Securer Things: Cybersecurity Awareness for IoT

There is little doubt that the state of cybersecurity is under a constant barrage of criticism and gloom.  From bad press affecting the very livelihood of businesses, and misanthropic-like  attitudes toward technology in general, we can forget about the inclusiveness that this same technology brings. The innovation of capabilities like adaptive gaming controllers and or software that level the field  for persons with disability is arguably one of the best vision executions of improving life. You are invited to witness a child seeing colors, hearing, being able to play a game, or actually communicating with loved ones more readily for the first time in their life if you do not agree. Actually, you are invited to witness this in general, it will undoubtedly brighten your day and outlook.    

Yet, these same marvels of human creation appear often to be developed with security as an afterthought. This is not a sentiment meant to disparage our innovators. The internet is still the wild west, and we need to recognize that suddenly instituting proper security on all levels is no easy task, for many reasons. Slowing down in development to incorporate and test can interfere with not only the scope of a project and its time to market, but also may wreak havoc on the creative genius that brings new IoT devices to life at all.

 Unfortunately, until our DevSecOps discussions and pipelines feel as natural as putting on a seatbelt before driving down the road, threat actors will take advantage of security flaws inadvertently served up on a platter. We do not have to search far or wide to find real-world examples of IoT gone wrong. Certainly we have all heard reports of compromise involving:

• Baby monitors and cameras - authentication bypass allowing some creep to view, record, or otherwise manipulate them.
• HVACs -  buffer overflows that crash systems, causing extensive damage to property, or RCEs allowing lateral movement into additional devices on the network.
• Routers - botnet activity, backdooring, network control (including access for sell).

The consequences of a successful compromise are no secret by now. Spyware, ransomware, and data exfiltration/manipulation/destruction services unfortunately have active markets, and their vendors operate under varying degrees of perceived morality and tactics.  Even our healthcare providers are not exempt from attack, and alarmingly, are increasingly targeted. Fax machines, printers, and workstations are notoriously harvested for PII, but further, IoMT devices as unassuming as IV pumps are landing on exploitation radars as well. 

The basic truth is that IoT devices are often simple purpose devices and do not possess the kind of built-in security that something  so integrated in our personal and business networks should have. Much ado could also be made about the apps they include for our convenience, which leave alarming gaps in security. In fact,  simple purpose apps in general  (for example the recently disclosed WiFi Mouse App RCE exploit) can quickly ruin the integrity of any otherwise secure network . With compromises as far-reaching as the aptly named Ripple20, no industry or use-case seems immune.

The list highlighting potential security failures for IoT devices includes but is not limited to: 

• Default or weak login credentials
• Improper authentication measures
• Insecure update methods
• Unpatched and or EOL software
• Unencrypted communication protocols transmitting information as “cleartext”
• Accessible debugging and other maintenance services that return sensitive information 
• Improper data wiping (PII and passwords are easily found in devices resold or donated, as Morgan Stanley can attest to)
• Lack of investment or interest in security of the product at all by the manufacturer
• Purposefully introduced security issues from supply chain corruption 

The implications of the list by itself is worrying enough, and when any element of that list potentially applies to every IoT device you may interact with daily (or is continuously connected to the network), the task of security may seem daunting. Consider the following  common or increasingly common potential targets beyond basic networking devices (servers, routers, and access points):

• TVs
• Fax machines
• Printers
• Cameras
• Security systems (panels/some sensor types)
• Thermostats and HVAC systems
• Refrigerators
• Networked vending machines
• Lighting 
• Vacuum units (like roombas)
• Tablets
• Fans
• Thin clients/ devices for customers
• Toasters and microwaves if you’re that futuristic
• Washers and dryers
• Game consoles and remotes
• Speakers/audio devices
• Phones
• PA devices (like alexa)
• Pet-sitting devices
• Treadmills/bikes/workout equipment
• Vehicles
  
  

Securer Things: Cultivating Responsible Use of IoT

With great integration comes great responsibility. For the 18th year running, October is declared to be Cybersecurity Awareness Month. This year’s theme as promoted by CISA and the NCA is “See Yourself in Cyber”. One consideration that this campaign highlights is that every individual has a role in contributing to their security online by, as CISA puts it,  making “smart decisions whether on the job, at home or at school – now and in the future.” 

Taking action as a smart decision maker can occur in a variety of ways. Consider the following recommendations:

1. Set devices to automatically update

Note that many will update themselves regularly, but not all. For those applications and devices that do not automatically update, locating and bookmarking vendor websites will streamline keeping current with critical patches and firmware updates. Remember, do not use a third party website for this.  Take it a step further by setting a calendar reminder to periodically check these, a simple task that could save you a headache down the road. 

 2. Maintain a device and software inventory

This could be as simple as Identifying the device, the OS, version, and the IP/MAC addresses. This simple act will greatly improve monitoring your network in a variety of ways which is covered more in depth here. Regulations on businesses for security controls  should be followed per official documentation. 

3. Enroll in security-focused services

Organizations are recommended to enroll in security and response focused services like those provided by an MDR business, which use powerful security tools (like SentinelOne) to institute endpoint protection for regular monitoring of managed (and to a degree, unmanaged) devices. 

4. Regular audits to identify unused devices

Promptly removing unused devices and properly removing deprecated or unused devices (and applicable accounts) from any network access will help keep your network secure. Ensure that those devices are properly wiped of your data when they are no longer used.

5. Thoroughly review ACLs

Beyond Geo-IP blocking, (which essentially only deters bots and script kiddies),  review ACLs and consider implementing connections from bastion hosts only. This ensures that access to these devices is ONLY allowed through specified internal hosts and users.

 6. Make multi factor authentication mandatory

MFA is a critical piece of internet and password security. Enable it. Require it.

 7. Reference NIST resources for guidance

No cybersecurity recommendation article is complete without specific reference to consulting NIST resources. Their IoT Program offers standards and guidance relevant across industry, agency, and consumer integrations. Further, an older but still relevant NIST  publication dives into incorporating IoT as a safe and responsible member of your household. 

Think: I See Myself in Security

The heart and soul of technology is about easing the burden surrounding tasks and communication. Peacetime innovations such as IoT capable devices should be celebrated as we safely integrate them into our lives, not shrouded in fear or met with repugnance. It will take some time for the hurdles of security integration in IoT development to be overcome, and devices -as well as access to them- will always need to be carefully managed. In that spirit, we would like to leave you with some additional quick-wins for security that go a long way. Let us all truly see our place in cyber no matter our industry, role, or experience. We wish you a happy and informative Cybersecurity Month 2022!