The Internet and the Internet of Things (IoT) has revolutionized the way that the world does business. I don’t mean things like Facebook, Twitter and all of those cat videos that everyone seems to be obsessed with, I mean the cool things that the Internet has enabled us to do (or do better). Connecting offices used to be expensive and hard, before doing it a lot of thought went into cost benefit analysis and ROI. Now, it’s a foregone conclusion that branch offices and remote users will have real-time access [to everything] from anywhere in the world, it’s just what you do. At one time, companies had to man remote outposts or workers had to travel to check gauges, turn knobs and pull levers at remote locations but now, we can see in real time the status of this gear and make changes as needed from the comfort of a somewhat comfortable chair in an air conditioned office, often hundreds or even thousands of miles away. There’s no arguing that these are good things but, before VPNs were a thing, we wouldn’t let ‘just anyone’ into the server room or datacenter; before the IoT, we didn’t let just anyone check the gauges, turn the knobs or pull the levers, those are [were?] secure buildings / rooms / devices, they had to be protected. Fast forward a few years though and that’s exactly what we’re doing. We connect the server to the Internet and use RDP, VNC or as WannaCry taught us even SMB to access it directly, ’cause it’s important that we have remote access. We connect our surveillance system (DVR / NVR / cameras / etc.) directly to the Internet and monitor it from our mobile phones. We connect the ATGs at gas stations to the Internet so that our suppliers can check to see when they need to refill the gas tanks. In the end, it’s not hard to see what can come of this and it’s safe to say that a lot of it isn’t good.
How did this all start?
Long ago, connecting offices meant expensive equipment, [relatively] slow leased lines and headaches. The advent and explosive growth of the Internet meant that organizations, rather than paying for expensive leased lines, could simply connect each office to the Internet and then use that Internet connection as a backbone for the connections between their offices. This was huge; it cut the cost to connect offices (leased lines were easily several hundred dollars per month, an Internet connection is generally around $100 per month and is often shared between inter-office connectivity and Interent access), it cut the setup time (it could take 45 to 60 days [or more] to get a leased line installed, configured and setup, Internet access can generally be setup in a matter of a few weeks or less) and it made it easy and cost effective to quickly connect branch offices or ‘road warriors’ (mobile users) to headquarters. Connecting offices or users quickly and without the need for expensive leased lines was a thing and life was good.
What were the bumps along the road?
All of this goodness came at a cost though. The leased lines were generally point-to-point, which offered some ‘baked in’ security. In order for an attacker to get access to the traffic on a leased line, they generally had to be at one of the endpoints. Using the Internet (point to multi-point) though meant that anyone that had an Internet connection could potentially access the traffic. To counter this, encryption and authentication were used to ‘tunnel’ the traffic between endpoints so that, even if an attacker was able to access the traffic, it just looked like jumbled mumbo-jumbo if they didn’t also have the encryption keys. Now, securing those connections between offices / locations or users (and protecting the data in transit from prying eyes) was very do-able (if it was easy, everyone would be doing it, even now) and, once again, life was good.
The goodness was again short lived. First, it was possible to connect things to the Internet; then it was possible to secure things that were connected to the Internet (note the distinction here, it was possible to secure them but it wasn’t necessarily easy); then it had to be easy to connect things to the Internet; the Internet of Things (‘IoT’) was born. Devices were developed that were able to quickly and easily connect to a network (and the Internet) to make life easier; thermostats, door locks, media systems, security systems, HVAC systems, lighting control systems, gas pumps, industrial control systems [‘ICS’], critical infrastructure and even farm equipment (yup, Internet connected tractors). In many cases with industrial equipment, these were ‘add-on’ devices that simply made connecting existing analog devices (programmable logic controllers [‘PLC’]) possible and no consideration to security was given. Insecure protocols (HTTP, Telnet, VNC, console over serial [over Ethernet], etc.) were the standard so that the devices were easy to use and manage.
Why is all of this important?
More and more IoT devices are being designed, developed and connected to the Internet all the time. The security shortcomings of many older devices is no surprise but it seems that the security implications, even in new IoT gear, are a secondary concern at best. According to this article from The Register, the number of vulnerabilities reported by major vendors in 2016 was 116 and, in 2017, that number *rose* to 197 (an increase, not a decrease), with half of the reported flaws rated as critical or high risk in nature. In 2015, Rapid 7’s Project Sonar found approximately 5,800 Automatic Tank Gauges (ATG) exposed to the Internet with no password set, completely open and available for attackers to manipulate. In 2016, the US Justice Department confirmed that Iran had infiltrated the computerized controls of a small dam 25 miles north of New York City. Also, in 2016, the Mirai malware exploded aross the Internet by scanning, finding and infecting vulnerable devices (e.g., devices with default credentials accessible to the Internet) attacking various across the Internet including GitHub, Twitter, Reddit, Netflix, Airbnb and many others. In many cases (like the ATGs found by Rapid 7, the dam compromised by Iran in New York and the hundreds of thousands of insecure devices compromised by Merai), these devices aren’t secluded behind a firewall and segmented away to ensure that only authorized personel have access but are directly connected to and accessible from the Internet. In some cases, this is the result of well intentioned but ill informed personnel trying to increase efficieny, in others it’s the result of an overlooked mis-configuration and in some it’s the result of the lunatics running the assylum but, in every case, it’s an attack surface that a remote attacker can find and leverage to get a deeper foothold into the network.
What’s the solution?
The final solutions is anybody’s guess (make every human with an IoT device test it for security vulnerabilities and then patch what they find?). A good first step though would be for organizations to understand, document and keep up-to-date the devices under their control. Piratica offers services including vulnerability scans – a quick scan to identify what services you’re exposing to the Internet, vulnerability assessments – analyzing the data from a vulnerability scan to minimize false results (positive and negative) to give a clearer picture of the organization from an attackers perspective and a prioritized roadmap of vulnerabilities that need to be mitigated and penetration tests – leveraging the confirmed vulnerabilities identified in a vulnerability assessment to attempt to compromise an organization. If your organization doesn’t already have a relationship with a risk management company that can provide these services, we would welcome an opportunity to earn your business.
If you would like to schedule a free, no obligation, vulnerability scan to see what you may be exposing, simply complete this request and consent form.
- Breaking in with the Internet of Things
- Wikipedia article on IoT
- Wikipedia VPN
- Rapid 7 scan of gas pumps – https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges
- Iranian attack on dam in New York – http://time.com/4270728/iran-cyber-attack-dam-fbi
- Marai botnet – https://en.wikipedia.org/wiki/Mirai_(malware)