The Surveillance Invasion: IoT and Smart Devices Stealing Corporate Secrets

Chris Clements, VP of Solutions Architecture at CISO Global

“Hey Alexa, are you stealing my company’s data?”

In an age where manufacturers have decided that just about every device needs to be “smart,” it’s becoming difficult to avoid the data collection and privacy invasion that are often baked into these devices. We have come to expect that smart phones and speakers with built-in digital assistants are always listening, and data collection practices between companies can vary significantly.

That’s not where the story ends though. These smart devices often have vulnerabilities, both in how the manufacturer handles the data, as well as flaws in the products that expose users’ data. For example, Apple’s Siri was discovered to be sharing data with contractors as part of a quality control program. But it’s not just an issue of data sharing: Amazon’s Alexa has been found to have vulnerabilities that could allow an attacker to eavesdrop on conversations or install malicious “skills” as well as other vulnerabilities that expose user data. LG smart TVs were similarly found to be vulnerable to authentication bypass and privilege escalation attacks that threaten businesses that have these devices on their corporate network. Google Android TV devices can expose sensitive data about a user’s Google account including Gmail account access by sideloading the Chrome Web Browser on a device a person has previously signed in on.

These examples may be overkill, but I list them to point out that these risks are seemingly ubiquitous, and those vendors are generally considered some of the most security-conscious organizations. Smaller — and, especially, cheaper — IoT or smart device manufacturers typically fare much worse: they not only do a poorer job of preventing data misuse and vulnerabilities, but also lack quality ongoing support and maintenance to remediate issues when they are discovered. These realities create situations where company systems and customer information can be put at risk.

Organizations that lack policies or controls to vet IoT devices cannot gauge the security risk of the device manufacturer and the deployment scenario.

Risks: Unsecured Devices Create Open Doors for Hackers

Remember, the “S” in IoT stands for security. 🙂

The first area of risk to consider is that the use of insecure IoT devices creates opportunities for threat actors to establish footholds into corporate environments. Many IoT devices come with known default or weak passwords that make them trivial for attackers to take control of (compared with many IoT devices, I’m pretty sure my grandma’s Facebook password is stronger). Some of the largest botnets ever, such as Mirai, primarily rely on exploiting known default admin credentials. This allows the botnet operators to use their army of compromised devices to launch DDoS attacks on other victims.

The problem with insecure protocols in IoT devices goes beyond weak default passwords. Many of these devices simply don’t support the strongest encryption methods for transmitting data over networks, if they use encryption at all. Lack of encryption during transmission exposes sensitive information. Hackers can exploit this vulnerability by eavesdropping (think man-in-the-middle attacks) and stealing authentication details or other critical data.

Aside from insecure default accounts and configurations, software quality is notoriously bad on IoT devices, especially those made by smaller and cheaper manufacturers. Software quality issues often lead to vulnerabilities that can be discovered and exploited by attackers, sometimes without even needing to know the device’s password. While it may be tempting to think that IoT devices, such as smart TVs, don’t have sensitive information on them, certain scenarios can still expose data. Did you happen to join the TV in question to the corporate Wi-Fi network? If it shares the same wireless network and password as your employees, it could potentially allow an attacker access to further explore the Wi-Fi network. The bottom line is these vulnerabilities open doors to threat actors, giving them footholds from which to launch further attacks against the organization, or to use that access to target other vulnerable customers or companies.

To ensure that the use of IoT isn’t putting your organization at risk, it’s important to vet the security maturity of the manufacturer and the device in question. Does the device have any hardcoded passwords an attacker could use to access it? Does the device support the strongest encryption settings, and can it be configured to enforce the stronger settings as well as other cybersecurity best practices? Finally, has the manufacturer committed to, and — more importantly — demonstrated through past actions, patching any vulnerabilities as they are discovered?

Risks: Data Privacy

Another major concern with IoT devices is how manufacturers handle the data they collect. Imagine those cheap network cameras everyone jokes about offering “free ongoing monitoring.” The punchline? That data — video, audio, everything — might be getting shipped back overseas for who knows what purpose. Espionage? Selling it to advertisers for targeted campaigns? Even worse, it could all be ending up in an open cloud storage bucket, completely accessible to anyone with an internet connection.

What, how, and where a device transmits data presents multiple avenues of compromise. It’s incumbent on organizations to understand exactly what data is being collected by the IoT devices in their environments. This is important both in the office and remote work environments. For example, company policy may prevent an employee from connecting a smart speaker in a conference room where sensitive information like earnings or intellectual property may be discussed. But does that policy take into consideration the smart TV in the room, which has its own digital assistant continuously listening? Further, if an employee joining the meeting from home has a smart speaker sitting on their desk, it entirely defeats the purpose of that policy.

Data storage and transmission on IoT devices are crucial security considerations. If collected data sits on an open file share accessible to anyone on the network, or on a removable storage device that could easily be lost or stolen, it’s vulnerable to compromise. This is akin to leaving your cash register unlocked for anyone to easily access. The same applies to data transmission. Sending information unencrypted is like walking down the street with your wallet wide open.

The destination of this data also raises concerns. Many manufacturers send collected information back to themselves, supposedly for benign reasons like debugging device performance or updating firmware. However, more malicious motives sometimes exist, such as data mining for resale or even espionage.

Once we understand the potential data privacy exposures and risks inherent in IoT devices, we can make informed decisions about if and where they belong in our corporate environments. Areas where the most sensitive topics are shown and discussed could be strictly off limits, while other more public locations may get an okay depending on the device’s gauged risk tradeoffs.

Risks: Lateral Movement and Escalation

Even with secure passwords and data encryption on the compromised device itself, attackers can still exploit these vulnerable footholds within the network. While the device might not offer direct access to critical systems or data, it provides a valuable vantage point. From this compromised device, attackers can launch reconnaissance missions to map out the internal network, identifying weaknesses in security controls on other systems and users. These vulnerabilities become targets for further attacks, allowing the attacker to pivot laterally within the network, potentially escalating privileges and ultimately gaining widespread control of other systems and data.

The key to stopping attackers from using compromised IoT devices to pivot and escalate privileges lies in smart network architecture. Segregation is critical. Putting an IoT device on its own private network limits attackers’ ability to directly target these devices and prevents compromised devices from accessing other corporate resources. Think of it as an internal “DMZ” that allows us to enjoy the benefits of smart devices while limiting the potential for exposure in case of compromise. Further granularity can be achieved through network segmentation. Ideally, if the devices function without an internet connection, completely disconnecting them can be highly effective. This eliminates the risk of both device and data breaches by stopping the devices from reaching external resources, though admittedly this would disrupt cloud-based functionality. Otherwise, by just limiting access to only the manufacturer’s systems (assuming you’ve done your due diligence and trust them), we can limit the device’s ability to be used as part of a DDoS attack.

Best Practices for IoT Security in Business Networks

We’ve discussed several approaches to securing the use of smart and IoT devices in the corporate environment, but to sum up the recommended best practices:

  • Vet manufacturers’ reputation for cybersecurity. All systems may have vulnerabilities, but how often, how severe, and how the manufacturer responds to them vary wildly.
  • Vet the specific device implementation. Even the most reputable vendors make mistakes. It’s important to understand the security features of any given device and what best practices, such as changing default passwords, should be performed.
  • Understand the device capabilities. Can it record audio? Video? Telemetry on usage that could reveal sensitive information like physical location?
  • Understand the IoT device’s data collection, storage, and transmission behaviors and evaluate how they align with corporate policies.
  • Incorporate IoT into the larger cybersecurity program, including policies, configurations, and patching processes. Make sure these policies extend to cover places off the organization’s campus such as remote employees.
  • Segment as much as possible. The more isolated, the better. If it’s feasible, create separate internal DMZs for each type or class of device to limit what IoT devices can access and vice versa.
  • Monitor for suspicious behaviors. Despite our best attempts, hackers still routinely penetrate the first lines of defense established. Continuous monitoring of devices and networks for evidence of suspicious behaviors can help identify and thwart threats before widespread compromise occurs.
  • Perform regular vulnerability scanning and penetration testing. Given their reputation, IoT devices are generally considered among the most insecure. To stay ahead of cyber criminals, organizations should consider a proactive approach. Regular penetration testing by ethical hackers can unearth vulnerabilities in these devices before they’re exploited in real-world attacks. This becomes a crucial part of a comprehensive vulnerability management strategy.
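
One way to check the segmentation and monitoring practices above against network flow logs, shown as an added example that is not part of the original article. The IoT and corporate subnets, the manufacturer allowlist (documentation-range placeholder addresses), the cleartext port list, and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")        # isolated IoT "DMZ"
CORPORATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "192.168.10.0/24")]
# Destinations the vetted manufacturer needs (placeholder range, not a real vendor).
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Constructed flow records: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.50.0.21", "203.0.113.5", 443),    # TV -> vendor service over TLS
    ("10.50.0.21", "10.0.4.17", 445),      # TV -> corporate file server
    ("10.50.0.33", "198.51.100.77", 23),   # camera -> unknown host, telnet
    ("10.50.0.33", "203.0.113.9", 80),     # camera -> vendor, unencrypted
    ("10.0.4.17", "10.50.0.21", 8009),     # corporate host -> TV
    ("10.0.7.8", "10.0.4.17", 443),        # corporate-only traffic, out of scope
]

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def classify_flow(src, dst, dst_port):
    """Return the policy findings for one flow (empty list = compliant)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    if s in IOT_SEGMENT:
        if _in_any(d, CORPORATE):
            findings.append("iot-to-corporate")         # possible lateral movement
        elif d not in IOT_SEGMENT and not _in_any(d, VENDOR_ALLOWLIST):
            findings.append("iot-to-unapproved-external")
        if dst_port in CLEARTEXT_PORTS:
            findings.append("cleartext-" + CLEARTEXT_PORTS[dst_port])
    elif d in IOT_SEGMENT and _in_any(s, CORPORATE):
        findings.append("corporate-to-iot")             # isolation applies both ways
    return findings

def audit(flows):
    """Map each IoT device involved in a violation to its sorted findings."""
    report = {}
    for src, dst, port in flows:
        for finding in classify_flow(src, dst, port):
            device = src if ipaddress.ip_address(src) in IOT_SEGMENT else dst
            report.setdefault(device, set()).add(finding)
    return {dev: sorted(found) for dev, found in report.items()}

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_FLOWS).items():
        print(device, findings)
```

Any finding on a segment that is supposed to be isolated means either the firewall rules do not match the intended design or a device is behaving unexpectedly, and both are worth investigating.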

Conclusion

IoT and smart devices bring powerful and exciting capabilities into our lives, but security often takes a backseat, leaving them vulnerable to exploitation. Businesses must be proactive in identifying potential vulnerabilities and data compromise associated with these devices. They need to implement consistent measures for protecting their assets. This includes careful risk assessment, strategic implementation planning, and continuous monitoring with regular security testing. Only through such a comprehensive approach can businesses leverage the benefits of IoT devices while safeguarding their critical assets. To learn more about protecting your organization’s assets from security breaches, reach out to our specialists.


About the Author 

Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including: 

  • Firewalls
  • Intrusion Protection Systems (IPS)
  • Intrusion Detection Systems (IDS)
  • Virtual Private Networking (VPN)
  • Anti-Malware
  • Strong Authentication
  • Disk Encryption

Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as: 

  • Vulnerability Assessment
  • Man in the Middle Attacks 
  • SQL Injection 
  • Cross Site Scripting 
  • Phishing 
  • Secure Environment Breakouts 
  • Privilege Escalation 
  • Password Interception 
  • Password Cracking 

He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users.  He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs.  Chris also enjoys teaching and has led courses on information security for hundreds of students.  With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery.