Weaponising IoT and 5G
Weaponising IoT and 5G
We previously made 4 previous predictions on growing threats for 2020.
based on trends and threats the Bridewell team saw in late 2019. This blog gives a little more detail on one of these specific threats; the weaponisation of IoT and 5G technologies.
Increasingly, always-on connectivity is an expectation for users and where possible, they like this to be over a wireless connection. As a result, remote connectivity is much more common, which means it’s easier for cyber criminals to launch an attack because they don’t need to be close to your device. They can be anywhere on the internet.
So how do hackers target you? In simplistic terms, it’s about finding vulnerabilities.
Understanding the risk
One of the main vulnerabilities is running older operating systems (OSes). Such systems are generally out of support and typically have known vulnerabilities, which can easily be utilised by attackers to compromise systems running them. Just think about Windows 7 —while Microsoft is no longer supporting it, how many people are still using it?
When it comes to IoT, there are a few reasons why insecure OSes are especially prevalent:
1. Hardware refresh cycles
Businesses generally refresh their IT hardware every three years. IoT technologies (such as smart locks, IP-enabled cameras, environmental temperate sensors) however, are instead psychologically lumped with ‘facilities hardware’, which for historical reasons, has a far longer refresh time. There is a general expectation to buy once and then leave it in situ until there is a significant building refurbishment, the device breaks, or the organisation moves office. Similarly, facilities are often notionally the “asset owners” of these devices, but may not understand the importance of, or even be tasked with patching, or inspecting them for signs of tampering, etc. While these sort of devices provide the kind of functionality previously provided by traditional facilities hardware, they are in practice much closer to computers and if they are to be used safely, need support that is more akin to that of IT service management, rather than facilities management.
2. Computing power
Most IoT devices have little ‘compute’ power by today’s standards. Regardless of whether this is for legitimate reasons, such as being powered by solar cells,or simply cost-cutting, this means that there is typically less power available. This makes older OSes that have less demanding processor requirements more performant, or in some cases, the only OS that will run on the device, even when the device is brand new.
3. The cost of security
Security measures often come with an inherent overhead; logging device events increases network bandwidth and use of encryption demands more processing power. Most current, low-cost IoT devices are fundamentally ill-equipped to meet these requirements.
The risk this poses is not just constrained to the IoT/5G-enabled devices themselves: many organisations still fail to adequately segregate insecure IoT and 5G-enabled devices from the rest of their network. Even organisations with good maturity ‘zoning’ of their networks to protect their servers, frequently do not provide a separate ‘IoT Network’. This means that attackers often see IoT devices as the soft underbelly of an otherwise hard target, as these devices are often both geographically in less secure sites than servers and are usually running a more vulnerable operating system. Once compromised, the IoT devices’ connectivity can be used as a stepping stone to attack higher value targets.
Understanding attackers motives
The ubiquity of IoT and 5G technologies also provides attackers with other opportunities:
Subversion – It’s worth remembering that the IoT devices themselves are not just points on a network that might provide access to an attacker. They exist for a reason and provide functionality that can itself have value to an attacker. Aside from the more obvious use cases, such as opening doors locked with smart locks, consider the potential for disruption by a prankster turning an IP-connected sprinkler system on, while live-streaming footage of the resultant chaos from your own IoT CCTV system!
Locally – IoT devices can provide a sort of smokescreen to mask attacks. As an analogy with more commonly understood technology; when commercial wi-fi technology was new, it was not uncommon to have only a single SSID (wireless access point identity) in a building. Administrators knew their SSID, knew where it was in the building and knew where there ought to be no signal. Any change to this, such as a one springing up, would be typically noticed, even without formal monitoring. Nowadays, many mobile phones broadcast their own SSIDs for tethering and the rate of change of access points makes any analysis of this outdated in minutes. So too can we expect the growing reliance on 5G to mean similar greater volumes of (mostly legitimate) ‘noise’ that will make it harder to detect the quiet tiptoeing of anyone using 5G connectivity for nefarious purposes.
Globally – Aside from acting as springboards to host an organisation’s other assets, large numbers of internet-enabled devices, running outdated, low-security operating systems have their own value. Attackers who wish to take internet-enabled services down use a technique known as DDoS (Distributed Denial of Service). This requires large numbers of devices, sometimes hundreds of thousands, making up a ‘botnet’. The more devices, the more effective this botnet is in creating traffic and causing disruption. Compromising such large numbers of devices manually is out of the question. What is required is a large number of identical devices, connected to the internet, with low security, which can be compromised with wholly-automated attacks on a massive scale. In this regard, IoT is the perfect target.
To help mitigate this growing threat, simple yet effective policies include:
Require business justification (and formal risk acceptance from stakeholders) as to why specifically this connectivity is required. There are undeniably genuine reasons and use cases where the associated risk is warranted and necessary. Conversely, there are many cases where this risk is taken unwittingly, or where people are dazzled by ‘new and shiny’ toys that are not really required.
Create a separate network for these classes of device and segment them away from higher value targets. While it’s a bad thing to have your door control system compromised, it’s ‘less bad’ than having your door control system and your HR system and your finance system compromised.
Build or buy-in IoT security capability within your organisation. Many ‘traditional’ IT engineers, while comfortable with securing more traditional IT, lack experience and understanding of how to manage the risks associated with these technologies.