3 Hidden Endpoint Threats
IoT is a large attack surface and it grows bigger by the day. Businesses and consumers will continue to adopt more of these devices because they are low-cost problem-solvers.
However, the explosion of IoT devices is creating a new wave of security threats for consumers and companies alike. Manufacturers feel the push to develop IoT-driven products and services. Yet, they often lack security expertise, which leads them to overlook security measures, such as risk assessment, security testing, and patch management. Discontinued products also create security issues, since they are not being patched or updated by their manufacturers.
This article will explore three examples of the types of security vulnerabilities that can be found in everyday IoT objects. These objects are easy for users and IT departments to overlook, but still pose serious security risks.
Hidden Threat №1: Wearables
Wearable technology has exploded in popularity since 2013. Fitness and health-related devices are the most popular wearables followed by smart glasses and smart watches, according to a survey conducted by researchers at PricewaterhouseCoopers(PwC). In some cases, these devices go beyond BYOD; companies have issued fitness devices to employees in conjunction with wellness programs.
Whether through company-sponsored programs or BYOD, wearables are being brought into companies. These IoT devices are worth paying attention to because they are easy targets for hackers. Most wearables use low-power, unencrypted communication technology like Bluetooth. For less than $100 in equipment, a hacker can eavesdrop on Bluetooth communications transmitted by a wearable device.
A security investigation by Canadian security researchers revealed serious security weaknesses in several popular wearables. All the devices in the study used unencrypted Bluetooth low-energy wireless technology for connectivity. Out of the 8 devices studied, 7 leaked unique identifiers (MAC addresses). Addresses could be used to track the device through Bluetooth beacons. The researchers also managed to obtain login credentials and enter a company’s servers using a man-in-the-middle attack.
Hidden Threat №2: Medical Devices
The advanced communication-based features of medical devices, like remote monitoring and wireless connectivity, give healthcare professionals the ability to monitor, adjust, and fine-tune medical devices, like heart monitors, without invasive surgical procedures. However, these high-tech features also create points of vulnerability.
The vulnerabilities of medical devices are troubling, especially in the current age of ransomware attacks. Belgian and British researchers found security flaws in the communication protocols of 10 implantable cardiac defibrillators (ICDs). Vulnerable medical devices, such as ICDs, can pose a serious risk, not just to the wearer, but to larger hospital or medical center networks.
The researchers could intercept wireless transmissions and carry out replay and spoofing attacks as well as privacy, and DoS attacks. They were also able to send a shutdown command which caused the target ICD to enter a sleep mode. Wireless communications could be sniffed, or intercepted by researchers and patients’ identities were discoverable through the unique serial numbers of the devices. Data sent between the device and programmer could also be used to infer a patient’s diagnosis or course of treatment, said the researchers.
The researchers used inexpensive commercial off-the-shelf (COTS) equipment, and simple hacking techniques to demonstrate that ICDs are vulnerable to hackers with minimal knowledge and limited resources.
Medical device security is a concern serious enough to warrant attention from government. In late 2016, the FDA published non-binding guidance to help manufacturers manage post-market security for their devices. This guidance is a companion to protocols issued by the FDA in 2014, which focused on pre-market security steps.
The new guidance instructs manufacturers to:
- Gain a comprehensive understanding of the level of risk to patient safety posed by medical devices.
- Include a means to detect and monitor threats in medical devices.
- Create a process to communicate information regarding vulnerabilities to stakeholders and cybersecurity researchers.
- Address cybersecurity vulnerabilities with mitigation efforts, such as software patches.
Hidden Threat №3: Office Equipment
An obvious example of overlooked endpoints is office equipment, like the humble office printer. Here is a case in point:
On March 29, 2016, a neo-Nazi hacker sent racist propaganda flyers to 20,000 university printers located across the United States. With just two lines of code, the hacker tapped into printers configured to receive public messages. He then digitally commanded them to print the flyers. Students and staff members at over a dozen colleges found the offensive fliers in the trays of their fax machines and printers. The incident has forced university officials to re-think their security policies.
In addition to official IoT equipment like printers, most offices have a significant amount of unofficial office equipment in the form of wireless Bluetooth headphones or speakers, or USB-powered smart desk fans, lamps, or desk-top humidifiers.
You Can Manage Your IoT Security Risk
All 3 of the examples listed above illustrate how pervasive IoT has become and how easy it could be to miss the attendant security risks of these devices. However difficult it is to identify every endpoint threat in your network, there are measures that you can take to keep critical data safe regardless of the proliferation of insecure endpoints.
Originally published at www.ibmjournal.com.