Verizon Report Foreshadows Breaches Originating With IoT Devices, Part 3

This post was written with the invaluable assistance of Steve Watson of Intel.

On April 14, Verizon released its 2015 Data Breach Investigations Report (DBIR). Also that day, McAfee Labs posted a blog expanding on the DBIR’s Appendix D discussion of the security of the Internet of Things, exploring the market conditions that have led to security weaknesses in IoT devices. On April 20, we posted another blog highlighting the many IoT device attack surfaces.

Today, we predict the types of breaches originating from IoT devices we expect to see in the intermediate term. Later this week, we will outline things businesses can do to prepare for the onslaught of IoT devices in their trusted networks.


What types of breaches in IoT devices can we expect in the intermediate term?

Breaches to industrial control systems

Because of their added flexibility, and ease of development and cost, many IoT device developers see an opportunity to replace aging SCADA infrastructures. Yet with the current security weaknesses that exist in many IoT devices, it’s likely that we will replace problems endemic to SCADA systems with another set of problems. By replacing control and automation capabilities with new, Internet-connected IoT devices, we may increase the risk by configuring devices on the public Internet.

Breaches to critical infrastructure systems

In November 2014, reports surfaced of 73,000 unsecured security cameras connected directly to the public Internet. The default passwords allowed unrestricted access to live video feeds in homes, warehouses, malls, and parking lots. Reports included examples of government sites with these same unsecured security cameras.

In May 2014, the U.S. Department of Homeland Security confirmed the first U.S. Public Utility Control Systems were hacked. In one instance, a weak password on an Internet-connected host allowed access to the network. In another example, a cellular modem was used to connect directly into the control system server of a utility. The first attack matches the webcam example we just mentioned while the second example matches active research (more on that in a moment) against vehicle control systems. The same lack of security is repeated on numerous end-node types.

Attacks on wearable devices lead to personal information breaches

Many consumer wearables use Bluetooth Low Energy (BLE) to communicate with their connected devices. These wearables continually broadcast their unique BLE identifiers even when they are not within range of connected devices. Although users may be judicious and lock down the information their phones communicate about them, a BLE-enabled wearable can easily be used to track an individual’s location. Most of these devices offer no way to disable this functionality nor prevent the reading of the unique identifier from the device.

We expect increased privacy-related research and exploits related to the identification of users based on the wearable and medical IoT devices that accompany individuals as they move about.

Breaches to vehicle systems

In January, multiple media outlets reported the widespread theft of luxury SUVs in London. The thefts were accomplished by replicating the RF wireless token from key fobs to unlock and start the vehicles without a key or damage to the vehicle.

A German researcher released information in February about security vulnerabilities related to a European auto manufacturer’s connected car capabilities. By simulating a GSM network near the car, the researcher was able to remotely unlock and lock the vehicles with an OEM connected car capability—even without a subscription to the cars’ remote services. Current security research has also demonstrated the ability to affect core vehicle functionality such as brakes, acceleration, and engine power.

In both of these examples, the breaches did not come through a traditional Ethernet or WiFi connection but instead through an RF network in the first case and an emulated GSM network in the second case.

IoT device breaches that extend into the network

In the near future, we expect to see examples of the next stage of compromise, which reaches beyond the IoT devices to other devices on the network. From reduced-footprint Linux and Android operating systems, minimized to ensure they fit on small IoT devices, to new IoT operating systems including mbed OS, Riot, Contiki, and Tizen, hackers will look to establish a beachhead onto networks through IoT end nodes.

New tools to detect and exploit weaknesses in IoT device security

Search engines such as Shodan can quickly identify insecure and misconfigured Internet-connected devices. In one example, 250,000 routers in Spain and other countries using duplication SSH keys (February) were discovered using this search engine. We expect tools that can identify insecure embedded, IoT, and Internet-connected devices to soon be available in the dark market.

Stay tuned for guidance around things businesses can do to prepare for the onslaught of IoT devices in their trusted networks. Meanwhile, you can learn more about Intel’s approach to IoT devices and their security.

The post Verizon Report Foreshadows Breaches Originating With IoT Devices, Part 3 appeared first on McAfee.