Connected devices aren’t just fodder for botnets. They increasingly act as malicious “insiders” capable of spying on their surroundings and providing valuable intelligence on homes and offices, argues Yotam Gutman of the firm Securithings in this industry perspective.
Connected devices present unique challenges to enterprises and consumers alike. The very nature of these devices — connected TVs, personal assistants like Alexa, or security cameras — calls for seamless connectivity and easy access. The vulnerability of connected devices has been proven time and again, and there is growing concern regarding cyberthreats. Today, IoT devices are often targeted by hackers, infected with malware and used to mine cryptocurrency, populate botnets and launch denial of service attacks. But there is another, more subtle and insidious threat that IoT devices pose: the insider threat.
It is a recognized fact that many data breaches involve insiders. However, until recently the problem was considered relevant only for traditional IT: nefarious employees would break into the network to steal money, customer data, trade secrets and intellectual property, as well as intentionally sabotage systems and corrupt data. Only recently, with the proliferation of connected devices, has the insider threat extended to the IoT arena.
Let’s examine the potential risks of smart home devices. These devices record audio and video of their surroundings. These recordings are then stored in the cloud, where they can potentially be accessed by system administrators from the company providing the service. What is to stop these administrators from gaining access to the device itself and watching or listening to these feeds? We can only speculate whether this is happening in the consumer space, but we have hard evidence that it is already occurring in the commercial sector.
In one case, an established vendor was selling video surveillance as a service using an OEM cloud-based video platform. This platform collected metadata about cameras and users’ activities and stored it in the cloud. The deployment consisted of dozens of device types and multiple user profiles (including domestic, commercial, support center personnel) located all over the globe. With such a large, diversified number of connected devices, the vendor suspected that there might be security and compliance issues, but the data collected was not analyzed, so it was impossible to identify malicious activity.
You might also like: Report: Organizations say IoT devices pose ‘catastrophic risk’, then shrug
Eventually the vendor decided to use machine learning algorithms to analyze the full deployment, consisting of about 150,000 devices and tens of thousands of users, generating millions of events daily. As predicted, several of the devices were being accessed from multiple locations, which indicated account takeover or credential abuse by outsiders (usually hackers guessing the default passwords of cameras). But that’s not all. The system also identified that support personnel — specifically those working at the service provider support center — were accessing end-user cameras in what appeared to be a peculiar and malicious manner.
This prompted an internal investigation which concluded that support center employees who had access to the camera feeds for maintenance purposes, were “checking in” on specific cameras on an ongoing basis, thus breaching the privacy of end users. It is unclear what the intention of these employees was; they could have been using this information to plan a burglary, extort an individual or simply satisfy their voyeurism. Regardless, this represents a severe breach of the end-client’s privacy and safety.
As more connected devices and associated services make their way into our lives and businesses, the potential for insider abuse will increase. The very nature of these devices and services makes them vulnerable to such abuse. The risk of breaking the end user’s trust is great and carries potential liability and penalties (some video surveillance services fall under GDPR regulations and are susceptible to heavy fines if non-compliant). Companies using such services would be wise to ask their service providers for clarification regarding how they are limiting their employees’ access to the devices. And it would behoove service providers to monitor the devices themselves in order to ensure privacy, security and regulatory compliance.