IoT Security: A White Hat Hacker Clarifies a Fuzzy Subject

Internet of Things device can be elusive. That is a fact Deral Heiland, who is the IoT research lead at Rapid7, knows well. 

For one thing, such devices tend to pop up in myriad environments — inside and outside offices and industrial facilities. 

“Shadow devices are very common,” he said. “These are the devices that sneak into the network or a technology that changes through time.” That is, devices that once had limited capabilities, like printers, refrigerators, thermostats, cars or industrial machines, can be become computers in their own right.  

Another contributor to the murkiness surrounding the subject is the term “IoT” itself. Heiland for one is not the biggest fan of the phrase. It’s an example of a marketing term vendors dream up to sell their technology, he said. “I don’t like the term ‘IoT’ because I think it’s misleading. When I talk to an enterprise organization, if I ask: ‘Do you have IoT?’ They may say ‘no,’ because they might think it refers to some home consumer toy. “They don’t understand that IoT is way beyond that.” 

To make sense of IoT devices requires looking at devices’ functions. “I have three major ones in my model,” Heiland said. The first is that the device needs to be an embedded technology. Second, to qualify as an IoT device, a product should leverage cloud and API  services to communicate over the internet. “And the third piece,” Heiland said,” is that “it has some management control capability.” 

In the following interview, Heiland talks about his experience working with manufacturers, local governments and others with IoT projects:

What is the motivation that drives manufacturers to reach out to audit the security of a forthcoming product? 

Heiland: It’s a branding concern. Manufacturers are thinking: “It’s our name on our product.” They’re starting to take security more seriously. The impact of a security breach is damaging to the brand. And companies that have a solid brand want to protect that. 

Often, companies with a lot of white-label technology that doesn’t have a brand behind it have the biggest security problems. They rarely have an effective patch management response.

What role should end users have in using IoT projects securely? 

Heiland: In a number of the stories [on IoT-related security attacks] I’ve seen, the breaches weren’t necessarily a defect in the product. In some cases, the end-user wasn’t using good passwords, or they were reusing passwords for everything, whether it’s for a bank account or an Amazon Echo. In cases like that, when passwords get breached or when they use simple passwords, there is an increased possibility of those IoT technologies being used by random people. 

Do you see a similar pattern of lax security on the enterprise side?

Heiland: Often, organizations don’t have policies and processes around new emerging technologies. In a large organization, you may have satellite divisions that may decide: “Hey, we want to leverage some IoT technology.” So then they go out and purchase it. The core company may not know that’s taking place. I’ve worked with Fortune 500s where that was a very common problem. I think organizations need to have solid processes in place that define what IoT means to them as an organization. How are they going to approach it? Are they going to embrace it? Are they not going to use it? In any case, they should define processes and also ownership of those processes. 

If you’re going to bring new emerging technologies into a company, who owns them? If you don’t have defined processes for those things, devices show up. And these devices don’t necessarily have an obvious footprint. So just scanning may not detect them. So that’s how a number of these devices sneak in, and you lose accountability. There’s no change control or change management processes. So things just show up on the network. And no one’s aware of it.

How would you describe the level of cybersecurity awareness of local governments with “smart city” ambitions? How good of a job are they doing at securing funding for security?

Heiland: At least some of the people I’ve talked to rely on vendors for security. Some of those companies come in and set up, run and control the project. They pretty much do all the work. So some cities don’t need to do anything other than find funding. 

Would you advise cities with limited budgets to work with vendors that can provide something like smart city functions as a service? 

Heiland: Yes. That makes more sense because most cities don’t necessarily have the resources to throw behind it. Everyone I’ve talked to [with a smart cities project] doesn’t seem to have enough of a workforce to maintain, manage and secure all these technologies. So in those cases, there I think smart-cities-as-a-service makes more sense. If you don’t have the resources to do it yourself, it’s probably better you don’t try. 

What is Rapid7’s business like in the smart home space? 

