The Internet of Things (IoT) has ushered in a new level of connectedness for homes and offices alike. We’ve gone from wired desktops to now wireless thermostats, nanny cams, refrigerators and even door locks at home and the office. There’s no question that there are benefits to having everything ‘connected’, but there’s also no question that that connectedness has potentially severe security concerns.
When we’re asked to evaluate a client’s security posture, we try to approach it the same way an attacker would. First, understand what their ‘golden egg’ is (the thing they most want to protect, which is also what the attacker wants); second, find the lapses in their security that we can exploit to get at that golden egg. I read this article from ThreatPost about vulnerabilities that Rapid7 found in some smart lighting products and wanted to point out a couple of things that should be old hat by now (but usually aren’t).
- Manageable ‘stuff’ exposed directly to the Internet. If at all possible, put that management access behind a VPN connection. If my only entry point into your network is a VPN connection, you’re likely (hopefully?) going to see my failed attempts before I’m able to get in.
- Default anything when it comes to authentication. The article notes that the default PSK was weak and listed it as the most critical of the identified flaws. The default values are likely either known or very easy to find with a quick Google search. If there’s a default username, default password, default anything, take a moment and change it.
- Connecting IoT devices to the internal network. Segmenting networks is easy and can be extremely effective at stopping (or at least slowing down) an attack. If you have vulnerable IoT devices that are segmented away from your internal network, a breach in that walled garden is manageable. If you have vulnerable IoT devices on your LAN, a breach there can be devastating.
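One way to lay out the segmentation and VPN-only management described above, as an added example written for this post (not a ruleset from the linked article, Rapid7, or any vendor): an nftables policy for a Linux gateway. It assumes VLAN interfaces eth0.10 (office LAN) and eth0.20 (IoT), a WireGuard tunnel on wg0 for remote admins, eth0 as the Internet uplink, and the address ranges shown; all interface names and addresses are assumptions, and the management ports are placeholders for whatever the devices actually use.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (assumed interfaces and addresses, not from the article).
flush ruleset

define WAN_IF  = "eth0"       # Internet uplink (assumed)
define LAN_IF  = "eth0.10"    # office LAN, VLAN 10 (assumed)
define IOT_IF  = "eth0.20"    # IoT devices, VLAN 20 (assumed)
define VPN_IF  = "wg0"        # WireGuard tunnel for remote admins (assumed)
define LAN_NET = 10.0.10.0/24
define IOT_NET = 10.0.20.0/24
define VPN_NET = 10.0.30.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The only thing the Internet may reach on the gateway is the VPN endpoint
        # (51820/udp is WireGuard's default port); failed handshakes show up in its logs.
        iifname $WAN_IF udp dport 51820 accept
        # Admin access to the gateway itself comes only from the LAN or the VPN
        iifname { $LAN_IF, $VPN_IF } tcp dport 22 accept
        log prefix "gw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # The walled garden: IoT may never initiate toward the office LAN or the VPN
        # admins. A compromised bulb or camera gets the Internet and nothing else.
        iifname $IOT_IF ip daddr { $LAN_NET, $VPN_NET } log prefix "iot-to-lan-drop: " drop
        iifname $IOT_IF oifname $WAN_IF accept

        # Managing the IoT devices: only from the office LAN or over the VPN, and only
        # on the management ports (placeholder ports; replace with the real ones).
        iifname { $LAN_IF, $VPN_IF } oifname $IOT_IF tcp dport { 22, 80, 443 } accept

        # Office LAN reaches the Internet as usual
        iifname $LAN_IF oifname $WAN_IF accept

        # Everything else, including Internet -> IoT, is dropped and logged by the policy
        log prefix "fwd-drop: " drop
    }
}
```

Load it with `nft -f` on the gateway and watch the `iot-to-lan-drop:` and `gw-input-drop:` log prefixes: the first is what a breach inside the IoT segment looks like when it tries to move laterally, the second is what the "failed attempts" at the VPN edge look like before anyone gets in. Note that the ruleset cannot fix a weak or default PSK on the devices themselves; that part is still a manual change on each device.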
There’s a good bit more in the linked article but these were the big things that jumped out at me and some of the things that we’ve leveraged during actual engagements. There are definitely bigger things to worry about but basic precautions (protecting sensitive devices behind a VPN, changing default credentials, segmenting networks, etc.) can save a lot of trouble later on.
Misc / Errata
- ThreatPost Article – https://threatpost.com/unpatched-smart-lighting-flaws-pose-iot-risk-to-businesses/119479/
- Internet of Things (IoT) – https://en.wikipedia.org/wiki/Internet_of_things
- Rapid7 – https://www.rapid7.com/
- Network Segmentation – https://en.wikipedia.org/wiki/Network_segmentation
- VLAN – https://en.wikipedia.org/wiki/Virtual_LAN