• 11/15/2013
    12:00 AM

Internet Of Things Opens Doors to Attack

The Internet of Things may be overhyped, but the increased access to corporate and SCADA networks it offers to outside attackers is cause for concern.

Have you, like me, been bemused by the avalanche of news stories about the so-called "Internet of Things" (IoT)? "Things" have been connected for years. The problems occur when they allow unsecured access from the Internet.

Bloomberg, for example, recently headlined an article "How the Internet of Things Changes Everything." Of course, the headline was in boldface, 24-point type. You know, the typography you’d expect a World War to be announced in.

So what’s all the fuss about? Haven’t we always had things on our networks? In fact, until 20 or 25 years ago most of our networks were about connecting "things" -- PCs, terminals, servers, hosts, routers, printers, etc. People were an afterthought, really.

So let Bloomberg explain:

The Internet of Things refers to a dramatic development in the Internet's function: the fact that, even more than among people, it now enables communication among physical objects. 

Oh, do they mean PCs talking to printers? Servers talking to routers? What are they talking about?

In fact, what all the noise is about is connecting everyday, generally non-IT, things to apps that either monitor, control, or do both from our mobile or wired platforms. And it’s that "non-IT" bit that appears to make the difference.

I mean, back in the 80s I could control my company’s phone switch from my desktop over the network, and I could monitor "punch-in" and "punch-out" on the factory floor time clocks from that same desktop over that same network. So it isn’t the fact of monitoring, or the fact of controlling or even the fact of using these applications over a network that has become all the rage.

What’s got some people over-the-moon giddy (and others seriously knicker-knotted) is that we’re now talking about connecting to cars, refrigerators, dog-collars, HVAC systems, toasters, entertainment services -- pretty much all the things we use each day whether we’re in the DC, in the kitchen, or visiting our favorite café. All these things that now come with both embedded systems and wireless (or, in some cases, wired) connectivity.

Sounds like it’s a good thing, right? So why are some people upset by it all? Well, there’s this headline: "Military hops on the 'Internet of Things'." Missiles and drones and tanks and planes -- want them controllable over the Internet? You know, the same Internet that sustains thousands of denial-of-service attacks and supports thousands of hacks every day.

But, you say, "I’m not in the military and no one wants to hack into my toaster, do they?" Well, what is the business (or, reality check, businesses) your organization is involved in? As reported by EDN Network:

Embedded Networked Systems control an ever-increasing percentage of the modern industrial infrastructure. Smart energy grid installations, complex chemical processing and transport facilities, the multiple modes of our transportation infrastructure, as well as storage/access systems for personal medical and financial information all use complex embedded systems.

Currently it’s SCADA (supervisory control and data acquisition) systems that appear to be the focus of all the angst. Turns out people install these things in power plants, water purification systems, traffic control structures, and more. Just this past week the so-called Syrian Electronic Army claimed responsibility for launching a successful cyberattack on the main infrastructure system of Haifa, one of the most important ports in Israel, disrupting the operation of the servers in charge of urban management systems and public utilities in the city.

One of the big problems with these SCADA systems is that they’re not installed by IT departments, and they all come with default passwords that need to be changed as soon as (or, even better, just before) they’re brought online. So, yeah, getting users to change passwords is something we’ve all figured out how to do, right? Thought so.

How aware are you of all the embedded systems in your organization? Who has command and control of them? How secure are they from outside attacks?

OK, finished doing that survey, did you? All the embedded systems are accounted for and secured? Great, but you’re not finished. Remember all those BYO devices you’ve allowed on the network? How many of them have apps allowing their users to control their cars, homes, pets, etc.? And how many of those apps are a perfect conduit for crackers to infiltrate your network or, at a minimum, launch a phishing attack?

Now, don’t get me wrong, I think interconnecting everything is a good idea. But what’s really a great idea is interconnecting them securely. That can turn a sleepless night into a beauty rest.


Internet of Things and security

The good news is that white-hat security researchers are scanning the Net for these exposed devices. Take HD Moore and Rapid7's Project Sonar and the SCADA-related Project SHINE. The bad news is that even with all of the awareness these and other projects are raising, many of the issues won't be fixed. Meanwhile, the bad guys also are scanning away.

Re: Internet of Things and security

I don't see Internet of Things as overhyped. What's changing is improved connectivity and ability to affordably make sense of the huge quantities of data machine-to-machine links create. Doing this monitor-and-analyze well will differentiate industrial winners from losers. What that means for security? As the ROI and competitive advantage from IoT initiatives rise, the pressure will be intense to find ways to do this securely.

Military Intelligence

Mention of the military does raise the question of whether they are really putting IP addresses on missiles and tanks that are available through the public Internet, or whether just via SIPRNET or similar. You would hope, at least, that there is some common sense about isolation of certain devices, and their interface to the rest of the network, let alone the public Internet.

Re: Military Intelligence

Even if there is the toughest security on any kind of website, irrespective of whether it's a social one or other, there are genuine hackers in this world who can easily find the bugs and hack the entire website.

Re: Military Intelligence

An air gap between SIPRNET and the Internet is perhaps one way to maintain security at a higher level than the average website. Unless of course, the story about BadBIOS is true, in which case we're in deep trouble ;-) Well, that and I have never forgotten watching a USB flash drive go between the unclassified and classified networks at one defense site and thinking "you may as well just join the networks then." But that's another issue. 

My point was that if you have a secure, isolated network that is not connected to the Internet and connect your military things to it, it's a darned sight harder to attack than if you connect your IoE devices to an Internet-connected, unclassified network.

The fact that there are hackers out there who can hack things, I kind of took as a given.


This connection of more things to the Internet does broaden the potential attack space--and we do need to be thinking about it. I think ignorance and not thinking about it is the most dangerous thing. When new stuff gets connected to the internet, it doesn't occur to people to secure it and the hackers are home free. For example, just last year I saw figures that less than 7 percent of mobile phones have malware protection on them. Few people password protect their phone, and people load software on their devices willy-nilly, all without a thought to security. Now, we have to get people to figure out how to protect their credit card numbers used by the fridge to order fresh milk. This is going to be a BIG challenge.

Re: M2M

"When new stuff gets connected to the internet, it doesn't occur to people to secure it and the hackers are home free."

There's an interesting implication when you start connecting things with IPv6 and those devices have actual, unique, persistent IP addresses rather than masquerading behind an ever-changing TCP port with IPv4 NAT translations. That said, if you don't know the IP, it's a lot of IP addresses to scan, and most domestic routers supporting IPv6 have a stateful firewall, so perhaps it's not such a big deal. That's perhaps the one saving grace - most people outside the industry are going to be deploying in a home environment where their Internet connectivity sits behind a firewall. Of course if their WiFi is wide open, then it's all over... ;-)