Heiland: We do a number of things. We at Rapid7 have an entire service arm within the company in addition to our products. The service arm does pen testing and offers advisory services and forensics. On the pen test team, we have a number of people who are trained to do assessments on IoT technology. And we’ve done everything ranging from medical to [industrial control systems] environments, to consumer products. A lot of times with consumer products, companies that are going to market with something, they want to have it tested first. Or if it is something that’s already in the market, companies call us to check it after, say, a scare on the internet. You’re thinking: “Hey, we haven’t really had that tested. Maybe it’s time we do that.”

Do you also work with companies on procurement of IoT devices?

Heiland: We’ve done a couple of small type assessments related to pre-purchasing IoT technologies or enterprise technology. 

Most of the time, manufacturers reach out to us. That’s the biggest bulk of the type of work we do. And literally, we’ve done everything. 

What are some of the most significant vulnerabilities you often see when you’re looking at IoT security? 

Heiland: It’s essential to understand the three pieces that come into play when you start thinking about IoT security. [That includes analyzing its embedded technology, cloud and API services, and management control capability.] Hardware security is one thing, but I can still attack or control that device if you have flaws in your APIs. And I can attack that device if you have flaws in your management control applications, whether it’s a mobile app or an application on a server. Each of those can have vulnerabilities. You have to think about the entire ecosystem. 

Can you explain how an attacker who gains access to an IoT device can use it as a pivot point for a future attack?

Heiland: One example of this was an assessment where we were able to do that on high-end IP cameras used by a large, state-level organization. We were able to compromise the cameras because of poor security, and then actually pivot through the cameras through other cameras into isolated segments. The segmentation firewalls allowed them to communicate, so we just pivoted through those. 

Another example was with multifunction printers. We compromised one of the machines on the DMZ. But it had no connectivity to the entire network, but it had access to the printer. I built a custom payload [for a colleague to take advantage of] the functionality of that device. We sent that payload to a printer and the printer phoned out over the internet and gave us a tunnel into the corporate network.

Where do you think we are now in 2019 with IoT adoption? 

Heiland: I think it’s unavoidable. Go out and try to by a not-smart TV. We’re going to see more and more cases where IoT technology is built in. We’re going to get it whether we wanted to not. Eventually, there’s not going to be a “dumb” option.

Do you think the public’s attitude about IoT security is often different from how they see the security of devices like computers and smartphones? 

Heiland: People are often totally paranoid about a lot of IoT technology, but yet they’ll carry their camera into the bathroom with them, or into their bedroom. 

And I think that’s critical that people think about things like that. I encourage people to use the latest smart technology. It is convenient as hell but use it wisely. 

For instance, IP cameras for security are brilliant. But do you really need them in the house? And if you’re going to put them in a house, understand the implications.

We [across society tend to be] good at doing our homework when we get ready to buy a new car or a new phone. You look online and check out all of the features and stuff like that. 

When you get ready to buy any new tech, go out there and start asking security questions. Start looking to if this manufacturer has had any vulnerabilities. That in itself is not bad. But what was their process for patching? Was the timeline reasonable? Go out and grab the smart TV manuals — all of them are available online — and start searching in there for information on security. If you sell a TV, is there a defined process for how desync it from the internet and your accounts? 

IoT devices can create new types of safety concerns. What are you thoughts on this topic?

I think there’s safety things you need to be concerned about. You could have a pressure cooker that has Wi-Fi — a microwave, a washing machine or a refrigerator. Devices like those as well as ovens and garage door openers are kinetic devices. They produce some type of energy, whether it’s movement, or heat that will be a potential risk. So an extra level of security needs to be applied to that to make sure that those things can’t be impacted.

All the ones I’ve looked at it so far have been good. I went out and got one of the Amazon microwave ovens with voice control. I purely wanted to check to see how they’re doing it. And it was pretty solid. The initial voice command would work. But once you shut the door, it had features to prevent somebody in your driveway to walk up to your door and scream: “Alexa, microwave full power for three hours.” [Laughs]