New research led by "ethical hacker" Samy Kamkar highlights common enterprise IoT devices that are hackable within three minutes.
The report from ForeScout delves into the specific vulnerabilities of seven IoT devices found in enterprise environments. Attackers can easily recruit an army of IoT devices to launch a wide-scale distributed denial-of-service (DDoS) attack due to the volume of these devices and their ease of infiltration.
Pedro Abreu, ForeScout's chief of strategy, tells us that as more IoT devices connect to the enterprise, they are becoming the "path of least resistance" for hackers seeking access to the network.
"Protection in the age of IoT is all about visibility," he says. "Organizations need the ability to see devices the instant they connect to their network and then control their access based on the device security posture and behavior."
Kamkar's research focused on seven common enterprise IoT devices, including IP-connected security systems, smart HVACs and energy meters, video conferencing systems and connected printers, among others. Based on his observations from a physical test and on analysis of peer-reviewed industry research, these devices pose significant risk to the enterprise because the majority of them are not built with embedded security. Of the devices that did ship with rudimentary security, many were found to be running "dangerously outdated firmware."
Key findings of the report include:
- The seven IoT devices identified can be hacked in as little as three minutes, but can take days or weeks to remediate.
- Should any of these devices become infected, hackers can plant backdoors to create and launch an automated IoT botnet DDoS attack.
- Cyber criminals can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment.
- With VoIP phones, exploiting configuration settings to evade authentication can open opportunities for snooping and recording of calls.
- Via connected HVAC systems and energy meters, hackers can force critical rooms (e.g. server rooms) to overheat, damaging critical infrastructure and ultimately causing physical harm.
"Our research involved a physical hack into an enterprise-grade, network-based security camera," Abreu said. "The camera was running the latest firmware, yet we were able to hack into it using the very same method that caused the Dyn DDoS attack [last Friday]: exploiting a default password. The most concerning part about this was that we were able to plant a backdoor that could be exploited even after the password was fixed and patches made."
The IoT footprint continues to expand, showing little or no sign of slowing down. Gartner predicts that 20 billion connected devices will be deployed by 2020, with as many as a third of these sitting vulnerable, unknown to their owners, on enterprise, government, healthcare and industrial networks globally. In turn, hackers can now easily pivot from insecure devices into the secured network and ultimately reach other enterprise systems that may store bank account information, personnel files or proprietary business information.
— Edward Gately, Contributing Editor, Channel Partners