Hacking the Internet of Things
Computer systems that fall into the Internet of Things (IoT) include everything from home alarm systems to manufacturing equipment to coffee pots and pretty much anything in between. Even automobiles can now be hacked as you’ve likely heard about in the highly publicized hack against a Jeep Cherokee in 2015.
Cisco Systems has estimated that the IoT will grow to 50 billion devices by 2020! Perhaps this is why all IPv4 addresses are now gone. That’s probably not a good thing for most people, but it certainly sounds like job security for those working in this industry.
If you’re going to lock down IoT systems, you must first understand how they’re vulnerable. Given that IoT systems are not unlike other network systems (i.e., they have an IP address and/or a web interface), you’ll be able to use standard vulnerability scanners to uncover flaws. Additional security checks you should run on IoT systems include:
What information is stored on the system (i.e., sensitive customer information, intellectual property, or biodata from devices such as Fitbits and Apple Watches)? If systems are lost or stolen, is that going to create business risks?
How is information communicated to and from each system? Is it encrypted?
Are passwords required? What are the default password complexity standards? Can they be changed? Does intruder lockout exist to help prevent password cracking?
What patches are missing that facilitate security exploits? Are software updates even available?
How do the systems stand up under vulnerability scans and, even more so, simulated denial of service attacks?
What additional security policies need to be in put in place to address IoT systems?
Just like any other system in your network environment, IoT systems, devices, and widgets (or whatever you call them) need to be included in the scope of your security testing. If they’re not, vulnerabilities could be lurking that if eventually exploited can lead to a breach or potentially even more catastrophic situation.