Saturday, December 10, 2022

The Top 3 XIoT Attacks You Need To Know About

 


I was just talking to one my old grad school buddies last night on the phone, and we were both discussing just how fast this year has gone.  He mentioned that he still has some shopping to do.  So, this brings up the topic of gifts for the Holidays. 

True, everybody has their own style of shopping and they know what their family and friends want, but it seems to come down to two things:  Gift cards and electronic items.  In terms of the latter, I have stayed out of the loop of what the newest things are, except for what I see in the Cyber headlines.

It seems like anything that has the term “Internet of Things” (or IoT) branded into it, seems to be a popular choice.   I surmise that the reason for this is that it brings up images of conveniences, and in some ways, it even gives one the image of stature, by keeping ahead of the neighbors. 

But honestly, while it may be great to have your coffee pot, toaster, or even car started by Siri or Cortana, there are a lot of disadvantages to it as well, especially from the standpoint of Cyber.

For one, by having so many interconnected devices in your home (which gives birth to the name “Smart Home”) you are merely opening the attack surface that much more for the Cyberattacker.  For instance, many of the communications that take place between your gadgets are still sent in what is known as “Plaintext”. 

Nothing is encrypted.  Second, it is much easier for the Cyberattacker to launch remote attacks against your gadgets, and even control them thousands of miles of away.

This is the fear now are seeing with Smart Cars and even the latest versions of airplanes that have been produced by both Airbus and Boeing.  There is so much technology and electronics that are packed into them that it is much easier now for a hacker to break into them, and literally steer them off course. 

Back in the days of traditional analog technology, this probably would never have been a problem.  But now it is.

Now, there is even a greater problem.  These IoT gadgets that you can get at the store are now making their into the IT and Network Infrastructures of Corporate America.  This has given rise to an even newer term, called the “Extensible Internet of Things”, or “XIoT” for short.  Here are some examples, that you the CISO and your IT Security team be on the look for:

1)     Connections to the endpoint:

Although organizations are doing a much better job of protecting their endpoints (which in my books are the points of origination and termination of the network lines of communication), some are still not, and the Cyberattacker knows this.  Thus, it becomes an easy point of access for them to enter quickly and covertly.  But now for example, suppose your endpoints are well fortified, if you introduce an IoT device into your infrastructure, it could disable what you have already worked so hard to made secure.  Why is the case?  Well, network security tools have been designed already to be compatible with endpoint security technology.  This is not the case with IoT stuff, because there is hardly any security features installed into them to begin with.  The moral of the story here is don’t connect any device that you are not familiar with into your IT/Network Infrastructure.  If you have to, always test the device and the connections in a sandboxed environment first.  Technically speaking, this kind of attack, is known as a “Pivot Point Attack”.  Back in 2019, Microsoft witnessed the first kind of this attack, where a Cyberattacker went from a VoIP system, then to all of the printers in a company.  More information about that can be seen here:

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

2)     Data Theft:

When one hears this term, they often think of theft from a database of PII datasets.  While this is the traditional way of looking at it, it is important to keep in mind that data can be anywhere, for example, even in your copier, printer, or even digital fax machine.  One of the industries most prone to this is the healthcare one.  Just about every medical device that is used to conduct an examination on you will contain some kind of data on you.  Also, it is this industry that tends to use more IoT based devices than some others.  Because they are also connected to other medical devices, the IoT stuff will also hold some sort of data within them.  So in the mind of the Cyberattacker, why go something that is harder to get into, like a CAT scan machine, when I can easily gain a foothold with an insecure IoT device and exfiltrate data that way?

3)     A way to keep coming back:

Once a Cyberattacker has a found a way in, they will want to stay in for as long as possible.  Eventually they will leave once they collected all of the prized possessions that have.  But will they come back again?  More than likely yes, but not immediately.  They will probably go after other targets, then come back.  Also, given how easy it was to penetrate through the IoT device, they will probably use the same entry vehicle once again, to see what new things procured and deployed.  Once again here, try not to use an IoT  based device in your organization unless you absolutely have to.  It’s just one less thing to worry about.  Also, it could be the case that the Cyberattacker could even find a home in the IoT device itself to camp out in.  These kinds of attacks are known as “Persistence Attacks”.

My Thoughts On This:

There have been attempts by the states to introduce legislation in order to make vendors instill a baseline of security into their products.  One example of this was the one passed and enacted in California a few years ago, but nothing came out of it, because it was deemed to be broad in scope. 

As I have mentioned 2x times in this blog, if you can, avoid implementing IoT devices into your IT and Network environments.

And if you have to, test them out thoroughly before they are moved out into production.  Also, remember to change the default settings on them that fits your own security requirements, do not rely upon the vendor settings, as the will provide no protection whatsoever!!!

Also, IoT security deserves the same amount of attention like anything else.  It should not receive any lower priority, rather, it should be given an elevated status.

 

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...