IT Security

Inside the Matrix of IoT

by Mark Rowe

A chain is only as strong as its weakest link. Various IoT devices have been shown to pose a high risk to your organisational network, a risk that network access control can address.

The IoT (Internet of things) refers to the vast network of interconnected online gadgets, devices and systems. Unfortunately, the more advanced we become and the more integrated our systems, the greater the risks. Given that a chain is only as strong as its weakest link, it makes sense that IoT hacking is a real danger. Various DDoS attacks have the capacity to completely upend organisation infrastructure, causing major disruptions in day-to-day functionality.

IoT devices can be used to hack into an organisation's structure. Given that there are multiple insecure connections, hackers can easily infiltrate a seemingly secure organisation structure through various interconnected devices. As a result, companies run the risk of being exploited. Malware, viruses, Trojans, and other hacking techniques have quick and easy access to an organization through the multitude of connected IoT devices.

According to IDC projections, there will be over 80 billion ‘smart’ IoT devices within the next seven years. Unfortunately, the software that runs these gadgets, gizmos and interconnected devices is vulnerable to attack. Manufacturers of these devices direct their resources at the drivers and not the security systems. This makes it likely that critical security systems will ultimately fail. When these IoT devices gain network access, they have a foot in the organisation mainframe. These types of vulnerabilities are not the musings of sci-fi geeks and futurists – they are happening as we speak. Several examples of Internet of things devices that have caused major disruptions to organizational networks include the following three major security breaches:

– The Maroochy Attack – This is a classic example of dirty games by a disgruntled individual named Vitek Boden who was never hired by the Maroochy county sewer district in Australia. As a contractor, Boden was embittered by that decision, and decided to ‘hack’ the system by using radio devices. His actions caused tonnes of raw sewage to be dumped into local waterways. By the time the local police apprehended Boden, with all the radio transmission equipment in his possession, it was already too late. If the IT department had security protocols in place, this may not have happened.

– St Jude Cardiac Devices – perhaps one of the scariest, and most life-threatening hacks of all is with the medical implantable cardiac devices at St Jude. These devices can be hacked, and cardiac rhythms can be changed, and batteries depleted on these life-maintaining devices through nefarious activity. According to the FDA, hackers were able to gain control of these St Jude devices through the transmitter and drain the batteries on various cardiac devices within a day, instead of the usual three-month lifespan they were designed to have. The first death attributed to this problem occurred in 2014, making this one of the deadliest hacks on record.

– Jeep Hack – in July 2015 a Jeep sports utility vehicle was hacked by using the vehicle’s CAN bus. The firmware update was vulnerable to attack, and experts were able to gain control over the Jeep. The hack was dubbed a ‘Zero-Day Exploit’. It successfully targeted Jeep Cherokees and allowed the hackers to gain wireless control over the vehicle. Thanks to flaws in the Jeep’s entertainment system, the hackers were able to exploit these vulnerabilities and manipulate transmission, brakes, steering, music and more. Several hundred thousand vehicles have vulnerable Uconnect systems, according to the hackers. After the Jeep Hack, Chrysler recalled 1.4 million vehicles for the bug fix. This cost millions of dollars for the company.

How Easy Is It to Access the Corporate Network Via IoT Devices?

The absence of Network Access Control (NAC) is a concern for organisations trying to maintain a watertight system of operations. However, with NAC in place, companies can benefit from secure connections between IoT devices and the organization network. Consider the case of the classic WiFi Doorbell. This security camera was easily hacked, and gave the hacker access to all interconnected devices that run on the network. Since it’s a camera, the hacker can view what the user is seeing, and this presents a major security challenge. Many WiFi doorbells are easily hacked and this means that people at home or in the office could have all their personal files and folders intercepted through the Internet. If employees in the office or at home have their security systems hacked, the perpetrators can easily cause major disruptions to the organizational network.

Botnet code has been cited as the hijacker in this case. The system vulnerabilities are relatively easy to manipulate. According to the Shodan IoT device search engine, there are upwards of 140,000 devices that are detectable. NeoCoolCam gadgets are low cost models (less than $40 each) and have been disseminated around the world. Unfortunately, they are easily hacked through malware. Network access control problems are not limited to residential gadgets, gizmos and connected devices – they are also a big concern for enterprise-level organisations.

Vulnerabilities in IoT device protocols have enabled hackers to exploit these weaknesses for malicious purposes. This raises the question: what can hijacked IoT devices do to your organisational structure? For one thing, it is a violation of privacy. Beyond that, it is effectively espionage, and can be used to steal sensitive data and get to the organization's crown jewels. Additionally, hackers may threaten to blackmail individuals or companies if their demands are not met – also known as ransomware. The inherent value of IoT technology outweighs the risks, and that’s precisely why this new age paradigm is moving forward at breakneck speed. However, it’s important to monitor the interconnected nodes, devices, and networks for weaknesses.

Provide Effective Access Controls to Limit IoT Vulnerabilities

IoT devices can cause major disruptions to your organisational network. These include hacking, uncloaking of private data, and changing default settings. Unfortunately, many of these hacks can go undetected for some time as they get embedded deep in the system. Fortunately, NAC can be adopted to root out these weak links in the IoT network. By limiting access to devices, through controlled access and quarantine procedures, it is possible to limit botnet attacks, malware, and hacks.
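
The controlled-access and quarantine decision described above can be sketched as follows. This is an added example, not code from the article or from any NAC product; the segment names, device attributes and posture checks are assumptions, and the device inventory is constructed.

```python
from dataclasses import dataclass

# Segment names, device attributes and checks are assumptions for illustration.
CORPORATE, IOT, QUARANTINE = "corporate", "iot-restricted", "quarantine"
IOT_KINDS = {"camera", "doorbell", "sensor"}

# Default deny between segments: only listed (source, destination) pairs pass.
ALLOWED_FLOWS = {(CORPORATE, IOT)}  # staff may reach devices, never the reverse


@dataclass(frozen=True)
class Device:
    mac: str
    kind: str
    registered: bool           # present in the asset inventory
    default_credentials: bool  # posture check: factory password still set
    firmware_current: bool     # posture check: vendor updates applied


def admit(device: Device) -> tuple[str, str]:
    """Return (segment, reason) for a device requesting network access."""
    if not device.registered:
        return QUARANTINE, "not in asset inventory"
    if device.default_credentials:
        return QUARANTINE, "default credentials"
    if not device.firmware_current:
        return QUARANTINE, "outdated firmware"
    if device.kind in IOT_KINDS:
        return IOT, "registered IoT device"
    return CORPORATE, "registered managed endpoint"


def flow_allowed(src: Device, dst: Device) -> bool:
    """Traffic passes within one segment or along an explicitly allowed pair."""
    s, d = admit(src)[0], admit(dst)[0]
    if QUARANTINE in (s, d):
        return False
    return s == d or (s, d) in ALLOWED_FLOWS


# Constructed sample inventory.
LAPTOP = Device("00:00:5e:00:53:01", "workstation", True, False, True)
DOORBELL = Device("00:00:5e:00:53:02", "doorbell", True, False, True)
CAMERA = Device("00:00:5e:00:53:03", "camera", True, True, True)
UNKNOWN = Device("00:00:5e:00:53:04", "camera", False, False, False)

if __name__ == "__main__":
    for dev in (LAPTOP, DOORBELL, CAMERA, UNKNOWN):
        print(dev.mac, dev.kind, *admit(dev))
    print("doorbell -> laptop allowed:", flow_allowed(DOORBELL, LAPTOP))
```

With this policy a registered WiFi doorbell is admitted only to the restricted segment and cannot open connections to corporate endpoints, while a camera still using factory credentials never leaves quarantine.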


© 2024 Professional Security Magazine. All rights reserved.
