IoT DANGERS: BYOD’s trashier cousin becoming a right tearaway

Bring Your Own Device is problematic enough, but now staff are increasingly bringing inherently insecure, internet-connected smart devices into work, making a mockery of established security policies in the process.

Staff and bosses bringing their own smartphones and laptops into enterprises can be managed using mobile device management technology, encryption and segmentation of devices.

But few have thought through the implications of bringing smart TVs into the same environment.

IoT devices are penetrating some of the world’s most regulated industries, including healthcare, energy, government and financial services. These devices introduce new avenues to attack enterprise networks, a new study by OpenDNS warns.

The internet infrastructure used to enable IoT devices is beyond both the user and IT department’s control. IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched against vulnerabilities, including Heartbleed and others.

Consumer devices such as Dropcam internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage systems, various connected medical devices, and Samsung Smart TVs continuously poll servers in the US, Asia and Europe, even when not in use.

Top of the risk list are Western Digital cloud-enabled hard drives and Smart TVs, which could lend themselves to remote hacking and might even be used to record snippets of audio. These devices connect to the internet looking for updates.

“IT is treating these devices like gadgets and toys and not applying the same rigour they would apply to routers, switches and firewalls,” Andrew Hay, head of research at OpenDNS told El Reg.

OpenDNS’s study is based on real-world but anonymised data from customers. The firm is talking to vendors of IoT kit as part of its on ongoing research into the subject. “The security of these devices is based on nobody knowing the URLs they contact – it’s security through obscurity,” Hay added.

Consumer-grade IoT devices are often developed with little or no thought for security. The insecurity of theses devices – along with threat intelligence – were both key themes of Infosecurity Europe 2015.

Dwayne Melancon, CTO of Tripwire, backed up OpenDNS’s findings by saying that smart TVs, video cams, network projectors are frequently insecure and can be a way into corporate networks. “It’s mostly security researchers looking into this for now, but there’s a clear potential to develop automated exploits here. If you know what you’re doing you can get anywhere.”

Ken Munro, a director at security consultancy Pen Test Partners, added: “Every time we look at IoT we see security flaws from 2001.”

Pen Test Partners are running a demo of IoT hacking on their stand at Infosec. Part of the presentation involves a hack against an internet-connected kettle. A net connected kettle can be switched on to boil water through an app on a smartphone, offering novelty appeal and little real utility.

Munro showed how it was possible to trick the kettle in the demo to contact a rogue wireless access point. It was then possible to log into the device by Telnet using a default password, “000000”, at which point a hacker would be able to recover the Wi-Fi key of a corporate network in plain text.

Convenience and wow factor are driving the consumer market for IoT gizmos. In this rush, little thought has been put into security, which is a problem because it’s always more expensive to bolt security on after the fact than build it in during the design process. ®