnerability, in this case without paying the ransom. The next time, the SFTA may not be so fortunate.
Things can get even more esoteric when attackers start using the IoT to make it seem like there's an immediate threat.
"If I can make somebody believe I have control over something, this is really using psychology to extract money," Gil Sorebo, chief cybersecurity strategist at government and healthcare consultancy Leidos, said during a panel discussion at the RSA Conference.
That psychology will become even more powerful as attackers get more brazen with their demands. So don't expect future attacks to ask for the mere $1,800 ransom attackers sought from the Austrian hotel. Eventually, the bad guys will figure out their targets' optimum pain threshold.
"They're working on their pricing strategy," Sorebo quipped at the RSA Conference.
The potential damage that can be inflicted in an IoT DDoS attack is downright nerve-wracking. The IoT-based attack that used security surveillance cameras to bring down more than 1200 web sites around the world last fall will seem like a trifle compared to the possible scenarios the security community is envisioning.
Take a so-called Smart City. San Diego, which has jumped to the forefront in connecting its array of services via the IoT, could be crippled in many ways by well-thought-out attacks.
"Imagine a hacker targeting a city by compromising IP cameras and bringing down police and fire department eyes on the city," Chad Bacher, senior VP of product strategy and technology alliances for security firm Webroot, said during an RSA Conference presentation. "It's exponentially more risky than a traditional IT environment."
Thanks to the IoT, the sheer number of possible points-of-entry and devices to protect is steadily growing beyond what most IT teams can keep up with. Continuing with the Smart City example, Bacher noted just how expanded of an attack vector landscape the IoT presents, with remote IP cameras, traffic signals, connected cars, sewer and water delivery systems, electrical grids…the list goes on and on. And all of these endpoints are talking to each other, creating a monumental challenge in managing and securing all of those data flows.
Ed Fok, a transportation technologies specialist with the Federal Highway Administration, got RSA Conference attendees thinking hard when he offered up a scenario in which hackers cut off the warning systems on self-driving cars, thereby preventing alerts from warning drivers of pending accidents. Suppressing an alert could have implications in a number of IoT-enabled settings, raising concerns of hackers being able to actually "weaponize" IoT devices.
The takeaway is that security teams tasked with locking down IoT devices and networks have to turn over every rock in doing so.
"We're seeing entry points that we've never seen before," said Fok, declining to offer detailed examples lest they tip off the bad guys. "Let's just say we're looking and leave it at that."
The potential for IoT devices and systems to be used by a disgruntled employee or contractor to launch an attack on their employer represents fertile ground. And given that an insider threat field guide recently released by Intel offers up a matrix of more than 60 attack vectors, there's a lot of possibilities IT security teams must consider.
Changing risk profiles
The evolution of all of these attack categories serve as a reminder that the IoT increases the speed and scope with which risk profiles are changing. The implications for network infrastructure are wide ranging, as scanning and monitoring activities need to be ramped up, as do network intelligence capabilities. In essence, organizations need to work harder on preparing to be prepared.
"We're already trying to think 10-15 years down the road, what kinds of resilient networks do we need to put in?", Gary Hayslip, CISO for the City of San Diego, told RSA Conference attendees. "I'm very paranoid about these new things we're bringing in."
And well he should be. But that paranoia shouldn't stop organizations from taking full advantage of all the IoT has to offer. That said, they must take every necessary step to ensure that they've armed themselves sufficiently to prevent the IoT's inherent vulnerabilities from spiraling out of control.
Addressing the dark side needs to start with your network infrastructure. Learn more about the IoT, its impact on your organization’s network and how ALE can help you address it.