A home or office that has connected IoT (Internet of Things) devices or machines is actually full of possible weak spots for hackers, and, ironic as it may be, security cameras are often at the top of that list. It is up to us, the end-users, to reduce the threat. While cameras are storing security video to prevent crime or corporate espionage, hackers are quietly able to brute-force their way into many devices and turn them into an army of attack soldiers, as was the case in the October 2016 massive Dyn Cyberattacks that affected large chunks of the United States and Europe.
Security cameras are connected to the Internet so as to allow users remote access, along with anyone else they need to let in. This feature lets users check in on security cameras when no one is at home or at the business, and allows manufacturers to update device software without having to make house calls. The convenience and brilliant simplicity notwithstanding, this very feature that is the essence of all IoT devices is actually a cyber-bug. IoT devices are easy to connect to remotely by just about anyone, and unfortunately, not just by the people one would wish to share access with.
Yes, it really is that easy.
All Internet connected devices have IP addresses and therefore can easily be found on search engines such as Google and Shodan (a searchable registry of IP addresses with information about connected devices). Hackers can find thousands of hackable devices such as cameras just by entering a few search terms, and armed with this information they move to the actual breaking in.
Additionally, IoT devices typically come with default passwords, and many users, even after the 2016 Dyn Cyberattacks, stay with the default settings and do not bother to set a unique username and password. Hackers can find lists of vulnerable devices and try out default passwords. If those have never been changed – they are in. Even if the passwords have been changed, hackers can use SSH and telnet services that unfortunately allow hackers to force their way into devices, since changing a device’s web app password typically does not guarantee that the password coded into the device has been updated.
According to Flashpoint (a cybersecurity company), in the 2016 Dyn attacks, hackers inserted Mirai, malicious malware that allowed the use of at least 100,000 IoT devices as soldiers in a botnet (zombie army), including printers, IP cameras, residential gateways and baby monitors. This botnet was used to send thousands of junk requests to Dyn, a company that manages web traffic for many prominent websites such as Twitter, Amazon, Netflix, and Reddit, who were knocked offline by the attack. Dyn couldn’t separate the legitimate requests from the junk, and consequently internet users in the US were cut off from these websites, which is the definition of a DDoS attack (Distributed Denial of Service). This example, though extreme, shows the potential vulnerabilities that unknown and unmanaged IoT devices can cause a network.
Securing IoT devices in two steps:
Step 1: Visibility
With the number of IoT devices entering the enterprise network, it is challenging to keep track of them. Without network visibility, it is impossible to see, manage, control and secure the network, and the risk for breaches increases. Clearly the first step in securing IoT devices is making sure that they are seen and acknowledged as existing on the network. IoT devices in the enterprise could include time-attendance clocks, smart TVs, temperature gauges, coffee makers and the above mentioned IP cameras. To minimize the risks, once identified on the network, there should be a centralized control mechanism that would enforce updates of the latest patches in security software.
Step 2: Network Segmentation
Once an organization has established complete visibility and centralized management across the network, it is crucial to segment all valuable enterprise data and establish controls to protect the expanding IoT surface. IoT devices should be on a separate network segment from the organization’s mission critical systems or data, including segmentation from devices such as laptops, PCs, tablets and smartphones containing enterprise data. Segmenting into secured network zones should be automated and then firewalls must be deployed between these segments to prevent IoT devices from reaching enterprise assets. With intelligent and automated segmentation, the enterprise increases ROI from its existing detection technology, making it more accurate and effective. Thus, even if IoT devices are breached, it shouldn’t expose enterprise assets along with them.
Conclusion – Using Intelligent Network Access Controls (NAC)
For the foreseeable future, it appears that cyber offenders will continue to take advantage of IoT vulnerabilities, but there is no reason for today’s enterprise to sit back and do nothing. All of the steps mentioned above and more can be achieved by using Portnox NAC solutions. Having full network visibility to identify devices on the network, followed by a layered and automated approach will allow the enterprise to secure these devices and respond to any potential breach, keeping important assets protected.
Want to see just how easy it is to hack an IP camera?
There are just a few steps required to perform a live hack of an IoT device, and without proper network segmentation, the consequences could be disastrous.
Once you have seen just how easy it is, check out more information on integrating connected devices into your network in the optimal way for security as well as ease of use purposes.