The Internet-of-Things (IoT) and industrial Internet-of-Things (IIoT) are streamlining manufacturing and logistics and enabling better productivity and security, but the benefits of IoT also come with a healthy dose of security concerns.

“It’s easy to underestimate or dismiss the risk or attacks against IoT devices. ‘IoT’ is such an overused term, and security issues are so pervasive that it’s easy to become jaded or just tune it all out. As the volume of connected, IP-based devices grows exponentially, so does the associated threat landscape. There were an estimated 8 billion connected ‘things’ by the end of 2017, and Gartner predicted that the number would have surpassed 20 billion by 2020,[1]” said Andre Kannemeyer, CTO at Duxbury Networking, distributor of Armis solutions in South Africa.

The attacks against IoT devices are affecting enterprises. A survey by IDC determined that 46% of organisations have experienced a breach or security incident associated with IoT security (or the lack thereof) – and 70% of those companies reported that the IoT security incident was costlier than a traditional breach.

Armis has developed a number of technologies that counter and mitigate attacks on unmanaged IoT devices.

Compromised tablet

After smartphones, tablets are one of the most prevalent connected devices. Many businesses rely on tablets for everything from providing an interface for a kiosk in the lobby, to conducting point-of-sale transactions, to managing inventory and logistics. Companies also use tablets in conference rooms to manage audio and video systems.

“One Armis customer had approximately 200 conference rooms and each one was equipped with a tablet. The Armis risk analysis engine identified anomalous traffic from a device on the guest network and found that one of the conference room tablets was streaming audio and video to an unknown location. The stream was enabled 24x7, allowing the attacker to eavesdrop on any conversations or presentations conducted in that conference room. Obviously, this was a serious security problem,” said Kannemeyer.

The customer had a variety of other security tools and lines of defence, but none of them are designed to detect an attack like this.

Compromised smart TV

A post from Security Boulevard[2] describes how IoT devices often have inherently weak security protocols. It also describes the challenges of visibility when dealing with the volume of connected devices on the network.

In one customer’s boardroom, the Armis risk analysis engine discovered a smart TV that had been compromised and was attempting to infect any other connected device that came near it. Malware had been surreptitiously installed on the smart TV by a vendor as part of the remote control app, and was sending out a beacon to any device in range to connect so it could install the malware and spread throughout the network and beyond.

“Again, there were other network security solutions in place before Armis came in, but none of them were capable of identifying this threat. The smart TV was not sending data out through the gateway or traffic across the network, so these security solutions wouldn’t notice the suspicious activity,” said Kannemeyer.

Compromised cameras and routers

In recent years there has been an explosion of internet-connected security cameras.

Anything you can access over the internet can also be accessed by hackers and cyber-criminals over the internet.

“Armis discovered a situation at a customer where the security cameras had been hijacked and harnessed as part of a botnet – actively trying to infect other cameras and routers on the network. The team then automatically triggered the switches on the network to block the devices and prevent any further malicious communication,” said Kannemeyer.

Infected healthcare device

Healthcare environments have a high ratio of IoT devices to computers, in some cases as high as 10:1, making them particularly susceptible to attacks.

An Armis customer in the healthcare industry had an MRI machine that was infected with the WannaCry ransomware, which crippled systems around the world in 2017. The MRI machine was connected to an internal, protected hospital network, but the vendor of the MRI machines required the hospital to open up additional ports over the public internet for remote vendor support. The underlying Windows XP OS had not been patched or updated for EternalBlue because applying the patch would void the warranty.

Unauthorised network bridge

Many of the printers in use today are also equipped to communicate over Wi-Fi or Bluetooth to make it more convenient for people to print from any device without having to be physically connected to the network.

A recent Armis customer had 145 printers on the network with open Wi-Fi hotspots – potentially allowing any device within range to connect to the network. “Armis began by discovering all devices on the network and monitoring network activity – including wireless activity in the customer’s airspace. This comprehensive discovery and monitoring enables Armis to discover rogue devices, hotspots, and other unauthorised devices or networks in the customer environment. The customer was alerted, so they could change the settings on the printer and shut down the open Wi-Fi hotspot.”

Protection of gas distribution facilities

Manufacturing and utilities are two industries that benefit significantly from industrial IoT or IIoT. While this brings new efficiencies and productivity, using IP-based devices in manufacturing and industrial environments also creates a very attractive target for hackers with the potential for catastrophic consequences.

Armis was able to help a gas distribution facility detect a compromised device in its environment and identify 600 devices vulnerable to the BlueBorne attack.

“Fortunately, there were no active connections or attacks detected by Armis. With Armis in place, the environment is continuously monitored – including the wireless airspace – to ensure that any future attacks or suspicious activity will be discovered. The customer can break the kill chain by blocking any device that becomes compromised or blocking any unauthorised network bridge.

“IoT is more than a buzzword. These new, unmanaged devices are the new attack landscape, as we have seen, since you can’t install a traditional security agent on them. Patching or updating their operating systems can be extremely challenging for a variety of reasons. Taken together, this presents a near perfect storm of risk – devices that are accessible, vulnerable, and unprotected. Enterprises are now confronting the reality of how to protect themselves from these new airborne threats. Armis is purpose-built for this new world, focused on discovering and analysing these devices in order to protect organisations,” said Kannemeyer.

[1] Gartner Press Release, “Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016,” February 7, 2017. https://www.gartner.com/newsroom/id/3598917

[2] https://securityboulevard.com/2018/04/how-smart-is-my-smart-tv/
