In an increasingly digital world, the internet of things reigns supreme. From smartwatches that monitor your health to smart refrigerators that let you check on the milk situation from the office and washing machines that can be started with a text, even mundane items like appliances require network access.
Unfortunately, constant connectivity is a double-edged sword, bringing both convenience and security concerns that need to be considered and mitigated in order to best safeguard your endpoints and network.
What Exactly is an Endpoint?
An endpoint is a unit at the end of a communication channel that is accessed via a connected network and includes devices, tools, services, applications, and nodes. Traditionally, the term endpoint referred to hardware such as modems, routers, host computers, and switches connected to the network.
However, the advent of the Internet of Things has created a world populated by always-on, always-connected endpoints such as smartwatches, smart appliances, smart vehicles, and commercial IoT devices. This shift to continual connectivity poses a variety of cybersecurity challenges that need to be considered.
Are IoT Devices Endpoints?
Whether IoT devices are technically considered endpoints may be up for debate (though Palo Alto Networks considers IoT devices to be endpoints), but whether they officially count as endpoints or not, they should be treated as endpoints from a cybersecurity perspective.
Whether You Consider Them Endpoints or Not, IoT Devices Pose Serious Security Concerns
Whether you consider IoT devices to be endpoints or not, it is undeniable that unsecured IoT devices pose a security threat. To help safeguard your digital assets (including your network and the data stored on it), you need to be aware of the security vulnerabilities IoT devices introduce to your network so you can make an informed decision about whether or not your organization wants to allow these devices on your network.
While wearable technologies are convenient to use, they bring with them a whole host of security concerns, including:
Providing Easy Physical Access to Your Data
This is particularly concerning since most wearable tech devices don’t require a password or PIN or use biometric security features, which means if an attacker is able to physically steal your device, there is nothing keeping them from accessing the personal data on the device or potentially using it as a gateway to infiltrate your network.
The Ability to Capture Photos, Video, & Audio
The always-on nature of these devices means this can happen either with or without your consent, raising serious privacy concerns from both a personal and organization-wide perspective.
Non-Secure, Continuous Wireless Connectivity
Though most of us protect our laptops, smartphones, and tablets with PINs or passwords, wearable devices don’t typically offer this feature, creating unsecured points of entry to your other devices. Much like investing in a high-quality front door lock and then leaving a main floor window open, unsecured endpoints, including IoT devices, present a serious security vulnerability.
A Lack of Encryption
Most of these devices aren’t encrypted, which means your data is left exposed whenever you sync your wearable technology with another device such as your smartphone or store it on a manufacturer’s or third party’s cloud server.
Minimal or Non-Existent Regulations Leave Organizations Legally Vulnerable
Most of the security issues posed by wearable devices will need to be addressed by the manufacturers that produce them, which means the legal issue around self-regulation vs. government regulations is an important point to consider. Whether manufacturers self-regulate or fall under the purview of regulatory bodies, companies that suffer a breach because of the security shortcomings of a wearable or other IoT device will likely be held fully accountable from a legal perspective.
These security concerns should give organizations that are considering allowing wearable technology on their networks reason to pause. Though these wearable IoT devices have become commonplace, organizations should carefully consider the security implications of those devices before allowing them to potentially access sensitive company data and may want to consider keeping these devices off their networks until better security features become available.
Though your IoT thermostat and smart refrigerator might seem like odd targets for hackers, like wearable technology, the focus of the attack isn’t necessarily the IoT device itself. Instead, these devices act as a gateway to the rest of your network and the sensitive data stored on it.
Depending on how interconnected your home or workplace is, cybercriminals may be able to use these IoT devices to turn off your security system, access financial or human resources data, or even spy on your family or employees via your security cameras or nanny cam.
Attackers may also target these devices for their computing power alone, using your smart lighting system to mine cryptocurrencies (an attack known as cryptojacking, which we discuss in detail in this educational article).
Hacking someone’s car to cause it to crash may sound like something out of a James Bond movie, but with smart vehicles, this movie trope has become a reality. A recent study by a team of security researchers at the New York University Tandon School of Engineering and George Mason University found that car infotainment systems that are connected via protocols like MirrorLink can be exploited to override safety features.
Other research teams discovered similarly troubling results when looking at Mazda, Volkswagen, and Audi smart cars. This study found that MZD Connect firmware in Mazda’s connected cars can be used to run malicious scripts using a USB flash drive plugged into the car’s dashboard. In response to the research, Mazda put out a disclaimer clearly stating that third parties are not able to carry out remote customizations on their connected cars, but the data suggests otherwise.
