I have been the IoT Research Lead at Rapid7 for nearly two years. During those two years, we’ve seen the industry struggle to define IoT. Many organizations are still thinking of IoT as simple consumer toys that do not impact them, but that is not the case. Early on I abandoned trying to create a definition for IoT; instead I circled my wagons around explaining IoT from a security perspective and describing how to better examine and address the security of an IoT product’s ecosystem, no matter what we determined “IoT” to be. The main focus of this concept is that the security of any part of an IoT ecosystem can, and will, affect the security of all other parts of that ecosystem. This requires all security testing and examination to be holistic in nature, addressing every component of the IoT product’s ecosystem.
By using this model when describing our approach to securing and testing an IoT ecosystem, everyone gains a better understanding of the potential risk and impact of poor security within an IoT ecosystem. So what is the problem? The problem is that when I use the acronym “IoT,” very few people understand what technologies fall into that category. So even though I can discuss an effective security-testing model, we still don’t develop a shared understanding of what is included in the definition of IoT.
For example, I recently participated in a webcast at the IT GRC Forum where we asked attendees the following question: “Does your organization currently have IoT technology on your network? (Yes/No)” 52% of attendees responded Yes, and 48% responded No. Now I do not know these organizations, but I expect that answer is very wrong—personally I think that the responses should be closer to 100% Yes. Why do I say 100%? Let us first break down the basic premise of IoT.
First, to be IoT, a device must at least contain embedded technology. Second, we often expect the device to have internet capability—whether the device is used in that capacity or not doesn’t matter. If it can get to the internet, there’s a good chance it will send, or has the ability to send, data and, most often, has access to cloud services and APIs. Third, I also expect some form of external command and control capability. This command and control can be via a mobile application (which is common in consumer solutions, but is not required). The external command and control can be anything from an industrial human-machine interface (HMI) to something as simple as an application or interface driver installed on a Windows host. Based on this, we start realizing IoT is not always some consumer toy, but includes a number of technologies that we utilize every day within our business environments.
So at this point I have grown to hate the term IoT because it affects our ability to have a serious conversation around security and risk within a business environment. When I use the acronym IoT, instantly many organizations’ IT managers, leaders and even security professionals say, “We don’t have that, and we don’t allow it on our networks. So it’s not a risk to us.” Let me see if I can persuade you differently by listing devices on your networks that fall under the IoT description.
Do you have Multifunction Printers (MFPs) on your network? Most likely you do. These devices are embedded, and they have the ability to communicate with the internet for many reasons: maintenance, firmware upgrades, supply inventory, remote cloud printing services. Most of your desktops and laptops can control them via print job start, stop, and completion. You may also have software on servers to manage them, and they share and transfer data. Pardon me, but that sounds just like IoT. I know a number of you are saying “It is not a risk to us,” but I assure you it is a serious risk. Currently MFPs can be one of the most targeted devices on corporate networks. Our pen testing services team here at Rapid7 leverages MFPs all the time to gain access to Windows Active Directory credentials, to exfiltrate data off corporate networks, and to pivot and hide their attacks from monitoring teams and services. Here is a detailed description of how an MFP can be turned into an Advanced Persistent Threat.
Besides printers, the average business has a number of devices that fall into the IoT category, including:
- Smart TVs (often found used in conference rooms and public areas)
- Teleconferencing systems
- Telephony devices and infrastructure
- Security cameras and associated DVRs
- Lighting controls
- HVAC systems
- Power usage monitoring solutions
- Security access management systems
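To make the three-part test from earlier in this post usable against a real asset list, here is an added Python example (not from the post or from Rapid7) that applies it to a constructed inventory covering the device classes listed above; the asset attribute names, sample device names and review wording are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    """One row of a constructed inventory (sample values, not a real network)."""
    name: str
    runs_firmware: bool            # embedded technology rather than a general-purpose OS build
    can_reach_internet: bool       # capability counts even if the device is not using it today
    control_paths: List[str] = field(default_factory=list)   # e.g. "mobile app", "HMI", "Windows driver"
    outbound_destinations: List[str] = field(default_factory=list)  # destinations seen in flow/proxy logs


def classify(asset: Asset) -> Dict[str, object]:
    """Apply the post's three-part test: embedded + internet capable + externally controlled."""
    criteria = {
        "embedded": asset.runs_firmware,
        "internet_capable": asset.can_reach_internet,
        "external_control": bool(asset.control_paths),
    }
    is_iot = all(criteria.values())
    review = []  # defender follow-ups for anything that meets the definition
    if is_iot:
        if asset.outbound_destinations:
            review.append("outbound traffic observed: confirm what is sent and to which cloud services")
        else:
            review.append("no egress seen yet: decide whether this device should ever reach the internet")
        review.append("assign an owner and a firmware/patch process under the IoT policy")
    return {"name": asset.name, "is_iot": is_iot, "criteria": criteria, "review": review}


def iot_inventory(assets: List[Asset]) -> List[str]:
    """Names of assets that meet all three criteria, in inventory order."""
    return [a.name for a in assets if classify(a)["is_iot"]]


# Constructed sample inventory; names and attributes are made up for illustration.
SAMPLE_ASSETS = [
    Asset("mfp-2f-east", True, True, ["Windows print driver", "server management software"],
          ["firmware update service", "supply monitoring portal"]),
    Asset("conf-room-tv", True, True, ["mobile app"], ["app store"]),
    Asset("hvac-controller", True, True, ["HMI"], []),
    Asset("finance-laptop-07", False, True, ["remote management agent"], ["saas"]),  # general-purpose host
    Asset("legacy-badge-reader", True, False, ["access management server"], []),     # no internet path
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        result = classify(asset)
        print(f"{result['name']:<22} IoT={str(result['is_iot']):<5} {'; '.join(result['review'])}")
```

The laptop fails the embedded test and the offline badge reader fails the internet-capability test, so only the printer, TV and HVAC controller are flagged for the policy work the post calls for.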
Maybe the solution is for us to stop using the acronym “IoT” and to start referring to this technology using one of the following terms:
- Internet Aware Embedded Technology
- Internet Embedded Devices
Or maybe we should start redefining the term “Things” in IoT. Either way, these new and emerging technologies do pose a potential risk to our businesses, and we need to start having a conversation now about how we should address them. We should start developing policy and processes for how we as businesses will manage and secure these new technologies—whether you believe you have them or not. If you as an organization decide to never allow IoT on your network, you should address that with policies from the top down. If you do not have a plan, all the hoping and wishing will not prevent IoT from finding its way onto your network. Like I said, I think it’s already there and businesses just don’t realize it.
On the other hand, I also think we should be embracing IoT and exploring how we can leverage it to transform and improve our business models. It’s entirely possible your competitors are already thinking about these questions:
- How do we grow using new Internet Aware Embedded technologies?
- How do we secure them?
- How do we manage potential employees bringing them into the workplace?
So, in conclusion, I hope at a minimum I have made you think—and that your next step will be to start taking action to better leverage and secure these new technologies. They are here to stay.
You can learn more about Rapid7's IoT security testing services here.