IoT devices are now in the hands of the hacker, who has the opportunity to reverse engineer them at leisure. From a smart lightbulb to a smart kettle, the technology is easy to come by and generally features a low level of security because of the price point of these peripherals. Even sanctioned enterprise-grade IoT deployments can be susceptible, allowing supposedly isolated devices to be accessed and used to compromise internal networks. For example, during a recent investigation into Building Management Systems (BMS) we found thousands of corporate HVAC controllers on the public internet. The problem wasn’t down to the security of the kit but rather the way these controllers had been installed by electricians and HVAC engineers with very little security knowledge. As a result, some controllers were completely unprotected, with their authentication bypassed, and could easily be identified and located using the Shodan website. Some had already been hacked.
Aside from poor installation, attacks can be performed against the IoT device itself by physically extracting key internal components such as the chipsets or SIM cards. These devices often have deep, and often privileged, access to the network, and some components will automatically regard any form of access as trusted. Attempting to connect to them and forcing them to communicate with techniques such as running voltage through the chip can often reveal a treasure trove of information, including passwords, the servers the device is talking to, and how that information is relayed. IoT chips, for example, will often store secret keys in memory that are almost always unencrypted. Even if one can’t dump the firmware, readout is often possible directly from RAM. Simply pull the keys from memory and you can compromise the network. Once one device has been hacked, it becomes easy to compromise other linked devices before stepping onto the network proper.
There are steps the enterprise can take to reduce these risks. First of all, devices need to be configured and installed securely, and device passwords need to be long, complex and stored securely. The services your IoT device is controlling need to be segregated, and you should ensure that each device is also segregated to prevent chains of devices being taken over. From a management perspective, don’t rely on those overseeing the IoT implementation to verify its security, and do test the deployment to identify any weaknesses. Assign responsibility for overseeing IoT security to specific individuals. Remember that BYOD policies need to include IoT devices, and seek to educate users on the risks of installing that new smart kettle, plant feeder, etc. in the office environment. In the event that an IoT device becomes compromised, the problem becomes one of limiting its ability to impact other systems, at which point only segregation will save you.
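One way to test the segregation described above is to compute, for each device, which other devices its compromise would expose under the flows the firewall permits. The following is an added example, not part of the original article; the device names, zone names and flow rules are constructed, and it assumes traffic is allowed only when the zone pair is listed, including traffic within a zone.

```python
from collections import deque

# Constructed inventory (hypothetical names): device -> network zone.
DEVICES = {
    "smart-kettle": "iot-office",
    "plant-feeder": "iot-office",
    "hvac-ctrl-1": "bms",
    "hvac-ctrl-2": "bms",
    "file-server": "corp",
}

# Constructed policy as (source zone, destination zone) pairs.
# Weak: a flat IoT zone plus a leftover rule from installation.
WEAK_FLOWS = {
    ("iot-office", "iot-office"),  # devices in the zone can reach each other
    ("iot-office", "bms"),         # office gadgets can reach HVAC controllers
    ("bms", "corp"),               # controllers report to an internal server
}

# Corrected: each device isolated, only the required reporting flow kept.
HARDENED_FLOWS = {("bms", "corp")}


def blast_radius(start, devices, flows):
    """Return every device reachable, hop by hop, from a compromised start."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for other, zone in devices.items():
            if other not in seen and (devices[current], zone) in flows:
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def audit(devices, flows):
    """Map each device to the sorted devices its compromise would expose."""
    return {name: sorted(blast_radius(name, devices, flows)) for name in devices}


if __name__ == "__main__":
    for label, flows in (("weak", WEAK_FLOWS), ("hardened", HARDENED_FLOWS)):
        print(f"--- {label} policy ---")
        for name, exposed in audit(DEVICES, flows).items():
            print(f"{name}: {', '.join(exposed) or 'contained'}")
```

Under the weak policy the kettle reaches the file server through the HVAC controllers even though no rule connects the two zones directly; that chain is what per-device segregation removes.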
This session will use a real hacking demonstration and recent research to illustrate the speaker’s points. It will aim to educate and inform the audience on the current types of vulnerability commonly found in the field. It will also look to arm the audience with some strategies on how to mitigate these risks.