Research conducted by Pen Test Partners found that third-party car alarms (which often claim to protect against keyless entry attacks) can actually decrease security by allowing cyberattackers to exploit vulnerabilities in the alarms themselves to:
- Turn off engines (potentially causing the vehicle to crash)
- Send geolocation data to attackers
- Allow cybercriminals to learn the car type and owner’s details
- Disable the alarm
- Unlock the vehicle
- Enable and disable the immobilizer
- Spy on drivers and passengers via the car’s microphone
These security flaws may make it easier to cause car crashes or steal vehicles, a safety and security nightmare neither individual car owners nor organizations with corporate fleets want to deal with.
Third-party apps can also introduce security risks, a startling discovery backed by research conducted by Kaspersky. In this study, the research team tested seven of the most popular apps from well-known brands and found that most of the apps allowed unauthorized users to unlock the vehicle’s doors and disable the alarm systems, and none of the apps were secure.
Commercial IoT Devices
As we have seen with consumer IoT devices, security remains a seriously under-addressed concern, and unfortunately, this holds true in the industrial and commercial IoT device sphere as well. Common endpoint attacks that can be adapted to target commercial and industrial IoT devices include:
Man-in-the-middle attacks involve cybercriminals intercepting and possibly altering or preventing communications between two systems. In an industrial IoT setting, this could involve tampering with safety protocols on industrial robots, potentially damaging equipment or injuring workers.
Just like it sounds, device hijacking involves unauthorized parties seizing control of a device. Unlike man-in-the-middle attacks, these types of attacks can be difficult to detect because the device’s basic functionality typically remains unaffected. In industrial and commercial IoT settings, attackers may use a single compromised device to either infect other smart devices on the grid or use the device as a gateway to gain access to more sensitive areas of the network.
DoS, DDoS, & PDoS Attacks
- DoS: Denial of service (DoS) attacks are designed to render a device or network resource unavailable (denying service) by temporarily or permanently disrupting services provided by a host machine such as a web server.
- DDoS: Distributed denial of service (DDoS) attacks involve flooding the host with incoming traffic from multiple sources (often either a group of attackers or a single attacker controlling a botnet of devices). These types of attacks are incredibly difficult to stop because you will need to block all incoming traffic from all malicious sources, turning your defensive actions into a game of cybersecurity whack-a-mole.
- PDoS: Permanent denial of service (PDoS) attacks (also called phlashing) are similar to DoS and DDoS attacks, but the goal is not to cause temporary disruption but instead to damage devices so badly that they need to be replaced or have their hardware reinstalled. An example of this type of attack is the BrickerBot malware, which is coded to exploit hard-coded passwords in IoT devices to cause a permanent denial of service. Attacks like BrickerBot could be used to damage water treatment plants, knock power stations offline, or damage critical factory equipment.
DoS, DDoS, and PDoS attacks can be used to target IoT devices and applications, causing serious disruptions, serious injuries, or permanent damage in both commercial and industrial settings.
Protecting Your Devices (& Yourself) in an Always-Connected World
All of these security concerns may have you tempted to throw out your computer and brush up on your typewriter skills, but there is hope. Here are some steps you can take to manage your IoT device security risks.
If you choose to adopt IoT technology in your organization, NIST recommends keeping these three goals top of mind in order to address the security challenges posed by IoT devices:
- Take steps to protect your IoT device security by ensuring all IoT devices are fully under the owner’s control at all times and are not being exploited by unauthorized users to access your network or harness devices for a botnet or other illegal activities. To do this, make sure you have protocols in place to actively monitor all IoT devices and look for signs of tampering.
- Safeguard your organization’s data by taking steps to ensure that all data generated by IoT devices is not exposed or altered when stored on devices, transferred around the network, or transmitted to cloud-based services (including cloud networks owned by either the device’s manufacturer or provided by third-party cloud companies).
- Take steps to safeguard individuals’ privacy and organizational privacy by putting alerts in place that will notify you if private or sensitive information is being captured or generated by IoT devices. If that data must be collected, make sure you know where that data is going, how it is being stored, and what it is being used for. This will not only help safeguard your organization’s data but, depending on your industry or vertical, may be required by legislation such as GDPR, PCI, or HIPAA.
Are you considering incorporating IoT devices in your workplace? The VirtualArmour team is here to help you assess the risks and create flexible yet robust security protocols to help safeguard your organization, your workers, and your data and develop a cybersecurity incident response program tailored to meet your organization’s unique needs. For more information, or to start updating your security posture, please contact our team today.