They Want Your Enterprise Brains: Night of the Botnet of Things
The Internet of Things envisions a programmable world where all machines, all devices, from your toaster to your Toyota, are interconnected via the Internet. Futurists portray a world where you can remotely control all of your devices, right down to in the lights in your home, with the tap of a button, and where you yourself are gently guided by your "smart devices" throughout your daily routine as they measure everything from local traffic and weather to your heart rate.
Unfortunately, it's all hackable.
How easy is hacking the Internet of Things?
Recent headlines have been rife with examples of security backdoors allowing hackers to take control of all manner of smart devices, including televisions, baby monitors, pacemakers, and cars.
IoT vulnerabilities transcend the consumer market, however, and the enterprise should be concerned. Industrial control systems increasingly deploy IoT technology. Many companies are already operating from energy-efficient smart buildings managed by city-wide smart grids and furbished with smart thermostats, smart lighting systems, smart emergency alarms, and smart whatever-else-you-can-think-of.
Less than a year ago, hackers, doing what they do best, hacked into the climate control system of a New Jersey-based company. If you think that the worst that can happen from such an exploit is a miscreant making your employees uncomfortably hot or cold, think again. In addition to an office floor plan, the hack offered access to a myriad of other sensitive data, including employee names and user names, as well as hashed passwords (which are becoming easier and easier to crack).
Breaches and backdoors like these are nothing new, though many only recently gained significant media attention in the wake of the Stuxnet worm and revelations involving NSA spying practices. In many cases, systems operators have no idea that these devices are even online, let alone that they are wildly insecure.
What's more, with BYOD policies on the rise, the enterprise will increasingly see "BYOIoT" as employees bring and use other interconnected (and vulnerable) devices that IT departments never dreamed they'd have to worry about. In the meantime, both consumer and enterprise IoT devices have already been hijacked to form a "Botnet of Things" more than 420,000-strong (and that's just a "white hat" one that we actually know about).
IoT security flaws are especially problematic because neither smart device makers nor government officials seem to have the same security culture as the tech community when it comes to vulnerability reporting and acknowledgement. Instead, they frequently downplay or even downright fail to respond to security reports regarding critical flaws.
What you can do to secure your network from hacked "smart" devices
Until smart device makers smarten up about security, the onus of guarding against IoT intrusions lies with network managers. The first step is to build and define the IT department's knowledge base of its systems and devices. Use careful auditing procedures to determine what is connected – or can connect – to the organization's network. Security experts urge administrators to identify, track, and monitor everything.
"Build zones and track their interactions," advises Vann Abernethy, senior product manager at NSFOCUS, a web security firm. "[U]nderstand how each system works, how they interrelate and look at all possible vectors." In turn, this will allow IT managers to help prevent intrusions, making it easier to properly authenticate who and what should be connected to the network – and who and what should not be.
Modular, isolationist measures are also essential. Air gaps in particular should be employed with devices that have no good business reason for connecting to the main network. Additionally, administrators should take special precautions with air gaps to bar malware from "jumping" the air gap.
Finally, as Kevin O'Brien, an enterprise solution architect at CloudLock, recommends: "[S]ubject your code and hardware to third-party penetration testing[.]" Don't place too much trust in your embedded systems, and don't leave anything to fate.
After all, the world may be ready for IoT, but IoT may not yet be ready for the world.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.