In the past few years, the rise of Internet-connected “things” has given rise to a new term, the “Internet of Things”, or IoT for short. The idea itself is not new (many will remember the “Internet Fridge”, which seemed a rather silly concept in the 90s), but a handful of use cases have driven an explosion of IoT connections online. These include:

  • TVs, as streaming services such as Netflix have grown in popularity and the bandwidth needed to use them has become more affordable
  • Home security systems that let people monitor their own alarm and camera systems from their own devices
  • “Call home” VPNs on home NAS storage systems
  • “Smart” houses, where elements of building management systems previously only available in large commercial premises are sold to the consumer market
  • Many, many others

On the surface this all sounds reasonably benign, right? Monitoring my house from my phone sounds like a great idea, yes? In an ideal world, I’d agree. It is all value-add on the expensive Internet connections we pay monthly fees for. Why not get as much out of your connection as possible? Why pay a security monitoring firm when you can do it yourself?

If you are an IT-savvy individual you will know that there are best-practice approaches to securing any device you give a public IP address to. The reality, though, is that Joe/Jane Public isn’t IT savvy, and Joe/Jane Public also works in your business. The extent of the problem is illustrated quite well by websites like shodan.io.

Shodan

Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the Internet using a variety of filters. Some have also described it as a search engine of service banners: the metadata a server sends back to a client when it connects. A banner can reveal the server software and version, which options the service supports, a welcome message, or anything else a client can learn before interacting further with the server, and none of it requires logging in.

It looks like this:

[Screenshot: shodan1]

If you create an account, the search capability starts to reveal itself, with top search categories:

[Screenshot: shodan2]

Unsecured IoT is rife

The creepier side of IoT includes thousands of unsecured home security camera feeds, some of them clearly not intended for broadcast.

[Screenshot: shodan3]


Industrial control, we look after that, don’t we?

It sure doesn’t look like we do. Even more concerning is the presence of thousands of industrial control systems: PLC and SCADA systems that are publicly reachable, by the thousands, some of them exposing the control interface itself, including that of complex processing machinery.

[Screenshot: shodan4]

Why should I care about this though?

While on the surface this may seem of little relevance to your business, there are a few good reasons to rethink that stance. It is a shining example of the EULA, or “next, next, next”, problem: nobody reads an end user licence agreement, and most people keep clicking Next until the install is complete. Where does this come into play for your business? As soon as someone goes out, procures a “smart” something and plugs it in. Before you know it, you have a shadow IT problem: a device on your network, quite possibly reachable from the Internet, that nobody in IT sanctioned or even knows about.

What can be done?

You have several tools at your disposal to deal with the IoT problem. These include:

Governance

Have a device policy and educate your users about it. Measure the effectiveness of your policies.

Monitoring

Regularly sweep your internal environment for rogue devices and compare what you find with your asset inventory.

Access Control

Authenticate all devices to your network and reject unknown connections.

Perimeter

Know what is being published at your perimeter.

Footprint

Scan your own external IPs for unsanctioned services being offered, and compare the result with what you intended to publish.
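As an added example, not code from the original article or from Iocane, here is a small footprint audit of the kind the Perimeter and Footprint steps call for, built on the same service banners Shodan indexes (see the Shodan section above). It grabs whatever a service volunteers on connect, then compares every observed (host, port) pair with the list of services the business actually means to publish and checks ports and banners against a few markers of the device classes Shodan keeps turning up: telnet consoles, PLC ports, camera streams. The addresses (203.0.113.0/24 is a documentation range), the sanctioned list, the sample sweep and the risk rules are all constructed for the example, and the helper names `grab_banner`, `audit` and `serve_banner_once` are this example’s own, not part of any scanner or of Shodan.

```python
# Added example (not the article's or Iocane's code): external footprint audit.
# All hosts, banners, the SANCTIONED set and RISK_RULES are constructed sample
# data and assumptions for illustration; adjust them to your own environment.
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    port: int
    banner: str  # first bytes the service sent, decoded; empty if it sent nothing


def grab_banner(host, port, timeout=2.0):
    """Connect, read whatever the service volunteers and return it as text.

    Services such as SSH, SMTP and FTP speak first; HTTP does not, so if
    nothing arrives within the timeout a harmless HEAD request is sent and
    the reply is read instead. Any socket error yields an empty banner so a
    sweep over many targets keeps going.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                data = s.recv(512)
        return data.decode("utf-8", errors="replace").strip()
    except OSError:
        return ""


# Assumed rules: a hit on either the port or the banner substring (case-
# insensitive) flags a device class that should never face the Internet open.
RISK_RULES = (
    (23,  "login:", "telnet console (cleartext credentials)"),
    (102, None,     "Siemens S7 ISO-TSAP, PLC programming port"),
    (502, None,     "Modbus/TCP, an ICS protocol with no authentication"),
    (554, "rtsp/",  "RTSP video stream (camera feed)"),
)


def audit(observations, sanctioned):
    """Return sorted, de-duplicated (host, port, reason) findings.

    Two independent checks: is the exposure on the sanctioned list at all,
    and does the port or banner match a known-risky device class?
    """
    findings = set()
    for obs in observations:
        if (obs.host, obs.port) not in sanctioned:
            findings.add((obs.host, obs.port, "not in the sanctioned service list"))
        for port, marker, reason in RISK_RULES:
            if obs.port == port or (marker and marker in obs.banner.lower()):
                findings.add((obs.host, obs.port, reason))
    return sorted(findings)


def sweep(targets, timeout=2.0):
    """Build Observations for a list of (host, port) pairs you are authorised to scan."""
    return [Observation(h, p, grab_banner(h, p, timeout)) for h, p in targets]


def serve_banner_once(banner):
    """Throwaway local listener that sends `banner` to one client, so the grab
    can be exercised offline. Returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


# Constructed sample: what the business intends to publish, and what a scan
# of its address block turned up (the camera, PLC and router were never sanctioned).
SANCTIONED = {("203.0.113.10", 443), ("203.0.113.11", 25)}
SAMPLE_SWEEP = [
    Observation("203.0.113.10", 443, "HTTP/1.1 200 OK\r\nServer: nginx"),
    Observation("203.0.113.11", 25, "220 mail.example.com ESMTP ready"),
    Observation("203.0.113.12", 554, "RTSP/1.0 401 Unauthorized"),
    Observation("203.0.113.13", 502, ""),
    Observation("203.0.113.14", 23, "\r\nrouter login:"),
    Observation("203.0.113.14", 8080, "HTTP/1.0 200 OK\r\nServer: lighttpd/1.4"),
]

if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_SWEEP, SANCTIONED):
        print(f"{host}:{port:<5} {reason}")
```

The same observed-versus-sanctioned comparison serves the Monitoring step internally: swap the sanctioned service list for your asset inventory and the sweep results for what an internal scan or the switches’ address tables report, and the leftovers are your candidate rogue devices. The one rule that never changes is the one in the footnote below: run `sweep` only against addresses you own or are authorised to test.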


Footnote: please note that no systems were actively accessed as part of developing this article. The cam screenshot was taken from Google Images. Iocane does not suggest that you engage in reconnaissance activities on systems you are not authorised to access.

Any actions you take as a result of this article may have legal ramifications and may be in breach of the Telecommunications Act. Think carefully before you act.