Today I bring you a cautionary tale, courtesy of a customer. The moral of the story is this. Remember to include IoT devices in your cybersecurity program.
“IoT devices?” you say. “We do not have any of those!” I bet you have more IoT (Internet of Things) devices than you realize. IoT devices are like cans of garbanzo beans in your kitchen pantry. They seem to accumulate, even if no one can remember bringing them home.
IoT Devices You May Own
An IoT device is any device that can talk to the Internet. Technically, that means any device with a processor and a radio. You may prefer to think about IoT devices in terms of what information they collect and report on. Here are some examples.
- Smart door locks
- Smart doorbells
- Security cameras
- Meeting room signs that display room availability
- Temperature sensors
- Motion detectors
Yes, when you include IoT devices in your cybersecurity program, you have a lot of ground to cover!
The Tale of the Compromised NVR
One of our customers discovered a compromised IoT device on their network. He was kind enough to share what happened in case it would benefit others.
Our customer has a network video recorder (NVR), a video recording device that records activity at the customer’s office. The organization has a hybrid return-to-work policy, so there are periods when few or no staff are around. The customer needed a solution to capture access/entry to the office and settled on an NVR.
So far, so good.
Except that, as often happens, the customer neglected to consider IoT devices when thinking about where to focus their security attention. We frequently see this. Not only is it easy to overlook IoT devices, but it is also easy to think these devices do not present an information security risk.
In our customer’s case, they did not include IoT devices in their regular software update process. Because the customer does not have 24/7 monitoring, they did not discover the attack until they happened to check on the network the morning after the attack started.
The customer was able to take the NVR device offline (by disabling the port it was connected to). Their building security partner updated the NVR’s firmware. The customer moved the NVR to a new VLAN. They also blocked installation of any remote access, proxy, or P2P software on the NVR. The Intrusion Protection System blocks suspicious NVR traffic as well.
What Could Have Happened?
Perhaps you do not include IoT devices in your security program because you do not think they can cause any harm. You may want to reconsider your position.
- Attackers have been known to “enlist” IoT devices in Distributed Denial of Service (DDoS) attacks. Imagine thousands or millions of pings hitting your server.
- Are the IoT devices storing information that is sensitive or confidential? By itself, the data on an IoT device is not too useful. But what if it could be used to create a spear-phishing attack? Lack of motion outside the CEO’s office might mean they are working out of the office today. This would make a gift card scam (“I need you to do me a favor. And don’t tell anyone…”) easier to execute.
How to Include IoT Devices in Your Cybersecurity Program
I see I have your attention. Here are some tips to manage IoT device security.
- Inventory your IoT devices. Other departments may have purchased IoT devices, so you must look beyond the IT Department’s purchase records.
- Create a plan to keep IoT firmware up to date. We have seen in recent security assessments that printers and other (simpler) devices have struggled to keep their TLS (Transport Layer Security) software at Version 1.2 or higher. TLS has a serious deficiency below Version 1.2 that attackers have used to exploit networks. Expect to take your IoT vendors to task over timely firmware security updates.
- Isolate IoT devices from other network assets. Include your IoT devices in their own VLAN (or multiple VLANs for diverse types of IoT devices). Block the ability of hackers to move laterally across your network.
- Lock down your IoT devices. This is especially important if the data stored on those devices would be valuable to an attacker. Double-check what ports need to be open (and when). Disable remote control software installation.
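The four tips above can be turned into a repeatable check over a device inventory. The script below is an added example, not something from the customer's environment; the CSV columns, VLAN numbers, firmware age limit, and per-type port allowlists are all assumptions, and the sample inventory is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not from the article); column names are assumptions.
INVENTORY_CSV = """name,type,vlan,firmware_date,min_tls,open_ports
lobby-nvr,nvr,10,2021-03-14,1.0,80;443;554;8000
door-lock-1,lock,40,2024-01-09,1.2,443
room-sign-3,sign,40,2022-11-30,1.1,443
temp-sensor-7,sensor,41,2024-02-20,1.3,
"""

IOT_VLANS = {40, 41}            # assumed VLANs reserved for IoT devices
MAX_FIRMWARE_AGE_DAYS = 365     # assumed firmware update policy
# Assumed allowlist of ports each device type needs open.
ALLOWED_PORTS = {"nvr": {443, 554}, "lock": {443}, "sign": {443}, "sensor": set()}

def audit(csv_text, today):
    """Return {device name: [findings]} for devices that break a policy rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Tip: isolate IoT devices in their own VLAN(s).
        if int(row["vlan"]) not in IOT_VLANS:
            issues.append(f"not isolated: VLAN {row['vlan']} is not an IoT VLAN")
        # Tip: keep firmware up to date.
        age = (today - date.fromisoformat(row["firmware_date"])).days
        if age > MAX_FIRMWARE_AGE_DAYS:
            issues.append(f"firmware is {age} days old")
        # Compare TLS versions as (major, minor) tuples, not as strings or floats.
        tls = tuple(int(part) for part in row["min_tls"].split("."))
        if tls < (1, 2):
            issues.append(f"accepts TLS {row['min_tls']} (below 1.2)")
        # Tip: lock down the device; flag ports outside the allowlist for its type.
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        extra = sorted(ports - ALLOWED_PORTS.get(row["type"], set()))
        if extra:
            issues.append(f"unexpected open ports: {extra}")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(INVENTORY_CSV, date(2024, 6, 1)).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

A device type missing from the allowlist is treated as needing no open ports, so newly discovered device types are flagged until someone decides what they require.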
If you want to read up on other IoT security tips, see this article from Trend Micro.
Accept IoT—On Your Terms
IoT devices are not “coming.” They are already here. IoT devices can provide valuable telemetry about your physical environment. They enable creative solutions to office needs. As one example, I read about a system that tracks insolation (level of sunlight) hitting the building windows and automatically adjusts window shades to reduce the need for extra air conditioning.
As you bring IoT devices into your networks, remember to include them in your cybersecurity planning as well.