Networked dishwashers are, apparently, a thing – an insecure thing as it happens. Yet while Kellyanne Conway, who frighteningly is a ‘Senior White House Adviser' to President Trump, gets column inches suggesting a microwave can turn into a camera that spies upon you, the real threats from the Internet of Things are not in la-la-land.
They have already infiltrated the enterprise, if the latest Fortinet Global Threat Landscape Report is to be believed.
The biggest IoT threat to the network comes from printers and routers, which topped the list for IoT-related exploit scanning activity. In other words, attackers are actively probing these enterprise staples for vulnerabilities to use as attack leverage, most commonly to build DDoS botnets.
Fortinet refers to this as an Army of Things, and by all accounts that's a pretty good description. IoT devices compromised by the Mirai botnet initiated multiple record-setting DDoS attacks. The release of Mirai's source code increased botnet activity by 25 times within a week in 2016, with activity increasing by 125 times by year's end.
Phil Quade, chief information security officer at Fortinet, warns that the threat landscape for organisations is rapidly evolving. “Threats are intelligent, autonomous and increasingly difficult to detect,” Quade says, “with new ones emerging and old ones returning with enhanced capabilities.”
All of this got us thinking here at SC Media UK as to whether enterprise security teams might be getting a little distracted by all the media reports of talking toys, cameras, televisions and even Trump's microwave when the real IoT threat is in the office already.
Let's start with those who agreed. “This question hits the nail on the head in regards to identifying the issues we are faced with when it comes to IoT security,” says Paul Marshall, chief customer officer at Eseye. “Simply put, enterprise security teams need to look at the bigger picture.”
Ian Parker, professional services consultant at Axians, picked up on the bigger picture theme revealing that “approximately 50 percent of employees think that their IT department isn't aware of all the company's connected devices, and 70 percent perceive their organisation as being at risk from a connected device-related security issue”.
Javvad Malik, security advocate at AlienVault, also thinks that “focussing on items that will never make it into the corporate environment can distract from looking at the real issues”. He does, however, also suggest that as Mirai showed us, poorly secured IoT devices can be used to attack enterprises, “so while the threat may be different, it can't be totally discounted”.
Corey Nachreiner, CTO at WatchGuard Technologies, also agrees that “security professionals get distracted by reports focusing more on the novelty of certain types of IoT devices” rather than the real underlying technical differences that make some IoT devices riskier than others. His point is that it's easier for attackers to target vulnerabilities in something running on a well-known underlying platform such as Linux, where existing tooling and exploits carry over.
Meanwhile Lawrence Munro, senior director for SpiderLabs EMEA at Trustwave, ponders that “when we do a pentest for an organisation, they're not likely to have a connected talking toy or smart dishwasher linked to their corporate networks”.
Another pen tester, Ken Munro, who is a partner in Pen Test Partners, says that “the same security failings are cropping up regardless of the IoT device itself. Common issues that present themselves include the inadvertent exposure of seldom-used protocols to the web, poor authentication or default credentials that are nigh on impossible to change”.
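As an added example (not code from SC Media, Pen Test Partners or any vendor quoted in this piece), the Python below triages constructed scan records for exactly the failings Munro lists: seldom-used protocols reachable where they should not be, factory credentials still in place, and the Mirai combination from earlier in the article, telnet plus credentials the firmware will not let you change. The device names, addresses, port lists and credential table are constructed for the example; the `external` flag is assumed to come from a scan run from outside the perimeter, since whether a service is internet-reachable depends on vantage point, not just on the address.

```python
"""
Triage constructed IoT/peripheral scan records for common IoT failings.
Added example, not code from the article or any organisation quoted in it.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Seldom-used or legacy services a printer/router/camera should never expose
# beyond the management LAN (assumed standard IANA port numbers).
LEGACY_SERVICES = {
    21: "ftp",
    23: "telnet",
    161: "snmp",
    515: "lpd",
    1900: "ssdp/upnp",
    5900: "vnc",
    9100: "jetdirect raw printing",
}

# Widely published factory credential pairs (constructed subset for the example).
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("root", "root"), ("admin", "1234")}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Device:
    name: str                                  # constructed label
    kind: str                                  # "printer", "router", "camera", ...
    open_ports: list[int] = field(default_factory=list)
    external: bool = False                     # assumption: seen from an external scan
    creds: Optional[tuple[str, str]] = None    # (user, password) found in the device config
    creds_changeable: bool = True              # False if the firmware hard-codes the account
    snmp_community: Optional[str] = None


def triage(dev: Device) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one device, most severe first."""
    findings: list[tuple[str, str]] = []
    where = "from the internet" if dev.external else "on the LAN"
    tag = f"{dev.kind} {dev.name}"

    # 1. Seldom-used protocols reachable where they should not be.
    for port in dev.open_ports:
        if port in LEGACY_SERVICES:
            sev = "high" if dev.external else "medium"
            findings.append((sev, f"{tag}: {LEGACY_SERVICES[port]} (port {port}) reachable {where}"))

    # 2. Factory credentials; worst when the firmware does not let you change them.
    if dev.creds in DEFAULT_CREDS:
        user = dev.creds[0]
        if not dev.creds_changeable:
            sev = "critical" if dev.external else "high"
            findings.append((sev, f"{tag}: hard-coded factory account {user!r} cannot be changed"))
        else:
            sev = "high" if dev.external else "medium"
            findings.append((sev, f"{tag}: factory account {user!r} still in use"))

    # 3. A default SNMP community string is a credential problem too.
    if 161 in dev.open_ports and dev.snmp_community in ("public", "private"):
        sev = "high" if dev.external else "medium"
        findings.append((sev, f"{tag}: SNMP community {dev.snmp_community!r} is a default"))

    # 4. The Mirai recipe: telnet plus factory credentials on an internet-facing device.
    if dev.external and 23 in dev.open_ports and dev.creds in DEFAULT_CREDS:
        findings.append(("critical", f"{tag}: telnet with factory credentials exposed to the internet (botnet recruitment risk)"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def worst(dev: Device) -> str:
    """Highest severity for a device, or 'none' if it is clean."""
    f = triage(dev)
    return f[0][0] if f else "none"


# Constructed sample inventory for the example.
SAMPLE = [
    Device("mfp-3f", "printer", [9100, 515, 161, 80], snmp_community="public"),
    Device("edge-gw", "router", [23, 80], external=True,
           creds=("admin", "admin"), creds_changeable=False),
    Device("cam-lobby", "camera", [443], creds=("ops", "uniquepass")),
]

if __name__ == "__main__":
    for d in SAMPLE:
        for sev, msg in triage(d):
            print(f"[{sev:8}] {msg}")
```

Run it and the router comes out on top, twice over: an unchangeable factory account on a public address and the telnet-plus-defaults combination that Mirai exploited, while the printer's raw-printing, LPD and SNMP exposure stays at medium because it is only reachable on the LAN. The ordering is the point: the same failing on the same device class changes severity with exposure and with whether the operator can actually remediate it.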
As David Emm, principal security researcher at Kaspersky Lab, says, “Protecting against corporate attacks comes down to having a security strategy which covers every angle, not just the IoT dimension of security.”
It's a viewpoint mirrored by Destiny Bertucci, head geek at SolarWinds, who told us, “A corporate policy for IoT devices with a detailed, clearly defined framework should be in place, safeguarding businesses from the threats posed by printers and fridges alike.” And nobody is going to argue with that.
Some industry spokespeople, such as Robert Miller, head of operational technology at MWR InfoSecurity, think that the media coverage actually serves a useful purpose.
“We have actually seen the opposite reaction,” Miller insists. “Instead of companies dismissing or being distracted by attacks on IoT, they are starting to ask about similar devices on their networks.”
Professor Giovanni Vigna, CTO at Lastline, goes even further, suggesting that “the industry needs to stop looking at these devices as gadgets and start looking at them as regular endpoints, with the same security requirements of desktops and laptops.”
“While the majority of IoT devices do not represent a direct threat to enterprise,” Steve Nice, chief technologist at Node4, warns, “they may provide a new gateway into the enterprise. As the number of connected devices increases we'll see devices such as vending machines, washrooms and meeting room devices connecting to the corporate network to call back home.”
As Michael Downs, director of telecoms security at Positive Technologies, concludes, “The situation is only going to get more confusing as more traditionally dumb objects become connected and work their way into the enterprise, either officially or otherwise.
“For example, what is my security strategy if the CEO's car is connected via a compromised mobile network? If they make calls in their connected car, these could be eavesdropped on, not to mention an attacker having visibility of location and potentially even access to the car's management system. Security teams need to think big when it comes to the IoT.”