7 Internet Of Things Devices With Security Risks That Solution Providers Can't Ignore
The Internet of (Insecure) Things
ForeScout on Tuesday released its IoT enterprise risk report, which outlined the terrifying reality of how common devices pose an inherent risk to enterprises.
The company's research into seven common enterprise IoT devices revealed that their core technologies, fundamental development methods and rapid production make implementing proper security within the software, firmware and hardware an "often-neglected task."
"IoT is here to stay, but the proliferation and ubiquity of these devices in the enterprise is creating a much larger attack surface -- one which offers easily accessible entry points for hackers," said Michael DeCesare, president and CEO, ForeScout Technologies, Inc, in the report. The ForeScout report is timely: A massive distributed denial of service attack on Friday, which blocked access to a number of popular web sites including Twitter and Netflix, is believed to have utilized unsecured IoT devices.
To address these risks, solution providers need to work with enterprises to provide "full visibility" and control over devices as soon as they connect to the corporate network.
Following are seven IoT devices that can be hacked in as little as three minutes, according to ForeScout.
IP Connected Security Systems
ForeScout ranked IP-connected security systems as a potentially "disastrous" security risk, meaning they could cause irreversible damage, invade user privacy, or enable hackers to gain access to private corporate information.
According to ForeScout, many connected security systems communicate using proprietary radio frequency technology that lacks authentication and encryption. Most systems also use radio signals that are easy to detect and fail to employ frequency hopping techniques, leaving them open to jamming and spoofing that could enable criminals to turn off motion sensors or remotely open locks. Attackers can also form radio signals to send false triggers and access system controls, according to ForeScout.
IP Connected Infrastructure
Another category of IoT device that can potentially result in disaster if hacked is IP-connected infrastructure, which includes climate control and energy meters, as well as HVAC systems, according to ForeScout.
HVAC systems typically are on the same network that internal systems are connected to, said ForeScout. Therefore, hackers can easily access them to intercept data and carry out additional attacks.
If an HVAC system is hacked, for instance, attackers can force critical rooms, like server rooms, to overheat and cause physical damage. Smart energy meters could also enable attackers to alter reported energy levels of companies, which could lead to fraudulent accounting and metering.
Smart Video Conferencing Systems
Smart video conference systems are vulnerable to exploits that enable remote attackers to control any apps on the system, take over communication apps, or record audio and video, according to ForeScout's report.
ForeScout ranks these system risks as disruptive, meaning that if attacked they can disrupt corporate and operational processes. Many systems use a common operating system, which has significant overflow vulnerabilities – and devices like smart TVs connected to a local network over IP could allow hackers to gain full network access.
Connected Printers
Another device that is open to a potentially disruptive security risk is the connected printer. Most printers are networked over IP, which makes them accessible to computers on the network but also gives hackers a way to infiltrate the enterprise.
ForeScout said that if printers are on a public network or attackers are on the same Wi-Fi network, they can send a crafted Simple Network Management Protocol (SNMP) packet to obtain the business's administrative password and gain full control of the printer.
VoIP Phones
VoIP phones are another connected device that poses a potentially disruptive risk to enterprises, said ForeScout. For instance, many VoIP phones use complex routing that exposes the phones to remote snooping. Hackers can exploit configuration settings to evade authentication, and then update the phone, enabling them to listen in on phone conversations and make phone calls. Attackers only need to know the IP address of the phone to be able to access it, according to ForeScout.
Smart Fridges
ForeScout said another connected device that can easily be hacked is the smart fridge. Wi-Fi enabled refrigerators with LCD screens can enable hackers to access widely used operational apps, like scheduling applications or notification systems, and the credentials stored within.
Due to "lax certificate checking," ForeScout said that hackers on the same network as smart refrigerators could conduct a "man in the middle" attack to intercept communication and modify traffic between clients and servers.
Attackers can do this by injecting spoofed Address Resolution Protocol (ARP) requests or Domain Name System (DNS) responses; neither protocol provides a method of authentication or encryption.
Smart Lightbulbs
Smart lightbulbs that operate on Wi-Fi and proprietary mesh networks can be sniffed by attackers, according to ForeScout. To sniff the network, attackers only need to be within Wi-Fi range of the smart bulb; they need no prior access to the network.
Hackers can then extract password-protected Wi-Fi credentials without being on the network. This enables them to gain access to other systems and devices in the enterprise – from laptops to smartphones and even network-connected manufacturing systems, according to ForeScout.