The Internet of Things (IoT) is not a glimpse into a hi-tech future. The reality is it’s already here, changing the way we live and work forever. Gartner predicts that over 14 billion connected “things” will be in use this year, rising to 25 billion in two years’ time. Many of these are installed around the smart home and in corporate buildings. But when devices are integrated with each other via automation platforms, problems emerge.
What we have dubbed “complex IoT environments” (CIEs) offer new opportunities for hackers to launch physical and digital attacks. That’s bad news for IT professionals as it means a further expansion of the corporate attack surface.
A smarter age
The IoT offers new possibilities only dreamt of a decade ago. The smart home and office provide a whole new level of convenience, entertainment, safety and productivity. Everything from kitchen appliances to door and window locks, security cameras to speakers are being reinvented for the IoT era. But as useful as these are in isolation, the real value of such gadgets comes when integrated to interact with each other in user-friendly smart applications. This is where IoT automation platforms come in.
Automation servers like FHEM and Home Assistant allow devices to be integrated and controllable from a single, user-friendly UI. They log things like ambient temperature and power consumption and enable automated control of lights, heating and more. Consider a scenario in which you ask a digital assistant to check if all doors and windows in the building are locked. This is made possible via an automation platform.
However, the more devices and actions are added to these CIEs, the more error-prone they become, making management and debugging difficult. This becomes a major problem when combined with the fact that many automation servers are not properly secured or configured.
Many open-source IoT automation servers like FHEM don’t have security features like password protection switched on by default, nor do they prompt the users to enable security features. This leaves them completely exposed to remote hackers via a simple Shodan search.
Attackers could therefore theoretically compromise the automation server to reprogram automation rules, steal hardcoded sensitive data, add new devices, infect devices with malware, harvest devices for botnets, and much more. Let’s look at these threats in more detail.
Attackers could fool presence-detecting smart locks, for example, by adding a phantom device to the trusted devices list and setting it as always “present” inside the building, thus keeping them unlocked. This could be combined with a surveillance attack in which the hacker configures the automation system to send messages to a supported messaging platform about activity in the building. This could include motion sensing alerts from connected cameras around the building, providing useful intel on when the best time to break in is.
In another scenario, a compromised automation server could be used to play the cloned voice of the occupant via a smart speaker, bypassing voice recognition checks to perform a range of functions including turning off the building alarm and opening the locks. Exposed automation servers could also provide an attacker with valuable hardcoded personally identifiable information (PII), device username/password, and device API keys. These could be used to provide situational awareness of the building, and hack into the wireless router to monitor data traffic flowing in and out.
Perhaps the most severe attack comes in the form of a “logic bug” which takes advantage of the fact that once automated rules are set in place, they can go unnoticed indefinitely. Thus, a rule could be created whereby the alarm won’t sound and lights don’t go on in the event of a break in — all without the knowledge of the owner.
What to do next
It goes without saying that such threats can expose both the smart home and corporate buildings to the threat of physical attacks/robberies, and information-stealing raids. Home workers may also be targeted in stepping stone attacks designed to infiltrate corporate networks or steal sensitive info brought home from the office.
IT security professionals should therefore look to extend basic cyber hygiene best practices to the smart building environment, ensuring these are largely transparent to the end user. This could include switching on password protection for all devices, replacing default passwords with strong, unique credentials, and changing other insecure default settings, such as disabling Telnet on webcams. Device firmware should be kept updated where possible, although this can introduce business continuity challenges. Due diligence must therefore be completed on new vendors to ensure IoT products and systems are as secure as possible out of the box and can be relatively easily maintained.
Other best practice steps could include enabling encryption for storage and communications, WPA2 for Wi-Fi routers, disabling UPnP and allowing only a hardcoded list of device MAC addresses to access the network. IT teams should also conduct regular backups of the configuration and automation rule files of IoT automation servers. Network segmentation can help to protect sensitive data assets, while monitoring and self-assessment tools can be used to understand security baselines, potential vulnerabilities, risks and mitigation measures.
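A backup of the automation rule file is only useful if someone compares it against what the server is running, which is how the silent "logic bug" rules described earlier (an alarm action quietly removed, a phantom presence device keeping a lock open) get caught. The following is an added example, not code from the article or from any automation project: it fingerprints each rule, diffs the live rule set against the backed-up baseline, and flags changes that touch alarm, lock, presence or camera entities. The rule format and all entity names are simplified, constructed, Home Assistant-style placeholders.

```python
import hashlib
import json

# Constructed baseline: the backed-up rule set (assumed format: one dict per
# rule with an id, a trigger and a list of actions). Not a real config file.
BASELINE = [
    {"id": "night_alarm",
     "trigger": {"platform": "state", "entity_id": "binary_sensor.motion_hall", "to": "on"},
     "action": [{"service": "alarm_control_panel.alarm_trigger", "entity_id": "alarm_control_panel.house"},
                {"service": "light.turn_on", "entity_id": "light.hall"}]},
    {"id": "arrive_home",
     "trigger": {"platform": "state", "entity_id": "device_tracker.owner_phone", "to": "home"},
     "action": [{"service": "lock.unlock", "entity_id": "lock.front_door"}]},
]

# Constructed tampered set: the alarm action has been stripped from night_alarm
# (lights still come on, so nothing looks broken) and a new rule unlocks the
# door whenever a phantom tracker reports "home".
TAMPERED = [
    {"id": "night_alarm",
     "trigger": {"platform": "state", "entity_id": "binary_sensor.motion_hall", "to": "on"},
     "action": [{"service": "light.turn_on", "entity_id": "light.hall"}]},
    BASELINE[1],
    {"id": "keep_unlocked",
     "trigger": {"platform": "state", "entity_id": "device_tracker.phantom_tablet", "to": "home"},
     "action": [{"service": "lock.unlock", "entity_id": "lock.front_door"}]},
]

# Entity domains whose rules matter most for physical security.
SENSITIVE_DOMAINS = ("alarm_control_panel", "lock", "device_tracker", "camera")


def fingerprint(rule):
    """Stable hash of a rule, independent of key order, so edits are detected."""
    canon = json.dumps(rule, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def touches_sensitive(rule):
    """True if the rule triggers on, or acts upon, a sensitive entity domain."""
    text = json.dumps(rule)
    return any(f'"{d}.' in text for d in SENSITIVE_DOMAINS)


def diff_rules(baseline, current):
    """Diff live rules against the baseline; 'review' lists added or changed
    rules whose old or new version touches a sensitive domain."""
    base = {r["id"]: r for r in baseline}
    cur = {r["id"]: r for r in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(k for k in set(base) & set(cur)
                     if fingerprint(base[k]) != fingerprint(cur[k]))
    review = [k for k in added + changed
              if touches_sensitive(cur[k]) or (k in base and touches_sensitive(base[k]))]
    return {"added": added, "removed": removed, "changed": changed, "review": review}
```

Run on a schedule against the most recent backup; a non-empty "review" list is the signal that someone must read the rule, since a removed alarm action leaves the rule itself looking harmless.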
There’s no one-size-fits-all approach when it comes to IoT automation threats. But as the buildings around us increasingly become packed with complex chains of smart devices, securing them will become a vital part of the IT security function.
Ian Heritage, Cybersecurity Architect at Trend Micro