The main threat from unsecured IoT devices is often not an attack on the device itself but on the company’s wider infrastructure, resulting in lost productivity and financial loss. Gartner estimates that there will be more than 7 billion connected “things” by 2020, which means international organizations must have security in place for every IoT system or face compliance action from GDPR and NIS Directive regulators. The US will invest $2.8 million in IoT over the next 12 months. Only 42 percent of IoT organizations involve their security teams early in IoT projects, yet 72 percent of global companies claim that they always identify their security needs during projects. Only 34 percent of respondents said that the CISO was ultimately responsible for IoT security, among the lowest percentages worldwide. Although the company board may discuss the incident response plan, it has very little control over the actual security of IoT devices.
The following are real examples of businesses that did not follow IoT security best practices, and how they were compromised.
1. Fish Tank Thermostat at Casino
A North American casino recently installed an advanced fish tank with sophisticated sensors to regulate temperature, salinity and feeding times. The casino set up a VPN to protect the tank’s data and to keep its communications isolated from the commercial network.

Anomalous activity detected: a transfer of 10 GB of data outside the network, to a location that no other company device had ever communicated with, over protocols normally associated with audio or video. The tank’s communication patterns included occasional communications with company devices, but that activity was consistent with similar IoT devices. Darktrace’s AI algorithms deemed the external data transfers highly unusual. The data was being transferred from the tank to a device in Finland. This was clearly a case of data exfiltration, but it was far more subtle than other attempts at data theft: the attack bypassed the casino’s security tools by targeting an unusual device that had only just been introduced to the network.
2. Architectural Firm Drawing Pads
Architects used smart drawing pads to send drawings and schematics quickly to clients and other staff members. The devices were connected to the office Wi-Fi without changing the default login credentials, which left them easily accessible through a variety of channels.
To gain control of the devices, the attacker used the default login credentials shipped with the drawing pad software. These credentials, together with the public SNMP community string used for authentication, were publicly available on Shodan, which also revealed that the devices had open HTTP, HTTPS and Telnet ports.
Darktrace discovered the vulnerability when hundreds upon hundreds of IP addresses from all over the world made thousands of SNMP connections to the devices over UDP port 161. Over 99 percent contained at least one “GetBulkRequest”, an SNMP operation that retrieves large amounts of data in a single request. The devices answered with a far greater number of “GetResponse” messages, some of which carried as many as 397,000 objects. In 64 cases, devices uploaded more than 1 MB of data.
It is possible that the source addresses were spoofed to those of the targets: the drawing pads received hundreds of “GetBulkRequests” carrying the addresses of the target networks, which forced them to send back more than 100 times as many “GetResponses” to those targets. This is a testament to the power of reflection and amplification attacks. Although it is not clear what other devices were involved in this attack, even a small number of IoT devices at an architectural firm were capable of generating an alarming amount of traffic.
The targeted IPs belonged to websites owned by entertainment and design firms, as well as governmental bodies. The firm’s security team was able to stop the damage by flagging the unusual SNMP requests as soon as they started.
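As an added illustration of how a defender can spot the pattern described above (example code written for this page, not Darktrace’s or the firm’s), the following Python detector scores SNMP flow records per internal device: many distinct external requesters, a GetBulkRequest-dominated mix and a high response-to-request byte ratio together indicate the device is being used as a reflector. The record layout, the thresholds and the sample flows are constructed assumptions; a real deployment would build the records from NetFlow or packet captures.

```python
"""Flag internal devices being used as SNMP reflectors/amplifiers.

Added example for this page (not Darktrace's or the firm's code). The
SnmpFlow record layout, thresholds and sample traffic are constructed
assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SNMP_PORT = 161                                  # UDP/161, as in the incident
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed office address space


@dataclass(frozen=True)
class SnmpFlow:
    src: str          # claimed requester; in a reflection attack this is the victim
    dst: str          # internal device that answered
    pdu: str          # "GetBulkRequest", "GetRequest", ...
    req_bytes: int    # bytes of request traffic received from src
    resp_bytes: int   # bytes of GetResponse traffic sent back to src
    objects: int      # varbinds carried in the responses


def summarize(flows):
    """Per answering device: distinct requesters, byte totals, GetBulk count."""
    stats = defaultdict(lambda: {"sources": set(), "req": 0, "resp": 0, "bulk": 0, "n": 0})
    for f in flows:
        s = stats[f.dst]
        s["sources"].add(f.src)
        s["req"] += f.req_bytes
        s["resp"] += f.resp_bytes
        s["n"] += 1
        if f.pdu == "GetBulkRequest":
            s["bulk"] += 1
    return stats


def detect_amplification(flows, min_sources=10, min_bulk_share=0.9, min_ratio=10.0):
    """Return one alert per device whose SNMP traffic looks like reflection.

    A legitimate poller is one or two known hosts sending GetRequests with a
    response/request byte ratio near 1. A reflector answers GetBulkRequests
    from many addresses it never spoke to, sending back far more than it got.
    """
    alerts = []
    for device, s in summarize(flows).items():
        external = {ip for ip in s["sources"] if ipaddress.ip_address(ip) not in INTERNAL}
        ratio = s["resp"] / s["req"] if s["req"] else 0.0
        bulk_share = s["bulk"] / s["n"]
        if len(external) >= min_sources and bulk_share >= min_bulk_share and ratio >= min_ratio:
            alerts.append({
                "device": device,
                "sources": len(external),
                "bulk_share": round(bulk_share, 2),
                "amplification": round(ratio, 1),
                # The spoofed requesters are the real victims: they receive the flood.
                "likely_victims": sorted(external)[:5],
            })
    return alerts


# Constructed sample: twelve "requesters" in a documentation range hit one pad
# with GetBulkRequests, while a genuine monitoring host polls another device.
SAMPLE = [
    SnmpFlow(f"198.51.100.{i}", "10.0.5.21", "GetBulkRequest", 90, 12_000, 1_500)
    for i in range(1, 13)
] + [
    SnmpFlow("10.0.1.5", "10.0.5.22", "GetRequest", 70, 120, 1)
    for _ in range(50)
]

if __name__ == "__main__":
    for alert in detect_amplification(SAMPLE):
        print(alert)
```

Because the GetResponses go to whichever address the request claimed, the alert lists the requesters as likely victims rather than as attackers; the practical response is to close UDP/161 to the internet, change the community string and notify the targets.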
3. Global Food Chain: Infiltrated Refrigeration Systems
A fast food chain encountered a major issue: an error in its software could have allowed attackers to access the storage refrigerators and change their temperature, which could have led to widespread food spoilage. Recovering from such an incident could have devastating consequences for a company’s reputation and finances. Darktrace AI discovered this vulnerability immediately after the technology was installed: the refrigerators were sending out mass-delivery spam email alerts. The company fixed the flaw before a would-be saboteur could exploit it.
[See: When Refrigerators Attack]
4. Boardroom Video Conferencing Unit
Data that is dripped out slowly over a long period is less likely to be noticed, which was the intent of the attackers who broke into the systems of an international sports manufacturer.
The company’s new video conferencing equipment was exploited through an unauthenticated remote access tool, and small audio files were then leaked to an external server bit by bit. The attackers were very careful, since they were playing a high-risk game with confidential boardroom audio: individual leaks never exceeded 10 KB and took place within office hours to avoid suspicion.
Had the hack continued for long enough, it could have been very successful. Darktrace AI flagged the video conferencing system’s behaviour as highly unusual. This is bec
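Both the fish tank case (a large transfer to a destination no device in the organisation had ever contacted) and the conferencing unit case (many sub-10 KB uploads to one host during office hours) are baseline-versus-behaviour problems. As an added example for this page (not Darktrace’s or either company’s code), the following Python detector builds a destination baseline from historical flow records and applies one check for each pattern. The Flow record layout, address ranges, thresholds and the sample history and recent traffic are all constructed assumptions.

```python
"""Baseline-driven detection of two IoT exfiltration patterns.

Added example for this page (not Darktrace's or the companies' code).
Flow records, address ranges, thresholds and the history used as a
baseline are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
OFFICE_HOURS = range(9, 17)                      # 09:00-16:59, assumed


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str        # internal device
    dst: str        # remote peer
    bytes_out: int  # bytes the device sent to dst


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL


def build_baseline(history):
    """Every external destination any internal device has contacted before."""
    return {f.dst for f in history if is_external(f.dst)}


def detect_new_destination_bulk(flows, baseline, min_bytes=1_000_000_000):
    """Fish tank pattern: a large volume sent to a destination that no device
    in the organisation has ever talked to (default threshold 1 GB)."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f.dst) and f.dst not in baseline:
            totals[(f.src, f.dst)] += f.bytes_out
    return [
        {"device": src, "dest": dst, "bytes": total,
         "reason": "bulk upload to destination never seen org-wide"}
        for (src, dst), total in totals.items() if total >= min_bytes
    ]


def detect_low_and_slow(flows, max_chunk=10 * 1024, min_chunks=50, min_total=500 * 1024):
    """Conference unit pattern: many small uploads (each under 10 KB) to one
    external host whose sum is significant. Reports the share that fell in
    office hours, since blending into business traffic is part of the trick."""
    chunks = defaultdict(list)
    for f in flows:
        if is_external(f.dst) and 0 < f.bytes_out <= max_chunk:
            chunks[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), fs in chunks.items():
        total = sum(f.bytes_out for f in fs)
        if len(fs) >= min_chunks and total >= min_total:
            in_hours = sum(1 for f in fs if f.ts.hour in OFFICE_HOURS)
            alerts.append({"device": src, "dest": dst, "chunks": len(fs), "bytes": total,
                           "office_hours_share": round(in_hours / len(fs), 2),
                           "reason": "low-and-slow upload in sub-10KB chunks"})
    return alerts


# --- Constructed sample data -------------------------------------------
T0 = datetime(2024, 3, 4, 9, 0)
# Thirty days of a workstation talking to one known external host.
HISTORY = [Flow(T0 - timedelta(days=d), "10.0.2.11", "203.0.113.5", 4_000) for d in range(1, 31)]

RECENT = (
    # Ordinary workstation traffic to the known destination.
    [Flow(T0 + timedelta(minutes=30 * i), "10.0.2.11", "203.0.113.5", 3_000) for i in range(20)]
    # "Fish tank" sensor: five 2 GB uploads to a never-seen host.
    + [Flow(T0 + timedelta(hours=i), "10.0.9.40", "192.0.2.44", 2_000_000_000) for i in range(5)]
    # "Conference unit": 70 uploads of 8 KB, every six minutes, all in office hours.
    + [Flow(T0 + timedelta(minutes=6 * i), "10.0.3.77", "192.0.2.99", 8_192) for i in range(70)]
)

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for a in detect_new_destination_bulk(RECENT, base) + detect_low_and_slow(RECENT):
        print(a)
```

The two checks are deliberately independent: the low-and-slow total never reaches the bulk threshold, and each 2 GB upload is far above the chunk ceiling, so each incident is caught by exactly one rule. Baselines should be built org-wide rather than per device, because a brand-new device such as the fish tank has no history of its own to compare against.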