While walking down the street the other day, I saw something that at first struck me as funny: a technician in an orange vest was messing around with a junction box on a pole that carried multiple devices, including street cameras, traffic lights, wireless communication equipment, and solar panels. He seemed to be accessing the traffic lights, but in reality, he could have been hacking the cameras, the local switches or any other equipment that was installed on that pole. This happened in broad daylight, yet nobody thought to ask the guy what he was doing.
After all, he was wearing an orange vest!
It dawned on me that this is exactly how cyber breaches begin — through a seemingly innocent person hacking a device and obtaining access to the network. This scenario is less likely to occur at an enterprise since most enterprises have gates, guards and an access control system that prevents outsiders from messing with local equipment. However with IoT, it is very likely.
The IoT Ecosystem is Complex
IoT devices are designed to be deployed in large quantities, perform basic functions and send data back to the cloud. They are usually provided “as a service“ for a customer and, as such, are not owned, installed and maintained by that customer. More often than not, IoT devices are specified and bought (or manufactured) by one party, installed by another, and then operated and maintained by a third entity. This is very different from traditional IT, in which an enterprise IT department buys, installs and manufactures its own equipment (sometimes with the help of the manufacturer).
Having different stakeholders increases the chances of creating security vulnerabilities. For instance, a customer might like to purchase an IoT device. He’s interested in performance, reliability and cost, so he’s less likely to explicitly specify security requirements for the device. The integrator who bids for the projects wants to maximize profits and offer the cheapest IoT devices possible (sometimes they will buy off-the-shelf components and install them in a casing, creating an “ad-hoc” IoT device). This process encourages using less secure components, often from an unverifiable source.
Once purchased, the integrator usually uses a smaller contractor to install the devices. These “technician joes” are not proficient in security. They will install and connect the device, test its connection, and that’s it. They are not aware of complex security configurations and often leave the devices open to the Internet — sometimes, even with default credentials. For instance, if a technician connects a device to a local switch, but leaves other ports open, the ports allow intruders to access the network.
Mission Impossible Hacking Style? Not Quite
The problem worsens when a malfunctions occurs or when routine maintenance is required. Another technician will access the device, run diagnostics or connect a laptop to the network, exposing the device to external threats. With more devices installed in public places, it is not uncommon to see such technicians accessing connected devices. This can lead to complacency, which enables sophisticated attackers to masquerade themselves (wear blue overalls and an orange jacket) and physically access a device or network equipment. If the device or local communication equipment has not been properly configured and hardened, then such an attacker could easily use this as an entry point and access the entire network. Even non-malicious technicians could be a threat: What’s to stop a technician from remotely accessing a device such as a security camera and viewing the video feed from his home?
With IoT service providers currently having zero visibility into the security of their devices, such an intrusion could lead to the infection of multiple devices without anyone realizing it until it is too late.
The IoT ecosystem is fragmented and will continue to remain so for the near future. With little ability to control the quality of devices, including their installation and maintenance, IoT service providers must change their mindset to “Security Monitoring by Design.” In other words, the need IoT security monitoring solutions that will enable them to detect, in real-time, abnormalities and hacking attempts — and even identify simple configuration errors that could lead to greater misery down the road.