Internet-connected devices can introduce considerable security risks, but what are the highest risk IoT devices for enterprises?
According to a new report from cloud-based information security company Zscaler, the highest risk IoT devices for enterprises are surveillance cameras – devices that are purchased and installed to decrease risk.
Unfortunately, while surveillance cameras can be used to reduce the risk of theft of equipment, they can actually increase the risk of data theft. Surveillance cameras have been discovered to contain numerous security vulnerabilities that can all too easily be exploited by hackers.
As we have seen in recent weeks, some models lack even basic security protections, which has allowed hackers to add them to botnets capable of delivering devastating Distributed Denial of Service (DDoS) attacks. Those attacks – some of which have reached 1 Tbps – have taken down large sections of the Internet and have been used to attack a wide range of targets including the Krebs on Security website and French hosting company OVH.
According to Zscaler's director of security research, Deepen Desai, “I would consider the entire video camera category as particularly dangerous.” The cameras are by far the highest risk IoT devices for enterprises. Desai used the Flir FX wireless HD monitoring camera as an example of the risk that these devices can introduce.
He explained that his researchers discovered the camera communicated in plain text and did not use any authentication tokens. The researchers also discovered that firmware updates were not being digitally signed. This means a hacker could introduce custom-crafted malicious firmware with ease.
Unfortunately, this is only one of a number of possible examples. An Axis security camera was found to use a remote management console with only the most basic of HTTP authentication, leaving it susceptible to man-in-the-middle attacks. The Foscam IP surveillance camera records videos and streams them to users’ smartphones and desktop computers, yet user credentials are transmitted in plaintext over HTTP.
Many organizations have also been found to be using devices meant for the consumer market. Those devices include a host of vulnerabilities that could easily be exploited by hackers. Not only could the devices be added to botnets such as Mirai, but the vulnerabilities could also be exploited to gain access to the networks to which the devices connect.
Zscaler determined that none of the enterprise IoT devices analysed for the study had been added to the Mirai botnet, but that does not mean that the devices are immune from attack. Desai recommended enterprises restrict the use of IoT devices as far as is possible and take steps to make the devices more secure. External ports should be blocked, while the devices should only be used on isolated networks. The latter is essential to protect against lateral movement.
Default configurations should also be changed and IoT devices should receive regular firmware and security updates. It is all too easy to forget these devices and not include them in patch management policies and procedures.