Security Pros Must Join Forces to Combat the Internet of Evil Things

Vulnerable IoT devices and low-cost, plug-and-play cyber-espionage tools represent an emerging threat vector: the ‘internet of evil things’ (IoET). Dave Porcello argues infosec pros need to better understand this threat and collectively develop a standardized framework and taxonomy to enable IoET information exchange.

The line between personal and business communications has blurred beyond recognition. Business computing is no longer the beige box that sits on your desk or the company-issued PDA. Instead, today’s IT infrastructure is an unmanaged mix of company-issued equipment, personal devices (BYOD) and off-network IoT or ‘smart devices’ outside the ownership and control of the enterprise.

While device vendors rush to capitalize on consumer IT and the ‘internet of everything’, important questions are being left unanswered. How can such a diverse assortment of devices and technologies be effectively policed to ensure the security of our personal and business networks? How can personal privacy be maintained in a world where everyday objects are constantly recording the user's every move?

In a recent study, 83% of over 600 information security professionals indicated they were concerned about rogue and unauthorized devices operating within their organization without their knowledge. What’s worse, 69% revealed they are unable to even detect the wide array of computing devices currently in use across their enterprise.

Security professionals recognize this threat, but are still finding themselves unable to combat it effectively. With estimates predicting there will be up to 40 billion connected devices in operation by 2020, there is precious little time to develop effective defenses against this ever-expanding threat vector.

The Internet of Evil Things

The more internet-connected devices users carry, the more the attack surface of the network expands. It’s no longer enough to simply make sure the computers on the network are being policed; the threat vector is expanding well beyond traditional monitoring capabilities.

Today, the greatest threat stems from the expanding ‘Bring Your Own Everything’ trend, in which personal smartphones, tablets, laptops, printers, mobile hotspots and other consumer devices are used for business communications. Often used without the organization’s knowledge or consent, these devices represent an unpoliced ‘off-network’ infrastructure referred to as ‘shadow IT’. These devices can act as a back door into corporate infrastructure, allowing an attacker to circumvent front-line defenses.

But the threat isn’t limited to attackers leveraging otherwise legitimate devices. As powerful computing devices get smaller and smaller, they become more practical as covert offensive tools. From home-built devices based on popular boards such as the Arduino and Raspberry Pi, to commodity tools like a pen-testing dropbox or wireless keylogger, there’s never before been such a wide array of hardware for attackers to choose from.

Collectively these varied threats are being referred to as ‘the internet of evil things’, or IoET, a collection of devices which may have been designed with the best of intentions, but can be turned against their owners. This plethora of high-risk consumer electronics and vulnerable ‘smart devices’ (aka IoT) presents one of the largest and fastest-growing threats in the security field. Yet by their own admission, most organizations are completely unprepared for it.

Unified Front

The best way to combat an enemy is to learn as much as possible about it, but our collective knowledge of the IoET as it stands today is simply not sufficient. The rising tide is too strong for a single company or group to handle alone. The sheer volume of new devices released every year is too great, and the stakes are too high to trust such a monumentally important task to a select few. Identifying, researching, and documenting the wide array of high-risk hardware comprising this new era of connected devices can, and must, be taken on by the security community at large.

To this end, a standardized framework for documenting IoET devices should be developed to more easily exchange information between researchers, developers and consumers. This framework should allow quantifying elements such as the device’s commonality and potential for damage if misused. The time to come together to address this critical and ever-growing challenge is now.


Dave Porcello (@DavePorcello) is the founder & CTO of Pwnie Express, a leader in innovative device threat detection products.