I Don't IoT: Lessons Learned From Internet Connected Devices

In the field of information technology, inside jokes are plentiful when describing a problem that us caused by the user. “User error”, PEBCAK (Problem exists between chair and keyboard), and I-D-ten-T (ID10T / IDIOT) are often exchanged between IT professionals to slight a user without the user knowing it. The last term has garnered a double-meaning in the Information Technology world as of late. 

I Don’t IoT (IDIoT) is becoming an industry term to describe IT professionals who do not partake in using internet connected devices for a plethora of reasons. IoT devices collect an enormous amount of personal information, give unfettered access to sensitive networks, and are often built by the lowest bidder with no security in mind. Personally, I would never brand someone an “IDIoT” for not using IoT devices, but there are ways and industry best practices that can be observed and implemented to practice safe IoTing. Here are my favorite IoT stories and how things can go horribly wrong.

Casino’s High Roller List Stolen Due to a Smart Fishtank

This story has been making the rounds in the IT circles lately, although the event happened in July 2017. An unnamed casino installed a smart fish tank that would observe and record water temperature, salinity, pH, fish food level, cleanliness, among a number of other data points that minimized the need for a human to perform these tasks. While the sexy, if almost clickbait headline reads that an aquarium temperature sensor allowed hackers in, the truth is much deeper and complicated. The casino installed the smart fish tank and knew about the potential IoT vulnerabilities so they created a single VPN from the fish tank to a data collector in order to properly segregate the network and to ensure the fish tank would never touch a proaction traffic network. 

The casino installed data forensic and network tracing software all over its network and discovered that the fish tank leaked as much as 10 gigabytes of data to an unknown server in Finland. Hackers often attack poorly secured devices on the network to establish a beachhead in order to gain a foothold on the network and attack higher value targets.

Among the stolen data is believed to be the Casino’s “high roller” list of high net worth individuals who frequent the casino. This list would be extremely valuable to a competing casino who would try and steal away a high value target. Often high roller profiles include intimate details such as likes, dislikes, spouse and family information, among other things that casinos use to keep their high-value players happy. 

The Hidden Witness

If a life of crime is attractive to you, beware of IoT devices becoming hidden witnesses in your trial.

Connecticut police used data from a murder victim’s FitBit fitness tracking devices to discredit the victim’s husband’s timeline of events and eventually charge him with murder. The husband’s version of events indicated that the victim, his wife, had walked from her car to the basement where she was shot and killed by an intruder. The FitBit data indicated that she walked approximately ten times the distance between her car and the basement before she was killed indicating the husband was likely not telling the truth.

Similar to the FitBit story, an Apple Watch’s data was entered into evidence in a murder trial in the UK. The victim’s Apple Watch health monitoring data (including heart rate) indicated that the victim very likely died around 6:25pm. The chief suspect in the murder indicated that the victim was killed around 10pm.

Amazon Alexa-enabled devices are always listening, but Amazon contends that data is only sent to their servers when a trigger word such as “Alexa” or “Echo” is used. Arkansas authorities subpoenaed Amazon to get data from an Alexa-enabled device found near the crime scene. Amazon resisted the subpoena on the grounds of protecting user privacy, but ultimately turned over the data when the defendant gave his consent to turn over the data.

An internet connected pacemaker was used to convict an Ohio man of aggravated arson and insurance fraud when his heart-rate data directly contradicted his timeline of events. The defendant gave a story that when he realized his house was on fire, he packed his valuable belongings, threw them out a window, collected the luggage, and brought them a safe distance away from the flaming house. The defendant’s heart rate was inconsistent with a person who actually performed all of those tasks in the given amount of time and it was much more likely that his valuable belongings were already packed and moved a safe distance away before the fire was set. Patients with pacemakers are often monitored remotely by their doctors to ensure the pacemaker is still functioning correctly and to monitor patient health and be alerted to abnormalities or emergencies.

