A casino hacked through an aquarium heater* sounds like fiction—but this recent headline news was an all-too-real demonstration of the risk that Internet of Things (IOT) devices bring to organizations of all sizes.
However, take heart! There are ways that even small organizations can reduce or remove this risk with less effort and cost than you might assume. The keys are knowledge and the right toolkit.
As you may already be aware, small- and medium-sized organizations are prime targets for hacking. Not only has the proliferation of IOT devices resulted in new and unique issues for information security, but the problem is compounded by misconceptions about the risk involved.
A rising threat to everyone’s information security is the diversity and number of IOT devices. IOT used to be just smart speakers, webcams and internet streaming video devices but now we can hardly keep up with the list of devices as varied as Fitbits, lightbulbs, and kitchen appliances. Incidents like the aquarium hacking demonstrate how difficult it can be to anticipate threats if you don’t have a proactive system in place.
These devices are a favorite tool of evil hackers—not just because IOT devices are invading our homes and businesses with little oversight, but also because they likely run on firmware and operating systems that are hardcoded in such a way that makes them difficult to update or secure.

Scope and Statistics
Before we talk about solutions, let’s make sure we understand the scope of the problem beyond the simple anecdotes I have provided so far.
Worldwide, the number of internet-connected items will grow from 14.2 billion to 25 billion by 2021.** In the first quarter of 2019, Kaspersky researchers detected 104 million exploit attacks against IOT devices on their network, coming from over a quarter-million unique sources. That is up a whopping nine times from the same period last year (12 million).

Issues and Awareness
The proliferation of IOT devices coincides with a number of new and unique challenges. For example:
- Specialized malware such as the “Nyadrop” toolset is being developed for attacking IOT devices, making it even easier for hackers to create exploits.***
- IOT devices can contain malware before you even install them. Do not fall for the misconception that your firewall software will protect you from IOT issues.
- Some IOT devices can bypass all protections on a victim’s network. A few weeks ago, the University of Texas revealed that smart light bulbs can be connected to and controlled by infrared signals.
Reading information like this can make many of us feel helpless, but all the risks from IOT devices can be mitigated with some knowledge, specialized tools, and planning. This taming of your “wild” IOT devices can likely be done with less disruption to your business processes and your budget than you might think.
Many of the risks from known IOT devices can be largely mitigated by reconfiguring the network equipment you probably already have in your company. However, you may have some unknown devices on your premises, as they can be simple items purchased and installed by non-IT professionals. For example, the casino that was hacked through an aquarium heater? That aquarium and heater were installed by a subcontracted service.
Specialized software can find these “unknown” devices on your networks. While these tools are expensive to buy and learn, this is where an assessor and/or trusted security advisor can come in handy. These advisors have access to these specialized tools, so you will not need to purchase and learn to use them.
Trusted security advisors will also know if some of your IOT devices can be made more secure with a reconfiguration of the devices themselves (reducing cost and network disruption) and can work out a quarterly or annual checkup to make sure you are still keeping your IOT risks minimal.
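One low-cost way to start finding “unknown” devices before calling in an assessor is to compare what your DHCP server has actually handed addresses to against the list of devices IT knows about. The following is an added example, not code from the original post; it assumes a dnsmasq-style lease file layout and an approved-device list keyed by MAC address, and the lease lines, inventory, and vendor hints are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    vendor_hint: str


# Constructed sample in dnsmasq lease-file layout:
# <expiry> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.10 reception-pc 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.1.11 printer-2f *
1700000000 00:17:88:12:34:56 10.0.1.57 * *
1700000000 b8:27:eb:aa:bb:cc 10.0.1.58 fishtank-ctrl *
"""

# Approved inventory maintained by IT (constructed): MAC -> purpose.
APPROVED = {
    "aa:bb:cc:00:00:01": "reception workstation",
    "aa:bb:cc:00:00:02": "2nd-floor printer",
}

# Hypothetical OUI (first three octets) -> vendor hints used only for triage;
# a real checkup would look prefixes up in the IEEE OUI registry.
OUI_HINTS = {
    "00:17:88": "smart lighting (hypothetical hint)",
    "b8:27:eb": "single-board computer (hypothetical hint)",
}


def parse_leases(text: str) -> list[Device]:
    """Parse lease lines into Device records; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mac = fields[1].lower()
        hostname = "" if fields[3] == "*" else fields[3]
        devices.append(Device(mac, fields[2], hostname, OUI_HINTS.get(mac[:8], "unknown vendor")))
    return devices


def find_unknown(devices: list[Device], approved: dict[str, str]) -> list[Device]:
    """Return every device whose MAC is absent from the approved inventory."""
    return [d for d in devices if d.mac not in approved]


def report(unknown: list[Device]) -> list[str]:
    """One line per unknown device; a missing hostname is itself a warning sign."""
    return [f"UNKNOWN {d.ip} {d.mac} {d.hostname or '(no hostname)'} [{d.vendor_hint}]" for d in unknown]


if __name__ == "__main__":
    for line in report(find_unknown(parse_leases(SAMPLE_LEASES), APPROVED)):
        print(line)
```

Run against your real lease file and inventory, the two flagged lines are the devices nobody in IT signed off on, which is exactly the list to hand an assessor at the next scheduled checkup.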
While you may be tempted to ban IOT devices, they are not going away anytime soon—or perhaps at all—and are being integrated into our basic business practices. Besides, as the aquarium incident shows, IOT devices can show up in some unexpected places. While outlawing them is likely to bring a false sense of security, a well-managed and regularly scheduled assessment is far more effective and less intrusive.
I would love to expound more on this topic but my smart coffeemaker in the breakroom is telling me it has ordered more medium roast and I have to go downstairs to sign for the package…
* DarkTrace industry conference session
** Gartner Research
*** CyWare, 17 Oct 2019