A cybersecurity researcher reflects on IoT in 2017 and beyond

A cybersecurity researcher forecasts the state of IoT in 2018

While many enterprise companies struggle to understand or even precisely define what IoT is, the growing number of connected devices is setting the stage for a significant security breach in 2018, warns a senior cybersecurity researcher.

Written by Brian Buntz
6th December 2017

Deral Heiland is not the biggest fan of the term “Internet of Things.” He may be the IoT research lead at cybersecurity firm Rapid7, but Heiland says, all too often, the phrase “Internet of Things” conjures up fuzzy associations of consumer-facing connected gadgets that obscure the security risk the technology can pose to enterprise companies.

As a case in point, the cybersecurity researcher points to a webcast he participated in earlier this year with the IT GRC Forum, which asked its audience of governance, risk management and compliance if their organization had IoT devices on their networks? Nearly half — 48 percent — of attendees responded with “no.”

But the thing is, IoT technology, or “Internet Embedded Technology” as Heiland prefers to call it, is nearly everywhere — from the smart TVs that are ubiquitous in boardrooms, to the multifunction printers churning out documents throughout the day. Teleconferencing systems, security cameras, wireless lighting controls and HVAC systems also fall under this umbrella. So in reality, the number of companies that can honestly report they have no IoT devices on their network is near zero.

We asked Heiland to come up with cybersecurity predictions for 2018. In his analysis, which follows the first heading below, he warns the widespread deployment of connected embedded technology — and the lack of awareness of it — could lead to a significant security incident in the coming year. The cybersecurity researcher also touches on the question of privacy, providing examples of potentially obtrusive device vulnerabilities.

Insecure IET devices could enable a major breach in 2018

With the ever-expanding influx of Internet Embedded Technology (IET) within our businesses, such as printers, conferencing solutions, building security technology, HVAC, automated lighting and other various consumer-based IoT technologies, I would not be surprised if we see these technologies take center stage in a major breach in 2018. Currently, no large breaches have been centered directly around IET.

I see two ways these technologies could play a role in a breach. One way is indirect, where a business has been previously compromised and the IET is then compromised as a secondary phase and used to hide the malicious actors’ presence as an advanced persistent threat (APT) on the network. Unfortunately, these technologies are not monitored and are often overlooked when it comes to a healthy security environment, making it very practical for them to be used as an APT. The second way I see IET being used for a breach is direct, as many IET solutions have some form of direct access, including IP exposure to the Internet, WiFi capabilities and radio frequency (RF) functions (Zigbee, Z-Wave, Bluetooth, BLE, etc.). I see malicious actors using these communication services to compromise the IET devices to gain a foothold on business networks. With this, these individuals can then silently hide on corporate networks, be able to launch direct attacks against other critical systems and conduct an exfiltration of data off the networks in a stealthy way by taking advantage of the lack of IET monitoring.

[IoT World demonstrates how the next generation of IoT will converge to unlock the intelligence of things in the industrial, enterprise and consumer realms. Get your ticket now.]

With a growing voice-activated and controlled IET market, I expect to see more complex and impactful security exploits targeting the voice control services within these technologies. Currently, products such as the Amazon Echo and other Alexa devices prevent the opening or turning on of security-related devices, such as door locks or garage door openers. However, if a product has multiple uses, such as on/off switch capability that can also be used for garage doors, this may not apply. It’s important to consider all manufacturers trying to enter the voice control market, and determine whether they are following the same due diligence. With all of this in mind, I expect to see a number of interesting voice-control vulnerabilities in 2018.

Moreover, as attack vectors against embedded technology continue to mature, I expect we will start to see more issues in 2018 related to the hardware. These issues include vulnerabilities specific to the chipsets deployed on embedded devices. The impact around such vulnerabilities will bring to light the growing need for better supply chain tracking. Currently, if there is a serious vulnerability discovered within a specific chipset, we cannot effectively track down the devices in the wild with those chips installed. To add more confusion, chips are now traded as commodities. This means that when a typical device manufacturer is building a product, they will tend to use the least expensive chips available that meet their product need during the manufacture run. Once these are used up, the next option is to then purchase the next block of chips based on what is the least expensive at that time, which may not be the same chips as first run.

Internet embedded devices: a stalker’s dream come true?

One topic the industry should have studied thoroughly, but has not, is privacy. We continue to see growth in the markets around internet-embedded video camera technology such as robotic vacuums, security systems, smart TVs and smart toys. We also continue to deploy such technology into our homes without considering the privacy implications. Typically, I see no issue with the deployment of security cameras around the parameter of the home, but I do find deployment in interior living spaces a potential privacy risk. Combining that with discovered vulnerability and exploitation brings about and a serious issue.

Examples of privacy-eroding exploits include:

An inexpensive web camera with a backdoor account, vulnerabilities to botnet attacks and more.
A cloud-accessible camera vulnerable to a denial of service attack. The camera can fail to record when a person enters into a house.
And a hacked home robo-vacuum that can spy on family members.

In 2018, we should demand good patching hygiene from IET vendors

Another important lesson we have learned this year is the importance around the ability to remotely deploy security patches to IET. Like all software, firmware is going to have bugs and vulnerabilities, and it’s important to have a reliable and secure method to update that firmware. So, at a minimum, we should expect and demand that capability from all IET manufacturers. For example, this year the National Telecommunication & Information Administration (NTIA) conducted a Multistakeholder Process related to Internet of Things (IoT) Security Upgradability and Patching. This process’ goal was to help with the identifying the need for a secure lifecycle approach to IoT devices, in which IoT technology support security upgrades through increased awareness and understanding by consumers and manufacturers. A few of the valued documentation created out of this process are: