Greetings, and welcome. This week, a look at some research conducted earlier this year that you may have missed and that underscores recent reports of IoT-borne cybersecurity threats. One survey finds serious and easily exploitable cybersecurity risks in almost every available type of IoT device. Another attempts to scope the risk – and highlights the lack of control managers have over it. As always, your thoughts, reactions, and suggestions welcome. Just send a quick email to firstname.lastname@example.org. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.
Your IoT Device Delivered to a Botnet – in 30 Minutes or Less
What Happened: Researchers at Israel’s Ben-Gurion University (BGU) bought more than a dozen off-the-shelf IoT devices to see how difficult it was to hack them. The results, announced in March, were disturbing.
- As TechRepublic reported, BGU researchers set out to determine how hard it is to discover the passwords, connections, and other information within an off-the-shelf connected camera. They found they could discover the camera’s default password and active services within 30 minutes of opening its box. They also found that the discovered information could be used to ensnare “all the cameras of the same make and model into a botnet.”
- The research team ultimately purchased 16 different connected devices, including baby monitors, doorbells, cameras, and temperature sensors. They were able to discover the default password of 14 of these devices.
- When many IoT devices are being built, developers and engineers test them via circuit board connectors called debug ports. To keep costs down, manufacturers often leave these ports in place when devices go into production. Access to that port provides what one BGU researcher called “backstage access” to a device – and all those like it.
- Once one device in a particular class has been compromised, others like it can be attacked and compromised remotely. And unlike computers and smartphones, many IoT devices sit undisturbed for months or years once installed and deployed. This means that few are likely to receive firmware updates or software patches that curtail or eliminate their vulnerabilities.
What It Means: IoT devices designed primarily for consumer deployments can be found in many offices and industrial facilities today. (Any connected appliances in your break room at work? How about security cameras watching your doors or loading docks?) And most of these include woefully inadequate security features.
What You Should Do: Include specific protection requirements in your rules and guidelines for connected devices at your organization. Implement tools and processes that get and keep your inventory of connected devices accurate, complete, and up to date. Seek out and try to deploy only those connected devices that incorporate robust security and receive at least occasional software updates from their makers. There is no IoT feature your organization needs badly enough to put the entire organization’s cybersecurity at risk.
Survey: Risk Pros Know IoT Devices Are Vulnerable to “Catastrophic” Incident, Yet Many Do Little to Defend Their Organizations
What Happened: A survey of risk and governance professionals finds them all too aware of the risks posed by their IoT deployments. The same survey indicates that many of those same professionals have little to no control over, or management of, those risks.
- As TechRepublic reported in March, Ponemon Institute, supported by Shared Assessments, surveyed 605 professionals “who participate in corporate governance or risk oversight activities.” Shared Assessments, formed by leading global banks and financial services firms, focuses on third-party and vendor risk management.
- Among survey respondents, “97% said a security incident related to unsecured IoT devices could be ‘catastrophic’ for their organization. Another 60% expressed concerns that their businesses’ IoT ecosystems are vulnerable to a ransomware attack.”
- The risk is real and relatively imminent, according to survey respondents. “81% said that a data breach caused by an unsecured IoT device is likely to occur in the next 24 months.”
- While “46% said they have a policy in place to disable an IoT device that could pose a risk to their organization,” “Only 15% of those surveyed said they have an inventory of most of their IoT applications.” In addition, “Only 45% of respondents said they believe it’s possible to keep an inventory of IoT devices. Of that 45%, only 19% said they actually have an inventory of at least half of their devices.”
- What’s making IoT device inventories so difficult? According to 88 percent of survey respondents, the lack of centralized security control was a primary reason for not creating a full inventory.
- Dealing with business partners isn’t helping any, either. “Nearly two-thirds of respondents (60%) said their company has a third party risk management program. While more than half said they rely on contractual agreements to mitigate any third party IoT risk, only 26% said they actually evaluate the IoT risk of third parties in their due diligence process.”
- All of this uncertainty is increasingly challenging as IoT devices proliferate in business environments. “The average number of IoT devices in the workplace is expected to increase to 24,762 devices—up from 15,874 last year.”
What It Means: Numbers from other research have shown that many business decision makers don’t even have a clear idea of how many IoT devices populate the networks at their organizations. (See “TWiTIoT: This Week in The Internet of Things – Government Moves and Shadow IoT Threats.”) The research cited above offers additional insights into just how little knowledge of and control over IoT devices risk and governance professionals really have.
What You Should Do: You can’t secure what you can’t see and don’t know about. If your organization lacks adequate tools and processes to discover, map, and know what’s connected to its networks, directly and via third parties, there’s likely trouble ahead. Do whatever you can to add those tools and processes before that trouble arrives at your organization.
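As an added example (not from this newsletter, nor from the BGU or Ponemon work it cites), here is a small Python policy check over a constructed device inventory that implements the advice in both “What You Should Do” sections: it flags units still on default credentials, units whose vendor ships no updates, and units with stale firmware, and, because one compromised unit exposes every sibling of the same make and model, it reports exposure per model line. The record schema, the one-year threshold, and the device and model names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Inventory record for one connected device (assumed schema, not from the newsletter).
@dataclass
class Device:
    name: str
    make_model: str
    default_password_changed: bool
    last_firmware_update: Optional[date]  # None = never updated since deployment
    vendor_ships_updates: bool

MAX_FIRMWARE_AGE_DAYS = 365  # assumed policy threshold for "stale" firmware

def assess(device: Device, today: date) -> list:
    """Return the policy findings for one device; an empty list means it passes."""
    findings = []
    if not device.default_password_changed:
        findings.append("default credentials still in use")
    if not device.vendor_ships_updates:
        findings.append("vendor provides no software updates")
    if device.last_firmware_update is None:
        findings.append("never updated since deployment")
    elif (today - device.last_firmware_update).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than policy threshold")
    return findings

def disable_candidates(inventory, today):
    """Devices that a disable-on-risk policy (the 46% item above) should act on."""
    return [d.name for d in inventory if assess(d, today)]

def fleet_exposure(inventory, today):
    """Group by make/model: a finding on one unit exposes every sibling of that model."""
    flagged_models = {d.make_model for d in inventory if assess(d, today)}
    exposure = {}
    for d in inventory:
        if d.make_model in flagged_models:
            exposure.setdefault(d.make_model, []).append(d.name)
    return exposure

# Constructed sample inventory; device names and make/model strings are placeholders.
INVENTORY = [
    Device("cam-lobby", "ExampleCam X1", False, date(2025, 3, 1), True),
    Device("cam-dock", "ExampleCam X1", True, date(2025, 3, 1), True),
    Device("therm-01", "ExampleTherm T2", True, None, False),
    Device("bell-front", "ExampleBell D9", True, date(2025, 6, 1), True),
]
TODAY = date(2025, 9, 1)  # fixed reference date so results are reproducible
```

Running `disable_candidates(INVENTORY, TODAY)` returns the two units to pull, while `fleet_exposure` shows that the clean `cam-dock` still shares its model line’s exposure with `cam-lobby`.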