LG’s Smart Devices Leak so Much Private Data, It Would Make the NSA Blush

Adding cameras to automatic vacuuming robots represented a leap forward in smart home technology allowing vacuuming robots to clearly see obstacles and walls. It did not take long for security researchers to discover a vulnerability in the LG SmartThinQ platform that controls smart home items such as vacuums, dishwashers, ovens, air conditioners, and washing machines. Knowing only the victim’s e-mail address allowed an attacker to gain access to any LG devices owned by the victim and take full control.

Buy Cheap IoT Products, Get Cheap Security. Who Knew?

Shortly after Blackhat USA 2017, a security research group announced that over 175,000 Chinese-made IP cameras manufactured by Shenzhen Neo Electronics were vulnerable to attack according to Shodan. This vulnerability stems from the cameras’ use of UPnP, a protocol designed to quickly and easily add wireless devices such as cameras and printers to your home network. It was NEVER meant to be internet-exposed, but poor coding and lax security in the software development cycle allows for vulnerabilities such as this to exist. Once an attacker gains unauthorized access to the IP camera, he or she is now on the network.

IoT is the Disease, I am the Cure

To quote Sylvester Stallone in the 1986 movie Cobra, "You're a disease and I'm the cure.” IoT security (or lack thereof) was so upsetting that a few grey hat hackers created vigilante botnets to combat the problem. In October 2016, the Mirai botnet commandeered hundreds of thousands of vulnerable IoT devices and launched the largest Distributed Denial of Service (DDoS) attack in history bringing down DynDNS and several upstream providers including AirBNB, Twitter, Netflix, and Spotify. Many security researchers and practitioners sat on the sidelines eagerly awaiting to hear the industry response to criticisms of weak or no security, hard-coded passwords, and still having glaring vulnerabilities that were patched years or decades ago. 

Two vigilante botnets: BrickerBot and Hajime both aim to be the chemotherapy for the cancer that is insecure IoT. BrickerBot uses the password list from the malicious Mirai botnet to implant itself onto vulnerable IoT devices then runs an rm -rf command to completely wipe and brick the device. The device is “plashed”, rendering useless to both the device owner and to potential attackers hoping to leverage the device in a future attack. Hajime is much more polite in that it infects a vulnerable device and simply closes all the backdoors and turns off remote access until the device is rebooted.

Protection

While a dismal picture has been painted for not security, not all is lost. Protecting IoT devices is akin to guarding a screen door. Until there is a standard to secure and securely update IoT devices, security practitioners will be fighting an uphill battle. 

Using services like Quad9 DNS, a free service from IBM’s X-Force, is a quick and effective way to prevent IoT devices from communicating with known bad destinations. Properly segmenting networks so IoT devices have no access to sensitive or production networks greatly reduces the impact of a breach when an IoT device has been compromised.

In addition to blocking known bad destinations by DNS, clever attackers are getting more savvy and using typically allowed protocols such as DNS and VOIP (SIP) and exfiltrating data out using methods such as DNS tunneling. A next generation firewall capable of doing deep packet inspection can detect and block this exfiltration method. Sending logs to a SIEM can also introduce a basic level of user behavior analysis for IoT devices detecting anomalous amounts of data being exfiltrated or a high level of access denied requests. Lastyly, performing Data Loss Prevention (DLP) on outbound traffic with SSL Inspection will also detect and block unauthorized exfiltration of sensitive data.

I personally own several IoT devices such as a Nest Thermostat and an Amazon Alexa-enabled device. These devices are placed on a guest network (away from my NAS) with static IP addresses. These static IP addresses are then given explicit ACLs through a cloud firewall and are only allowed to communicate with servers associated with the devices (Nest, Amazon, etc.). If any of these IoT devices become compromised, they will only be allowed to connect to authorized destinations and not route command and control servers.

I close this entry with one more IT joke: IoT: The S stands for Security