An unprecedented collaborative effort is vital to stop the plundering of IoT systems
The Internet of Things (IoT) has come a long, long way since precocious students at Carnegie Mellon University installed micro-switches inside of a Coca-Cola vending machine so they could remotely check on the temperature and availability of their favorite beverages.
That was back in 1982. Since then, IoT devices have become widely and deeply integrated into our homes, businesses, utilities and transportation systems. This has brought us many benefits. And yet our pervasive deployment of IoT systems has also vastly expanded the cyber attack surface of business networks, especially in just the past few years.
And now Covid-19 is having a multiplier effect on these rising IoT exposures. Nine months into the global pandemic an ominous dynamic is playing out. Remote work and remote schooling have spiked our reliance on IoT systems to a scale no one could have predicted; and much of this sudden, dramatic increase is probably going to be permanent. In response, threat actors are hustling to take full advantage.
This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.
However, this will require a concerted, proactive effort by the business community — enterprises and small- and mid-sized businesses alike. Individual citizens, consumers and workers have a big role to play as well. Each one of us will have to cooperate and make sacrifices. A lot is at stake. Here’s what all companies and individuals should fully grasp about our IoT systems under attack, post Covid-19.
The mainstreaming of IoT
IoT very clearly has gone mainstream. We’ve surrounded ourselves with embedded sensors continually transmitting data across the internet. IoT devices help remotely control our household appliances, power plants, smart buildings, factories, airports, shipyards, trucks, trains and military.
And we’re just getting started. On the immediate horizon, IoT systems will bring us autonomous vehicles and something called “digital twins” – virtual representations of physical objects infused with artificial intelligence. I recently heard Dr. Joe Alexander, a distinguished scientist at NTT Research, describe the astounding work he’s doing on a digital twin of a human heart that someday will crunch data to help diagnose and treat cardiac disease.
The challenge of the moment is that many companies already have their hands full trying to improve their security posture as they migrate their legacy, on-premises IT systems to the cloud. IoT risks have been a low-priority, subset concern. But now Covid-19 has shoved IoT exposures to the front burner.
“Too often we see companies with strong security policies and tools to protect employee corporate-owned endpoints lacking any security oversight for IoT and mobile devices,” Chris Sherman, senior industry analyst at Forrester told me.
Sherman opines that there is a huge IoT visibility gap that must be narrowed. I agree. Most companies have only a vague sense of all of the IoT sensors tied into their networks, and each device represents an access path beckoning intruders. The shutdown of businesses and schools due to Covid-19 added a sudden influx of tens of millions more consumer IoT devices connecting to corporate networks, intensifying this exposure.
A candy store for hackers
A recent Forrester workforce survey showed that by mid-2020, 58 percent of corporations worldwide had at least half of their employees working from home, where an average of 11 devices lurk – connected to the internet. You can add to this all of the schools, colleges and universities forced by the pandemic to conduct classes remotely.
“We have an expansion of the number of devices in the IoT ecosystem, and we also have an increase in the time that consumer IoT devices are spending on the same network as work devices,” Sherman says.
To malicious hackers, it’s like getting dropped off at a candy store that’s giving away free treats. The operating systems of home IoT devices today typically get shipped with minimal logon security. Hacking collectives are very proficient at “exploiting weak authentication schemes to gain persistence inside of a targeted network,” Sherman says. “Once they gain a foothold, they can move laterally and gain access to other enterprise assets.”
IoT-enabled attacks on home and business IT networks are not just theoretical; they have been steadily escalating for at least the past three years.
The infamous Mirai botnet self-replicated by seeking out hundreds of thousands of home routers with weak or non-existent passwords. From there Mirai spread voraciously between other types of consumer IoT devices, as well as corporate computers. Mirai ultimately was used to carry out massive Distributed Denial of Service (DDoS) attacks.
IoT botnets today continue to carry out DDoS attacks and also routinely get deployed to distribute Banking Trojan malware as well as to carry out Man In The Middle (MITM) attacks. The VPNFilter botnet, for instance, compromised weakly protected home routers, which were then directed to steal logons from employees as part of go-deep breaches of targeted companies.
The breach of a CFO’s home smart speaker
Through the course of 2020, IoT-enabled attacks have manifested new wrinkles. In one very recent caper, the attackers targeted the CFO of a financial services firm, as he worked from home, Sherman says. The attackers successfully got a foothold on the exec’s MacBook. But try as they might, they were unable to achieve their main goal, which was to gain control of the MacBook’s microphone.
So they did the next best thing instead; they located and took control of a smart speaker tied into the exec’s home network via a Bluetooth connection. With control of the exec’s smart speaker secured, the attackers were able to achieve their objective to eavesdrop on the CFO’s private conversations.
This is a sign of IoT attacks to come. We’ve embedded helpful IoT devices in household appliances, environmental controls, health trackers, media and gaming devices, surveillance cams, building access systems, medical devices, even connected cars. Clearly motivated hackers are going to continue plundering these fresh attack vectors.
“Sometimes we don't even realize how many of our devices today have audio and video recording capabilities,” Sherman says. “Concern for IoT-assisted types of attack is especially high in the healthcare sector, where you have a lot of HIPAA-protected conversations being picked up by home devices.”
Mike Nelson, vice president of IoT security at DigiCert, pays very close attention to the systemic vulnerabilities of IoT systems deployed by the healthcare sector. DigiCert is a leading supplier of digital certificates and related security services. It’s Nelson’s job to help companies address IoT risks – but he also has a very personal stake. As a Type 1 diabetic, Nelson continually gets readings on his smartphone transmitted from an IoT device he wears on his leg that continually monitors his blood sugar level.
A hacker mucking around, for whatever reasons, could purposefully or inadvertently alter or disrupt data flowing to such systems, with potentially devastating impact on diabetics like Nelson. The same holds true for any patient getting critical care, for any type of illness, that relies on data routed through IoT-enabled systems.
“Hospitals are onboarding data from wireless infusion pumps that provide critical treatments to patients,” Nelson observes. “These pumps connect to many different systems, including the network. If left unsecured, a malicious actor could come into the hospital, discover the device on the network, and take control of the device – potentially infusing lethal medication into a patient.”
Automatic trust is no longer an option
IoT system intrusions present a clear and present danger beyond the healthcare sector, of course. Companies of all sizes and in all sectors are exposed, as long as they utilize weakly configured IoT systems to make critical operational decisions, remotely and in real time.
“Inventory trackers, temperature controls, or any type of IoT device that is gathering actionable data are at risk of an attack,” Nelson says. “The hacker either embeds malware on the device causing it to report inaccurate values, or, the hacker performs a man in the middle attack and manipulates the values as they are passed from the device.”
Because IoT systems have gone mainstream without paying enough attention to security – and especially now as usage of IoT systems is spiking, due to Covid-19 – companies across the board need to make a hard pivot. Gaining visibility of all IoT devices needs to become a top priority. This will naturally lead to implementing more robust identity and access management (IAM) controls and much closer monitoring of sensitive data flowing through IoT systems.
“Organizations need to move away from automatically trusting a device,” Nelson says. “They need to know what devices are connected to their network and then make trust decisions based on where the device is coming from and what the device is doing; assessments need to be continually made about the value a device is adding and the risk a device presents.”
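The two failure modes Nelson describes (a compromised device reporting bogus values, or values altered in transit) and the remedy he and Sherman point to (know which devices are enrolled, and judge each reading on its own merits rather than trusting the device automatically) can be shown in a small gateway-side check. The following is an added example, not code from DigiCert, Forrester or the author; the device registry, keys and readings are constructed for illustration, and a per-device HMAC key stands in for the device certificates a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed registry of enrolled devices. In a real deployment the key would be
# derived from a per-device certificate; here a shared secret keeps the example offline.
DEVICE_REGISTRY = {
    "pump-0417": {"key": b"constructed-secret-0417", "metric": "ml_per_hour", "range": (0.0, 500.0)},
    "temp-0102": {"key": b"constructed-secret-0102", "metric": "celsius", "range": (-30.0, 60.0)},
}
MAX_SKEW_SECONDS = 60   # readings older or newer than this are rejected as stale


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so device and gateway sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, key: bytes, metric: str, value: float, ts: int) -> dict:
    """What the device sends: the reading plus an HMAC-SHA256 tag over it."""
    payload = {"device_id": device_id, "metric": metric, "value": value, "ts": ts}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_reading(message: dict, now: int, seen_tags: set) -> tuple:
    """Gateway-side trust decision. Returns (accepted, reason)."""
    payload = message.get("payload", {})
    entry = DEVICE_REGISTRY.get(payload.get("device_id"))
    if entry is None:                       # not enrolled: no automatic trust
        return False, "unknown device"
    expected = hmac.new(entry["key"], canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return False, "bad signature"       # altered in transit (MITM) or forged
    if abs(now - payload["ts"]) > MAX_SKEW_SECONDS:
        return False, "stale"
    if message["tag"] in seen_tags:
        return False, "replay"              # a valid old reading resent
    seen_tags.add(message["tag"])
    lo, hi = entry["range"]
    if payload["metric"] != entry["metric"] or not (lo <= payload["value"] <= hi):
        return False, "implausible value"   # well-signed, but the device itself may be lying
    return True, "ok"


def run_demo() -> dict:
    """Feed constructed readings through the check and return the verdict for each case."""
    now = 1_700_000_000
    seen = set()
    key = DEVICE_REGISTRY["pump-0417"]["key"]
    good = sign_reading("pump-0417", key, "ml_per_hour", 120.0, now)
    # Value changed after signing: the tag no longer matches.
    tampered = {"payload": dict(good["payload"], value=9999.0), "tag": good["tag"]}
    # Correctly signed by the device, but far outside what this pump can deliver.
    lying_device = sign_reading("pump-0417", key, "ml_per_hour", 9999.0, now + 1)
    stale = sign_reading("pump-0417", key, "ml_per_hour", 120.0, now - 600)
    rogue = sign_reading("rogue-01", b"attacker-key", "ml_per_hour", 120.0, now)
    results = {
        "valid": verify_reading(good, now, seen),
        "tampered_in_transit": verify_reading(tampered, now, seen),
        "replayed": verify_reading(good, now, seen),
        "lying_device": verify_reading(lying_device, now, seen),
        "stale": verify_reading(stale, now, seen),
        "unenrolled_device": verify_reading(rogue, now, seen),
    }
    return results


if __name__ == "__main__":
    for label, (accepted, reason) in run_demo().items():
        print(f"{label:20s} accepted={accepted} ({reason})")
```

The signature check catches manipulation in transit, but a signature alone cannot catch a device whose firmware has been tampered with, which is why the plausibility check on the value sits behind it; that second step is the "assessment of the risk a device presents" made reading by reading, rather than a one-time decision at enrollment.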
This is not just all up to the company. Employees working remotely must assume a level of responsibility and do what they can – from here on out – to improve the security posture of IoT devices and their home networks.
Yes, this means more work and less convenience at the individual level. Each one of us, in effect, must assume the role of security technician and security auditor for each of our home IoT systems. This can entail things like learning how to change weak default passwords on our home routers and other IoT gadgetry; using multi-factor authentication as widely as possible; and more rigorously practicing secure, if sometimes tedious, password management habits. This includes refraining from using a work email to sign up for random online accounts or web apps. Each one of us actually needs to start paying close attention to our digital footprint.
A larger security role for employees
Companies can help workers by providing effective training; plenty of robust security training tools and services are out there. What’s been in short supply is leadership to proactively foster a security culture, from the board room on down. Going forward, a truly collaborative effort between management and line staff is going to have to gel. Forrester polled more than 10,000 IT workers for its workforce survey, conducted this past summer, and found 54% of employees prefer to handle security on their own, while the rest either aren’t sure or prefer their employer to take care of it.
“While the employees must follow the policies laid out by their employer’s security team, ultimately it is going to be up to the enterprise to adapt to the employee’s network, rather than the other way around,” Sherman says. “This is why it is important to build employee training for consumer IoT devices into security awareness training programs.”
For instance, a couple of progressive hospitals recently enacted policies requiring all clinicians to disable any smart speakers in any room they happen to be in while delivering virtual care; this is part of training them about best security practices for IoT devices. The aim is to help assure that the clinicians aren’t verbally sharing protected health information over nearby IoT devices that might be hacked.
2020 has been a year of tumultuous, unimaginable developments. And it’s not over yet. Perhaps the sudden spike in work-from-home and schooling-from-home scenarios will jolt companies and consumers into pulling together on cybersecurity. I hope so.