IoT Vulnerabilities Increase Daily - Here's What One Company Is Doing About It.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The benefits and opportunities enabled by IoT technology are enormous, with increased connectivity expected to transform the operations of major industries like healthcare, finance, and public infrastructure. Yet all of this good stuff comes with heightened security threats. Every day, the IoT attack surface expands as tons of new smart devices get rolled onto the Internet, with the number of active IoT devices expected to surpass 20.4 billion by 2020, according to Gartner.
We’ve seen vulnerabilities across every industry sector. There are tons of vulnerable healthcare devices, routers and network devices, smart city communication sensors, automobiles and conferencing systems with several examples from 2018 leading the pack:
Security researchers have discovered vulnerabilities in the Medtronic CareLink 2090, a monitoring device that doctors use to control pacemaker settings. Poor authentication and encryption features have left the device software vulnerable to malware infections. When the researchers shared updates on the case at the 2018 Black Hat conference last August, many were shocked to hear that some of the vulnerabilities still persisted. This was despite notifying Medtronic of the security flaws almost two years ago.
Last May, Cisco Talos researchers uncovered a Russia-linked botnet affecting at least 500,000 vulnerable routers and network-attached storage (NAS) devices located across 54 countries. The network takeover was made possible by malware called VPNFilter, which granted the attackers control over infected devices, including the option of turning them off and taking them offline. It also let them compromise user data by snooping on traffic passing through affected routers and, more importantly, discover the software components used to manage the critical infrastructure behind them.
IBM last year identified 17 vulnerabilities, 8 of them rated critical, in four smart cities built on leading smart city systems deployed across the world. Many of the vulnerabilities were caused by elementary flaws in security design, such as allowing the use of default passwords and leaving networks exposed online, making these systems accessible even to amateur hackers. Particularly concerning were the authentication flaws and encryption issues found in server communication systems, as both controls are essential for preventing security breaches.
Elon Musk’s electric car venture Tesla made headlines last September when its Model S cars were discovered to be vulnerable to a key fob attack, a technique often used to steal high-end cars. A research team was able to clone a Model S key fob and then use it to unlock and drive a test vehicle. Using just $600 worth of radio and computing equipment, the researchers could learn the vehicle identifier transmitted by the car and then trigger a response from the key fob by impersonating the car. From the resulting challenge-response pairs, the researchers were able to narrow down the real key and use it to impersonate the key fob.
More specifically, what made Tesla’s key fob technology so vulnerable was its reliance on an easily crackable 40-bit cipher and its lack of mutual authentication.
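To make the mutual-authentication point concrete, here is an added example (not Tesla’s protocol or any code from the article) of a challenge-response unlock in which the fob refuses to answer a challenge the car cannot authenticate. It assumes a 16-byte shared secret and HMAC-SHA256 in place of the weak 40-bit cipher; both are choices made for this illustration.

```python
import hmac
import hashlib
import secrets

# Shared secret provisioned into both car and fob; constructed here for the example.
KEY = secrets.token_bytes(16)


def mac(key, *parts):
    """HMAC-SHA256 over the labelled message parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Car:
    def __init__(self, key):
        self.key = key
        self.nonce_c = None

    def challenge(self):
        # The car proves it knows the key by authenticating its own fresh nonce.
        self.nonce_c = secrets.token_bytes(16)
        return self.nonce_c, mac(self.key, b"car", self.nonce_c)

    def verify_fob(self, nonce_f, tag):
        # Accept only a response bound to this car's own challenge.
        expected = mac(self.key, b"fob", self.nonce_c, nonce_f)
        return hmac.compare_digest(tag, expected)


class Fob:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce_c, car_tag):
        # Without mutual authentication a fob answers any challenge, handing an
        # impersonator response pairs to analyse; here it stays silent instead.
        if not hmac.compare_digest(car_tag, mac(self.key, b"car", nonce_c)):
            return None
        nonce_f = secrets.token_bytes(16)
        return nonce_f, mac(self.key, b"fob", nonce_c, nonce_f)


def unlock_attempt(car, fob):
    """Run one challenge-response round; True only if both sides hold the key."""
    nonce_c, car_tag = car.challenge()
    resp = fob.respond(nonce_c, car_tag)
    if resp is None:
        return False
    nonce_f, tag = resp
    return car.verify_fob(nonce_f, tag)
```

A car object built with a different key never gets a response from the fob, so there are no response pairs to work with.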
Got a Polycom HDX System? Of course you do. It is hugely popular in spite of its stone-age functionality, because the easiest way to connect to other Polycom systems is through another Polycom system, and that is why many companies still use them. It is also why it, along with many other networked office products, has become a classic target for IoT botnet attacks.
IoT devices are increasingly targeted by cybercriminals as a launch pad for a broad variety of cyber-attacks. Botnets are a popular choice among cybercriminals because they are an easily assembled collection of compromised machines controlled via centralized command and control (C&C) servers. As you will recall, the Mirai botnet in October 2016 was the primary source of the crippling DDoS attacks against the DNS provider Dyn that took the US Internet down for the better part of a day.
IoT botnets are formed by compromising IoT devices through the exploitation of inherent security flaws, vulnerabilities, poor configurations, insecure authentication and so on, much of which is routinely found in all open-source software. The compromised IoT devices are then used as foot soldiers in DDoS attacks and turned into rogue proxy servers.
This all happens because these devices are frequently shipped with open-source software vulnerabilities baked in. The Polycom boxes in this case were infected with the OMNI botnet (a variant of Mirai) and also carried open-source packages such as BusyBox and wget embedded in their firmware.
The good news is that Polycom’s HDX systems have a built-in debug interface that records the activity occurring on the device in a log format. The debug flags have to be enabled in the configuration settings before the device will log all of these messages, but if they are, a concerned enterprise could use a company like WootCloud and their product suite to run log analysis and forensics to detect threats before they become lethal.
In this particular instance WootCloud found a number of Polycom devices infected with the Omni bot, which was busy running brute-force and password cracking operations from the devices via their telnet interfaces. Collaborating with the Polycom security team, the WootCloud threat research team was able to block and destroy the bots and cleanse the devices of the infected open-source modules.
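The kind of log analysis described above, as an added example that is neither WootCloud’s product nor the Polycom log format (which the article does not show): it parses constructed connection records in an assumed "timestamp src -> dst:port proto" layout and flags any device that opens telnet sessions to many distinct hosts in a short window, the outbound pattern a bot running brute-force attempts produces and a conferencing unit never should.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection records in an assumed "timestamp src -> dst:port proto"
# layout; the real Polycom HDX debug log format is not shown on the page.
SAMPLE_LOG = """\
2018-10-03T09:00:01 10.0.5.21 -> 10.0.5.1:53 udp
2018-10-03T09:00:02 10.0.5.21 -> 198.51.100.10:23 tcp
2018-10-03T09:00:02 10.0.5.21 -> 198.51.100.11:23 tcp
2018-10-03T09:00:03 10.0.5.21 -> 198.51.100.12:23 tcp
2018-10-03T09:00:04 10.0.5.21 -> 198.51.100.13:23 tcp
2018-10-03T09:00:05 10.0.5.21 -> 198.51.100.14:23 tcp
2018-10-03T09:00:06 10.0.5.21 -> 198.51.100.15:23 tcp
2018-10-03T09:00:30 10.0.5.22 -> 10.0.5.40:23 tcp
2018-10-03T09:00:31 10.0.5.22 -> 10.0.5.1:53 udp
2018-10-03T09:05:00 10.0.5.22 -> 10.0.5.41:23 tcp
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse(log):
    """Yield (timestamp, src, dst, dport) for each well-formed record."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore non-connection debug output
        ts, src, dst, dport, _proto = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_telnet_scanners(log, threshold=5, window_s=60):
    """Return {src: distinct telnet targets} for devices that opened tcp/23 sessions
    to at least `threshold` distinct hosts inside any `window_s` second window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == 23:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start so it spans at most window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

With the sample above only 10.0.5.21 is flagged; the two telnet sessions from 10.0.5.22 five minutes apart stay under the threshold.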
In addition, WootCloud recently analyzed thousands of exposed Cisco router devices to determine how many could become targets for bots launching brute-force attacks, mining bitcoin, or building hidden proxy tunnels. That study found more than 200,000 Cisco routers running with exposed web administrative panels, which reflects the high level of risk organizations take when they allow administrative web consoles to be exposed on the Internet, available to any remote user or cyber-actor without restriction.
One of the cool things about WootCloud, by the way, is that its system leverages both radio signals and network traffic to neutralize IoT threats, regardless of device characteristics. This means that whether you are running a factory, an investment bank, a healthcare company or a hospital, all of your IoT devices can be monitored and controlled in real time and protected with complete end-to-end visibility. Any and all IoT devices are in their wheelhouse. I strongly recommend taking a look at these guys, as they are the only IoT cybersecurity company I know of taking this approach.
And if you are an MSSP, or an MSP aspiring to become an MSSP, WootCloud would be a great channel partner for launching or expanding your service offerings into the soon-to-be-booming IoT threat detection and response space.
Whether with WootCloud or another technology, now is the time to begin addressing the variety of vulnerabilities we will continue to discover in all of our everyday office equipment, devices, industrial control systems and sensors, hospital measurement and control devices, and network-enabled appliances in our kitchens and break rooms, before they become the root cause of costly and unnecessary breaches.
Full disclosure: I have no relationship with WootCloud whatsoever other than having evaluated their technology.
IoT Security - Acquired by Netskope Inc. (5 years ago)
Thank you for raising the topic of this very real and rapidly growing threat of hackers exploiting devices in enterprises.