Internet of Things (IoT) Use With Caution
As technology becomes integrated into our lives, even at the most mundane levels, it is important to understand that the helpfulness of this technology has another side. Developers of assisted technology, for the most common things in our home, all require access to your home computer infrastructure. This assisted technology will help vacuum the floors, control the temperature in your home and fish tank, answer the door, turn on the oven, and close the blinds. The promise is that these electronic devices that we use to administer our lives will provide greater utility. However, as with most things electronic and connected, they need to be controlled by the owner.
Perhaps the most famous attack from an external source is the 2013 Target department store hack. In this attack, hackers started with an HVAC company, a third-party service provider, to Target. The HVAC employee had fallen victim to a phishing scam and had downloaded malware. The victim was apparently in the HVAC company accounting department with access into the Target accounting system for automatic billing. In the malware, the exploit software took root in the HVAC computer system and captured the login credentials to the Target account. This was a common malware; however, without antivirus software, it was undetected. With the stolen credentials, the hackers were able to access the Target accounting system. They soon captured millions of credit and debit card accounts and the personal information of millions of customers. The cost to Target was estimated to be over $300 million. This was an extremely successful attack that bypassed traditional boundaries; of course, the fact that a number of monitoring indicators were ignored did not help. Nevertheless, it does demonstrate the inherent vulnerability of connectedness, even in the most mundane things.
Another example is the 2018 hack into a major Las Vegas casino that resulted in the exploitation of their “high roller” database of personal information. The entry point in this example was the massive fish tank on the casino reception floor. The tank was set up with Internet of Things (IoT) devices for monitoring the water’s chemical makeup and temperature. The goal of the IoT devices was to automate the care of the tank and to provide nonstop monitoring of the fish environment. With a huge investment in the tank and fish, near real-time tracking would reduce risk. However, the wireless network connection to the tank’s IoT monitors was unsecured and compromised. As with the Target example, the hackers were able to patiently move through the casino’s network and copy and extract the data. The data from the fish tank was reported in near real-time; this “normal” data stream of monitoring data included the commands from the hackers. Once the target information was identified, it was exfiltrated through a server that was used for streaming video and audio; again, the data was hidden in the normal.
Of course, there are much more details regarding these attacks. However, at a general level, they illustrate fundamental failures that are often missed or neglected even by the experts, and these are often the simple things. One of them is the segmentation that is separating networks and user access. In the Target example, the victim of the phishing attack is supposed to have had system administrative privileges mixed in with user or work access privileges. Again, the rule is the separation of duties and the segmentation of access. In these examples, access to these systems was not a direct path, and the exploit took time; however, the attackers got there. For the casino, the question was how information access regarding fish tank temperature allows one into the database for the casino’s most important clients. In the Target example, the question was how access to vendor billing allows access to customers’ personal information and credit card transactions. No doubt, for these two institutions, this question has been answered. For the rest of us, this caution requires a good look at the infrastructure.
The casino IoT instance is a particularly good example of vulnerabilities, especially when considering there will soon be a time when there will be more IoT devices than people. The problem is how to secure the IoT device and connection. Again, the best solution is to follow the fundamentals. First, make sure the firmware/software for the device is up to date and ensure it stays current. Change the IoT device default settings, change the name (SSID) of the device to something that does not associate it with anything, as in do not use your last name or address, use something like the word pencil that means nothing. Change the password. Use antivirus software and keep it up to date. In your home, place all of these devices, where it makes sense, on a separate network. The guest network, for example, separates these devices from the network where you work. There are no guarantees, and there is no such thing as absolute security. What is mentioned above are some of the actions that can be taken to establish a defense in depth, the establishment of one barrier after another to frustrate and hinder the attacker. This approach provides the system user time and space to figure out what is going on and stop the attack.