IoT. Is one called an Internet of Thing?

In several recent engagements, we came across some IoT (Internet of Things) devices within client networks. There’s a growing presence of these ubiquitous devices within corporate environments. They measure, they detect, they capture, they sense. Then they send the info to some app on your phone.

These devices make life easier. Safer. More convenient. Often they make something accessible that simply was not before.

But there can be risks. I’ve always held the belief that security has an inverse relationship with accessibility. The more doors a building has, the easier it is to get inside. That convenience serves the authorized people who hold keys, but each additional door is also one more lock a burglar can pick.

The introduction of IoT devices that expose assorted services to the public Internet is similar. Each exposed service is an entryway into the device, and from there into your internal network. These entryways have been the source of data breaches over the years: an aquarium thermometer was the gateway for a data breach into a casino several years ago. Point-of-sale (PoS) devices may not technically be called Internet of Things, but they are similar in that they serve one main function over Internet connectivity.

Each of the above incidents came down to an attacker gaining a foothold on a device built for a single function. The device may or may not have had an unpatched web server vulnerable to SQL injection or cross-site scripting; it may or may not have accepted weak, easily brute-forced passwords. Whatever the initial vector, these breaches succeeded because, after the Internet-facing device was compromised, further access into the internal network was possible from the IoT or PoS device. There were no firewalls and no internal segmentation to block access to servers from these devices.

Segmenting networks makes a lateral move across the internal network more difficult. PCI DSS strongly recommends segmentation and, where it is used to “isolate the cardholder data environment from other networks”, requires a penetration test to verify that the segmentation methods are operational and effective, rather than a cursory review of the controls. The same discipline applies to an IoT segment: put the devices on their own VLAN behind a firewall that permits only the flows they actually need (typically outbound to the service they report to), and then test from inside that segment that nothing else is reachable.
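The kind of check a segmentation pentest boils down to, as an added example that is not code from the original post: from a host on the IoT segment, attempt a TCP handshake to each host the policy says should be isolated and flag every result that contradicts the policy. The addresses, ports and policy below are constructed for illustration; the `prober` parameter is injectable so the comparison logic can be exercised without network access.

```python
# Segmentation check run from a host on the IoT segment: try a TCP handshake to
# every target in the policy and report reachability that contradicts it.
# Added example, not code from the original post. The addresses, ports and
# policy below are constructed for illustration; replace them with your own.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    allowed: bool   # True if policy permits the IoT segment to reach host:port
    note: str = ""


# Constructed sample policy: the sensors may talk to their MQTT broker and
# nothing else in the corporate or cardholder segments.
SAMPLE_TARGETS = [
    Target("10.20.0.10", 8883, True,  "MQTT broker the devices report to"),
    Target("10.10.0.5",  445,  False, "file server, corporate segment"),
    Target("10.10.0.20", 1433, False, "database server, cardholder segment"),
    Target("10.10.0.50", 3389, False, "jump host RDP"),
]


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP handshake completes. Refused, timed out, no route,
    or a socket the OS will not let us open all count as 'blocked'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_findings(results: Dict[Tuple[str, int], bool],
                          targets: List[Target]) -> List[Tuple[str, int, str]]:
    """Compare observed reachability with policy.
    VIOLATION: reachable although policy says blocked (a segmentation gap).
    UNEXPECTED_BLOCK: blocked although policy allows it (a broken rule, worth
    fixing before someone 'fixes' it with an any/any)."""
    findings = []
    for t in targets:
        reachable = results[(t.host, t.port)]
        if reachable and not t.allowed:
            findings.append((t.host, t.port, "VIOLATION"))
        elif not reachable and t.allowed:
            findings.append((t.host, t.port, "UNEXPECTED_BLOCK"))
    return sorted(findings)


def run(targets: List[Target],
        prober: Callable[[str, int], bool] = probe_tcp) -> List[Tuple[str, int, str]]:
    """Probe every target and return the findings. `prober` is injectable so
    the policy comparison can be tested without touching the network."""
    results = {(t.host, t.port): prober(t.host, t.port) for t in targets}
    return segmentation_findings(results, targets)


if __name__ == "__main__":
    for host, port, kind in run(SAMPLE_TARGETS):
        print(f"{kind:16} {host}:{port}")
```

A TCP connect is the minimum; a fuller test also probes UDP services and ICMP, and repeats the run after every firewall or VLAN change, since that is when segmentation quietly breaks.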

Furthermore, if the IoT network has a wireless access point, be cautious if it is secured with a Pre-Shared Key (PSK). Whenever someone who knows the PSK leaves the organization, it needs to be changed. Disgruntled former employees are a recurring source of data breaches because of the knowledge they retain of an ex-employer’s network. PSKs should be strong, and they should be rotated on a schedule, not only when someone leaves. Where the devices support it, WPA2-Enterprise (802.1X with per-user or per-device credentials) removes the shared secret altogether: revoking one account does not require reconfiguring every device.
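Why a guessable PSK matters, as an added example that is not code from the original post: WPA2 derives the 256-bit pairwise master key from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, and once an attacker has captured one 4-way handshake every guess is an offline computation. The block derives the PMK the way the standard does, runs the guess loop against a constructed wordlist, and generates a replacement passphrase from a CSPRNG. The SSID `corp-iot`, the passphrases and the wordlist are all constructed for illustration.

```python
# Why a guessable WPA2 PSK is a problem, and what a strong one looks like.
# Added example, not code from the original post. The SSID, passphrases and
# wordlist are constructed for illustration.
import hashlib
import math
import secrets
import string
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11 passphrase-to-PSK mapping: the 256-bit PMK is
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Every device with the passphrase derives the same PMK, which is why one
    leaked passphrase exposes the whole network until it is changed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """The offline guess loop an attacker runs after capturing a 4-way
    handshake. A real cracker checks the handshake MIC (derived from the PMK);
    comparing PMKs directly shows the same per-guess cost of 4096 HMACs."""
    for guess in wordlist:
        if derive_pmk(guess, ssid) == target_pmk:
            return guess
    return None


# Printable ASCII subset that is safe to type into most device UIs.
PSK_ALPHABET = string.ascii_letters + string.digits + "-_.~!@#%^"


def generate_psk(length: int = 32) -> str:
    """Random passphrase from a CSPRNG. WPA2 passphrases must be 8..63
    printable ASCII characters; 32 from this 71-symbol alphabet is about
    197 bits, far beyond any wordlist or mask attack."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase length must be 8..63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(length: int, alphabet: str = PSK_ALPHABET) -> float:
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(len(alphabet))


# Constructed wordlist of the kind of passphrases found on IoT SSIDs.
SAMPLE_WORDLIST = ["welcome1", "Summer2019", "iotsensors", "Password1!",
                   "changeme", "building4", "sensors2020"]
SAMPLE_SSID = "corp-iot"


if __name__ == "__main__":
    weak = derive_pmk("Summer2019", SAMPLE_SSID)
    print("weak PSK recovered:", dictionary_attack(weak, SAMPLE_SSID, SAMPLE_WORDLIST))
    strong = generate_psk()
    print("strong PSK:", strong, f"({psk_entropy_bits(len(strong)):.0f} bits)")
    print("strong PSK recovered:",
          dictionary_attack(derive_pmk(strong, SAMPLE_SSID), SAMPLE_SSID, SAMPLE_WORDLIST))
```

Note that the SSID is the salt: a network named after the vendor or the building lets an attacker precompute PMKs for common passphrases before ever visiting. A strong PSK fixes the guessing problem but not the sharing problem; only rotation, or moving to WPA2-Enterprise, addresses a passphrase that has already walked out of the door.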

IoT devices are everywhere. They already outnumber us, and the gap is growing exponentially. By 2025, it is estimated there will be 8 IoT devices for every human alive. They need to be secured and treated as devices susceptible to attack, and as potential gateways for, or sources of, an attack.

Resources:
https://resources.infosecinstitute.com/pentesting-pci-dss-compliance-6-key-requirements/#gref