In-brief: Smart, connected devices from closed circuit cameras to printers and thermostats are undermining the security of businesses, providing possible paths for hackers onto corporate networks, according to a study by the firm ForeScout.
The study, conducted by noted independent researcher Samy Kamkar, identified seven IoT devices that can be hacked in as little as three minutes, including IP cameras, environmental controls, multifunction printers, Voice over IP (VoIP) phones – even “smart” connected light bulbs. Easy to hack, the devices can take days or weeks to remediate, ForeScout said.
The devices can become entry points that malicious hackers use to compromise business networks, said Pedro Abreu, ForeScout’s Chief Strategy Officer. “All these devices have credentials for corporate networks,” he said.
The security of devices like cameras has become a pointed issue in recent weeks, as denial of service attacks by botnets of compromised cameras, digital video recorders and other devices interrupted service for web sites like Twitter, CNN and the music streaming service Spotify.
“As these things become more commoditized, their security becomes worse,” said Abreu. “The number of devices is exploding.”
Many are escaping the notice of corporate IT departments. ForeScout’s study found that organizations can have as many as 30% to 40% more devices deployed on their network than they were aware of. “These are devices that either the company does not own, or devices where they can’t deploy a (monitoring) agent,” Abreu said.
Users are part of the problem, bringing in wireless hotspots, IP-enabled cameras or wearable technology and connecting them to corporate assets. In industries like healthcare, connected medical devices might be introduced by individual clinicians without the awareness of the IT department.
In the worst case, the connected devices become entry points or tools for cyber criminals, who can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment. Vulnerabilities in VoIP phone systems might enable the recording of internal phone conversations. Hacks of connected HVAC systems and energy meters could lead to cyber-physical attacks that overheat critical infrastructure and ultimately cause physical damage, ForeScout warned.
While the attention in recent weeks has focused on the role that compromised devices can play in botnets like Mirai or Bashlite, vulnerable devices can also be used to “pivot” to more vulnerable assets on corporate networks, said Billy Rios of the firm Whitescope.
“When we’re hired to compromise systems that support these facilities, we often use these kinds of devices as the means to get to corporate devices as well,” he said. “If a device is being commanded to participate in DDoS, there’s nothing stopping someone from pivoting into the network as well,” Rios added.
With little action from manufacturers, it falls to companies to detect and secure devices within their environment, Abreu said. That requires upgrading tools to detect a wide range of non-traditional endpoints, updating and securing those devices when possible and, if necessary, isolating them from sensitive data and IT assets. “Frankly: it is a losing battle,” Abreu said.
Adopting a “zero trust” model that assumes devices are compromised and limiting what they can do can greatly reduce risk.