What isn’t an Internet of Things device these days?! Companies are literally flooding the consumer market with smart chip-equipped devices you can control with your iPhone or Android (which themselves are equipped with smart chips – sigh!). Smart bike locks, smart egg trays, smart water bottles, smart dental floss dispensers, smart baby-changing pads!! These are all real devices.
What’s next?! Smart bicycle seats? Smart toenail clippers? Smart butter boxes? Smart golf balls? Actually, I kinda like that one. After I hit a smart ball it could tell me where it was, how fast the club was going when I hit it, which way it was spinning, all kinds of little things that really don’t matter much, but that you love to know.
The rub is that almost any of these devices may be a conduit that lets attackers hack their way into your network… your computer… your bank accounts… your life! The same is true for businesses. Maybe it’s the smart coffee pot in the break room, or the smart TV monitor in the Boardroom, or the smart device controller on the CEO’s desk. You may scoff at the danger, and I don’t blame you really. But I see things every day on our threat intelligence engine that challenge one’s credulity.
Here is an item from this week’s feed about how it’s possible to exfiltrate user data covertly using smart light bulbs. Researchers Anindya Maiti and Murtuza Jadliwala from the University of Texas studied how LIFX and Philips Hue smart bulbs receive their commands for playing visualizations into a room and developed a model to interpret brightness and color modulations occurring when listening to music or watching a video. They can use this to exfiltrate data from personal devices. They can also use this to determine multi-media preferences by recording luminance patterns.
In another article this week, it was reported that Mirai botnet variants were increasingly being developed to take advantage of IoT devices. They are upping the malware’s ability to run on different architectures and platforms. At the end of July, a live remote server was identified hosting multi-platform malware that sequentially tries downloading and executing executables until a binary compatible with the current architecture is found.
One of the reasons attackers are targeting IoT devices so vigorously is because of the industry itself. Manufacturers are developing products and shoving them into the marketplace so quickly that little proper security planning is being done. Most of the products on the market are not receiving patches and updates, even against well-known exploits that exist in the wild right now.
In my opinion, it’s time to wake up to the reality of what we are doing and apply proper security mechanisms to these devices; they should be treated like any other network device with an IP address. First, don’t connect your devices to the Internet unless you need to. The fact that your coffee pot and washing machine are capable of being run over the Internet is no reason to actually do so.
Next, if you really want to control a device remotely, make sure you are the only one that can access it. Change any default access credentials you can. Use strong passwords, and if you are really with it, apply multi-factor authentication to devices.
Ensure that you keep track of any updates that are available for device firmware and software and apply them to your own devices. Also make sure you keep yourself aware of any known vulnerabilities that can affect your devices. In addition, ensure that the device is configured as securely as possible. The rule of thumb is to turn off everything you can, and then only enable those features that you actually want.
Monitor these devices. Apply security monitoring software to them if you can. If not, monitor the devices yourself. Check the logs and see who/what is trying to touch your devices and if there has been any success. Also, consider making a special network segment just for IoT devices that has no direct connection to your other networks.
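The steps above (default credentials, multi-factor authentication, firmware currency, turning off what you don't need, and reading the device's own logs against a dedicated IoT segment) can be turned into a small audit. The script below is an added example, not code from the post or from any vendor; the device record, the "known default" credential pairs, the firmware release list, the log format and the 192.168.50.0/24 IoT VLAN are all constructed placeholders, and the 12-character password floor is an assumed rule of thumb.

```python
"""Audit a smart device's configuration and access log against the
hardening steps in the post: no default or weak credentials, MFA on
remote access, no unneeded services, current firmware, and a watch on
who is touching the device from outside its own network segment."""
import ipaddress
import re

# Constructed sample data (not from any real product). The default
# credential pairs stand in for a vendor's documented defaults; the
# firmware table stands in for a vendor's release list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
LATEST_FIRMWARE = {"smartbulb-x1": "2.4.1"}
MIN_PASSWORD_LEN = 12  # assumed rule of thumb, not a vendor requirement

# Device as it shipped: default login, telnet and UPnP left on, old firmware.
SAMPLE_DEVICE = {
    "model": "smartbulb-x1",
    "firmware": "2.3.0",
    "username": "admin",
    "password": "admin",
    "services": {"telnet": True, "upnp": True, "https": True, "ssh": False},
    "needed_services": {"https"},
    "remote_access": True,
    "mfa": False,
}

# The same device after applying the post's advice.
HARDENED_DEVICE = {
    "model": "smartbulb-x1",
    "firmware": "2.4.1",
    "username": "lampadmin",
    "password": "correct-horse-battery-lamp-42",
    "services": {"telnet": False, "upnp": False, "https": True, "ssh": False},
    "needed_services": {"https"},
    "remote_access": True,
    "mfa": True,
}

# Constructed access log in an assumed "key=value" line format.
SAMPLE_LOG = """\
2018-08-03T10:14:02 auth user=admin src=192.168.50.10 result=success
2018-08-03T10:20:41 auth user=admin src=203.0.113.77 result=failure
2018-08-03T10:20:43 auth user=admin src=203.0.113.77 result=failure
2018-08-03T10:20:46 auth user=root src=203.0.113.77 result=success
2018-08-03T11:02:19 auth user=admin src=192.168.50.22 result=success
"""
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT-only VLAN

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def version_tuple(version):
    """Turn '2.3.0' into (2, 3, 0) so firmware versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_config(dev):
    """Return a list of hardening findings; an empty list means all checks pass."""
    findings = []
    if (dev["username"], dev["password"]) in KNOWN_DEFAULTS:
        findings.append("default credentials still in use")
    elif len(dev["password"]) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if dev["remote_access"] and not dev["mfa"]:
        findings.append("remote access enabled without multi-factor authentication")
    # Turn off everything, then enable only what you actually want.
    for name in sorted(dev["services"]):
        if dev["services"][name] and name not in dev["needed_services"]:
            findings.append(f"unneeded service enabled: {name}")
    latest = LATEST_FIRMWARE.get(dev["model"])
    if latest and version_tuple(dev["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {dev['firmware']} behind latest {latest}")
    return findings


def check_log(log_text, trusted_net):
    """Pick out auth events whose source is outside the IoT segment, and
    separately the ones that succeeded (the lines worth acting on first)."""
    outside = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines in an unexpected format rather than crash
        src = ipaddress.ip_address(match["src"])
        if src not in trusted_net:
            outside.append((match["ts"], match["user"], str(src), match["result"]))
    successes = [event for event in outside if event[3] == "success"]
    return {"outside_attempts": outside, "outside_successes": successes}


if __name__ == "__main__":
    for label, dev in (("as shipped", SAMPLE_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(f"{label}: {check_config(dev) or ['no findings']}")
    report = check_log(SAMPLE_LOG, IOT_SEGMENT)
    print(f"{len(report['outside_attempts'])} auth attempts from outside the IoT segment,"
          f" {len(report['outside_successes'])} succeeded")
```

Run it as-is to see the shipped device fail every check and the hardened one pass, and to see that the log contains a successful login from outside the IoT segment, which is exactly the kind of line the post says to look for. Swap in your own device's real log format by adjusting LOG_RE.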
I know that most of you are groaning right now. I’m sure you already have plenty of tasks and considerations to occupy your time. But if you want the conveniences and the bells and whistles provided by smart devices, you need to pay the bill.