The Internet of Things (IoT), a phenomenon of everyday Internet-connected devices ranging from smart appliances to webcams and routers, is making the lives of companies, governments, and households more efficient and data-driven. However, these devices also present a new vulnerability into the networks they are a part of, creating novel cybersecurity concerns beyond traditional IT equipment. The Cipher Brief spoke with Colin McKinty, the Vice President of Cyber Security Strategy, Americas at BAE Systems, about how IoT devices create yet another attack vector into sensitive networks and what can be done to mitigate the potential harm caused by the inevitable incidence of a breach.
The Cipher Brief: How are criminals able to breach Internet of Things (IoT), devices and what are their intentions once they gain access?
Colin McKinty: There are different routes that criminals can get access to IoT devices. The simplest method is leveraging default passwords that are readily available on the dark web. Consumers that are buying and using these devices can make a difference by using good security practices and changing default passwords.
The second method is actually looking at weaknesses that can be exploited in the software and the hardware themselves. This involves research and reconnaissance—often done by purchasing these devices and experimenting on them to work out how they might be able to circumvent any security that might be there. Then attackers often custom make their own malware to exploit those weaknesses.
TCB: We have seen large-scale distributed denial of service (DDoS) attacks facilitated by botnets of IoT devices that amplify their disruptive capability. Is it possible to mitigate these attacks by changing default passwords or shoring up their hardware?
CM: It is very hard to say with a 100 percent assurance that a company can solve the problem or block the attack vector. The same is true with IoT devices. There is no magic bullet out there that will remove the threat from IoT devices, but we can lessen the impact and make it harder for the attackers. This comes down to educating the consumers about changing default passwords, but it also comes down to the manufacturers to increase their testing and research on their devices to ensure that they can be secured as much as possible.
Also, if a company brings in standard IT equipment or IoT equipment, they need to know where that equipment is coming from and what opportunity there is for malware to be placed on it. There is a due diligence step when buying these devices. Companies have to consider where they are buying equipment from and what risk, if any, that represents to their organization.
Anyone can go to the darknet where there is the commercialization of cybercrime. One doesn’t have to be a high-end hacker or coder anymore to actually mount sophisticated cyber attacks. If they have a credit card, or some way of payment on the dark web, then they can go in and buy a lot of these capabilities—rather than requiring attackers to create them.
Ultimately, attackers are often well funded, smart, and able to get their hands on these devices, and given enough time, it is possible that they will find a way through security measures that are being put in place.
TCB: What kind of impacts do you see coming from breaches in IoT devices?
CM: We know that attackers can be opportunistic. From a commercial perspective, companies are looking to embrace IoT devices to drive forward their business. Consumers want to interact in different ways, and IoT gives another way for a commercial entity to interact with their costumers or prospects. So there is a business opportunity there.
But that business opportunity is also one for would-be attackers. Organizations need to see this as an additional threat vector—whether they are considering threats from insiders, dealing with concerns of DDoS and phishing, or considering how attacks might impact their business. IoT devices simply become another threat vector that companies have to build into their risk calculations.
TCB: We hear a lot about the increasing prevalence of ransomware. Is this a threat that affects IoT devices as well?
CM: Most of the ransomware that we have seen has been about more traditional IT. It has been about encrypting data stores and locking it away so that it is unusable until the ransom is paid. But attackers have to get that malicious code, that ransomware, onto the network in the first place. Therefore, IoT devices connected to a network could be one of many ways that an attacker might try to install ransomware and encrypt important data.
The important thing to understand regarding IoT devices—and the risk they represent—is what devices do companies actually have connected to their networks. What type of devices are they? What access do they have? How are they connected into the network? Once companies understand this, they can analyze what sort of risk that presents if the IoT device is taken over.
For example, if an IoT device is connected to a company’s core network, it can have access to their critical assets. So if that device is taken over by a hacker, it presents a huge potential impact to their core business. It is important for organizations to determine where that device is inside their network and ensure that it only has access to the things that it needs to have access to, limiting the damage it can do if the device is corrupted or taken over in some way.
TCB: A lot of cyber attacks seem to be based on social engineering mechanisms. What are some of the social engineering approaches to breaching IoT devices?
CM: As with most social engineering attacks, it comes down to reconnaissance, where attackers try to find out everything they can about a company or employee by leveraging social media, like LinkedIn and Facebook, and then using that information to communicate with them to gain access to sensitive information, like passwords or user names. For example, there might be a user who is not using a default password and therefore social engineering could be a method to get that password from them to then crack that IoT device.
It is similar to phishing. If we think about phishing as another attack vector for organizations, the social engineering and reconnaissance phase plays a really important role. This goes back to educating people on how to look at their emails, whether they are employees, an organization, or just general consumers.
Historically, companies often adopted the approach to security where if they build their walls thick and high with the hope that they can hide behind them. But the reality of the situation—not just because of IoT, but also other attack vectors—if someone really wants to get inside your organization, they will absolutely find a way to get in. From a security perspective, this means we need to strengthen capabilities around monitoring inside company networks—as well as on end-point devices—to find extraneous activity. But companies also then need to be able to respond to that activity as quickly as possible. These two capabilities are described as the time-to-know and the time-to-respond. A lot of breaches go undetected for a significantly long time, and the longer an attacker is inside a company’s network, generally the more damage they can do.
This is also true if we introduce these new type of attack vectors through IoT—using that as a way to get into a network—companies still have to have the capability to find them, respond to what they are doing, and prevent harm to their critical assets. This is how companies should think about how to deal with IoT devices—not just directly with it at the IoT device or through network segmentation—but also look more broadly at their security capabilities, including internal network and end-point monitoring.
Reducing that time-to-know and time-to-respond is fundamental to managing risk.