Alert: Tracking exposed OT/ICS: 2017 – 2024

Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

How to Identify and Mitigate Risks from IoT Devices in Our Increasingly Connected World

Erin Anderson, Solutions Marketing Manager, OT & Industrial Technologies | October 23, 2019

Our Connected World

With the rise of automation, remote access, and the ever-expanding Internet of Things (IoT), IT and OT teams are collaborating at an unprecedented rate to strengthen organizational network security. Business operations that rely on machinery and physical processes are no longer disconnected from the world, nor from the enterprise network. Statista estimates that by 2025, more than 75 billion will be connected to enterprise networks and the internet. The sheer volume of these devices has the cybersecurity of these IoT devices top of mind for many business executives.

As we’ve discussed in previous posts, these IoT devices are consumer-grade technologies that are:

  • Mostly unmanaged.
  • Come from a multitude of vendors.
  • Use non-standard operating systems.
  • Support a diversity of, often insecure, protocols.
  • May dynamically connect to other devices inside or outside the organization’s network.

On top of all this, bad security practices like default or simple credentials, unencrypted traffic and lack of network segmentation remain common. Our research team recently tested commonly targeted IoT devices and specific points of entry that could be exploited by attackers. Below are the systems that they studied, their potential exploits, and how organizations can identify and mitigate risk for each.

Video Surveillance Systems (VSS)

IP cameras are highly exposed to external threats. This exposure is both physical, since many cameras are placed in external locations that make it easier for an attacker to tamper with them, and logical, since modern cameras and recording equipment support remote access for improved management and access to cloud services. Out of the box these cameras come with weak protocols like Telnet, FTP or SSDP enabled by default and often use the unencrypted real-time transport (RTP) and real-time streaming protocol (RTSP) to stream video. They’re also usually installed and configured by personnel with little to no knowledge of cybersecurity best practices.

In their lab, our team successfully carried out a footage replay attack using the RTP protocol. A summary of the attack is below.

A network monitoring tool would have detected this attack by notifying the operators in real time that steps 1, 3 and 4 were occurring. Having this information would allow the security team to quickly quarantine the device to reduce the risk of further exploits, while also providing data to understand where the attack came from and how they can avoid another in the future.

Smart Lighting

Designed to automatically control lights in a room or building based on factors like room occupancy and available daylight, smart lighting can reduce energy usage, potentially improve physical security and deter criminals, lengthen the lifespan of bulbs, optimize building space and improve working conditions. But, as these systems are integrated into organizations’ networks, they become low-hanging fruit for malicious actors to infiltrate these networks.

In their lab, our team successfully carried out a denial of service by switching off the lights, as well as a platform reconfiguration, by leveraging the insecure HTTP protocol to manipulate Philips Hue smart lights. A summary of the attack is below.

A network monitoring tool would have notified operators in real time that steps 2, 3 and 4 were occurring, which would allow a security team to quarantine or shut down this device to prevent spread throughout the network. It would also allow them to turn on any backup generators to ensure that their employees, patients or customers would not be left in the dark.

The MQTT Protocol in IoT Systems

Many buildings have their own IoT systems, that are connected to a wide array of devices, ranging from enterprise solutions like VoIP phones and teleconference systems to personal devices, or BYOD, like wearables and smartphones. These centralized IoT systems gather a lot of information, making it a desirable target for hackers. A commonly used protocol in these systems is the MQTT protocol, a lightweight, unencrypted M2M connectivity protocol.

To infiltrate an IoT system in their lab, our researchers leveraged this insecure protocol to successfully launch information gathering and denial of service attacks. They were able to gather information about the IoT network, such as available assets and their location, configuration information and even sensitive information like credentials by either passively sniffing traffic or subscribing to interesting topics and receiving published messages. During the denial of service attack, they flooded the broker with connection attempts and heavy payloads, while also requiring a higher quality-of-service level in the protocol. A network monitoring solution built specifically for IoT would have detected both of these attacks in real time.

Mitigating Risks from IoT Devices

Having full visibility into your entire enterprise network is crucial to be able to identify vulnerable network segments, ensure business continuity and improve incident response strategies. To learn more about how network monitoring can help identify and mitigate vulnerabilities in IoT devices, check out our eBook.

Demo Request Forescout Platform Top of Page