#infosec15: Internet of Things Opens Door for Attackers

Leading provider of network security and DNS services, OpenDNS, is warning that the increased demand for the use of internet of things (IoT) devices in the enterprise is creating new attack vectors, and opening new avenues for faster exploitation.

The adoption of IoT will only gain momentum, said IDC in its research papers Worldwide Internet of Things Taxonomy, 2015 and Worldwide Internet of Things Forecast, 2015–2020, predicting that the market will grow from $655.8bn in 2014 to $1.7trn in 2020 with a compound annual growth rate (CAGR) of 16.9%. Devices, connectivity, and IT services are expected to make up the majority of the IoT market in 2020, with devices (modules/sensors) alone representing 31.8% of the total.

These predictions were backed up at Infosecurity Europe 2015. OpenDNS director of security research Andrew Hay said that IoT devices were moving to the corporate environment just like smartphones and tablets did.

Yet he warned that the risks from such wide penetration were increasing even in some of the world’s most regulated industries, including healthcare, energy infrastructure, government, financial services and retail. Moreover, said OpenDNS, even sanctioned IoT devices are increasingly operating outside the control of IT departments because they rely on cloud-based and hosted network infrastructures. Many companies are basically under-prepared for their use. Indeed, the survey also shows that nearly a quarter of respondents had no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s networks.

The research was undertaken between February and April 2015 across 56 vertical industries, half of the sample having over 2500 employees. Rather worryingly, it found that users were connecting up consumer devices offering negligible corporate benefit, such as Dropcam internet video cameras, Fitbit wearable fitness devices, Western Digital My Cloud storage devices, various connected medical devices, and Samsung smart TVs — home, said Hay, to a “whole bunch of chatty domains” when given Wi-Fi access. These devices continuously beacon out to servers in the US, Asia, and Europe, even when not in use.

This was leading to some infrastructures hosting IoT data from devices that people increasingly bring into the workplace; these are susceptible to patchable vulnerabilities such as FREAK and Heartbleed. Indeed, highly prominent technology vendors were seen to be operating their IoT platforms in known “bad internet neighborhoods,” which places their own customers at risk. The audience at Infosecurity Europe was audibly alarmed at hearing that FREAK vulnerabilities were found most in energy, media and utilities.

Hay then went through a roll call of the most vulnerable networks and systems, with the Axeda cloud-based server system figuring highly. The research showed it vulnerable not only to FREAK but also to POODLE and wildcard attacks. In what could be a nightmare scenario for corporations, Hay postulated that smart TVs, popular in boardrooms as presentation devices, could be controlled by unauthorized outside agents who could potentially gain access to confidential corporate information as it was presented. The same, he said, was potentially true for My Cloud devices.

In a call to action, Hay advised that it was critical that those charged with protecting networks get out in front of a growing issue. He added that IoT-enabled devices should be regarded and managed like any other equipment connected to the internet and closely monitored to provide warning signs of an attack.
