A few weeks ago, the Federal Bureau of Investigation (FBI) released a statement on the risks of Internet of Things (IoT) technology. The statement served as a warning for businesses and consumers who use connected devices. As solution providers, your role is to advise customers of such risks, many of which can be addressed efficiently and effectively.
As increasing numbers of your customers turn to interconnected machinery to enhance their business strategy, it is crucial they recognize that such technology must be appropriately secured. Every IoT device adds to the attack surface available to an intruder. The FBI is not only warning about these hazards, but is also offering pointers on avoiding or, at the very least, mitigating the risks.
Among the IoT devices the FBI included in its announcement were: automated HVAC systems, security systems (particularly those with Wi-Fi cameras), thermostats, wearables and office equipment (including printers).
Here’s the problem: a large attack surface is exposed. Last year, HP released its Internet of Things State of the Union Study, revealing that 70 percent of the most commonly used IoT devices contain serious vulnerabilities. For example, an attacker can use weaknesses such as weak passwords, insecure password recovery mechanisms and poorly protected credentials to gain access to a device. Further, a majority of devices, along with their cloud and mobile components, failed to require passwords of sufficient complexity and length. Clearly, “123456” is not a secure password. Devices with default passwords or open Wi-Fi connections are an easy, obvious target.
Other problems included insecure Web interfaces and lack of transport encryption, in addition to insecure software and firmware. According to the report:
Given that software is what makes these devices function, it was rather alarming that 60 percent of devices displayed issues including no encryption during downloading of the update along with the update files themselves not being protected in some manner.
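The report’s finding above is about two separate failures: the update is fetched over an unencrypted channel, and the update file itself carries nothing a device can use to prove it came from the vendor. Transport encryption fixes the first; only a signature over the image fixes the second, and it does so even if the download path is plaintext. The following Go program is an added illustration, not code from the FBI, HP or any device vendor: it shows the device-side check a firmware updater should perform before flashing. The manifest layout (version, SHA-256 of the image, Ed25519 signature), the key handling and the sample image bytes are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped next to a firmware image (assumed layout for this example):
// the version number, the SHA-256 of the image, and the vendor's Ed25519 signature over both.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// Errors the device reports when an update is refused.
var (
	ErrBadSignature = errors.New("manifest signature invalid: not signed by the vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// NewVendorKey generates a signing key pair. In practice the private key lives only in the
// vendor's release tooling and the public key is baked into the device firmware.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// manifestBytes is the exact byte string that gets signed: big-endian version || image hash.
// Signing the version too stops an attacker from re-labelling an old, signed image as new.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignFirmware is the vendor side: hash the image and sign version || hash.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// VerifyUpdate is the device side. It checks, in order, that the manifest is genuinely the
// vendor's, that it is not a downgrade, and that the downloaded bytes are the bytes that were
// signed. None of these checks depends on the download having been encrypted in transit.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], m.ImageHash[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	image := []byte("constructed sample firmware image v5") // stand-in for a real image
	m := SignFirmware(priv, 5, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 4, m, image))

	// An attacker on an unencrypted download path swaps the image bytes.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 4, m, tampered))

	// An attacker edits the manifest to bump the version; the signature no longer matches.
	forged := m
	forged.Version = 9
	fmt.Println("forged manifest:", VerifyUpdate(pub, 4, forged, image))

	// A replayed, genuinely signed but old image is refused as a rollback.
	fmt.Println("replayed old version:", VerifyUpdate(pub, 5, m, image))
}
```

A device that only checks a hash published beside the image gains nothing: whoever can replace the image on the wire can replace the hash too. The signature is what ties the image to the vendor, and the version inside the signed data is what stops a signed-but-vulnerable older image from being pushed back onto the device.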
Wireless thermostats, security systems and HVAC controllers are also vulnerable if the administrative credentials that guard them are weakly protected. Once inside, an attacker can collect personal data, control the system or remotely monitor the network. The FBI also called attention to a real-world industrial scenario:
Criminals can also attack business-critical devices connected to the Internet such as the monitoring systems on gas pumps. Using this connection, the criminals could cause the pump to register incorrect levels, creating either a false gas shortage or allowing a refueling vehicle to dangerously overfill the tanks, creating a fire hazard, or interrupt the connection to the point of sale system allowing fuel to be dispensed without registering a monetary transaction.
Solution providers can help their customers by conducting a security review of customers’ devices and all associated components. That can include some straightforward practices: automated scanning of the Web interface, manual review of network traffic, reviewing the need for physical ports such as USB, reviewing authentication and authorization, and reviewing how the devices interact with their cloud and mobile application counterparts. In addition, pass along these FBI IoT security tips to your customers:
- Isolate IoT devices on their own protected networks;
- Disable UPnP on routers;
- Consider whether IoT devices are ideal for their intended purpose;
- Purchase IoT devices from manufacturers with a track record of providing secure devices;
- When available, update IoT devices with security patches;
- Ensure all default passwords are changed to strong passwords. Do not keep the default password set by the device manufacturer; many default passwords can be easily found on the Internet.