It sounds silly to think that just wanting a more pleasant trip to the company refrigerator could put your business at risk. After all, what could a refrigerator possibly do to compromise your network security? Well, as it turns out, it could be a lot worse than you think. As we become increasingly enamored with the utility of technology, we often forget the vulnerabilities it brings. Our bedside alarm clocks of tomorrow could have internet access, and could communicate with our office computers to tell them what time we want to be at the office each day. The doorbell could notify you when the delivery person has arrived. Eventually, we could all be living in smart cities, with internet access available everywhere. And so on. This type of technology can be extremely handy—or it could make your life a lot more miserable.
Twitter In The Kitchen? Yes, Really... And Then Some
Have you ever read Twitter in the kitchen? Well, you probably have—most likely on your home network, on your mobile devices. Today, however, our personal and industrial devices are becoming increasingly interconnected as we discover more and more ways to share data and make use of the internet to help meet even our most basic needs. The refrigerator of tomorrow (or today, really) could well have a screen built into the door that provides news, weather and other informational updates. That's quite an upgrade for a space of your kitchen that was once so uninteresting that people would stick magnets there to liven the place up.
Refrigerators and other appliances used to have only one job - keeping your food cold, toasting your bread, and so on. However, it seems that more and more unlikely electronic devices are becoming internet enabled. You can find internet functionality on the most unusual devices, such as water bottles, baby changing stations, and toothbrushes. There's even an internet-enabled egg minder for your refrigerator, which connects to your wireless network to let you know when your eggs are going bad. (You might not be surprised to find out the reviews for this particular gadget are not exactly glowing.) Your home network has plenty of ways to offer increased functionality for even the most trivial objects.
The Internet of Things
This is called the Internet of Things (or IoT). The Internet of Things is a term used to describe otherwise ordinary devices that are connected to the internet, usually on your home network, and almost always via Wi-Fi rather than by a network cable. The manufacturer combines the convenience and power of the internet with everyday appliances and devices to make those things more efficient and usable. Some of the more practical applications for these types of devices are wearable devices, or doorbells with attached cameras, for example. After all, it is nice to see who's at your doorstep remotely if you're away from home, and to have a smart watch to let you know when you've got an email. Furthermore, IoT devices are often used in industrial settings, where they can be easily installed to collect data on immobile factory equipment without expensive and difficult installation procedures. Sensor data on costly engineering equipment can be extracted remotely and analyzed at a convenient location in the shop. Wireless routers can be conveniently placed to extend functionality to IoT sensors where cables just won't go. And so on.
Even though it's fun to think about egg minders and other trivial things to clog up your home network, Internet of Things gadgets aren't all overpriced, useless physical devices. In fact, they can be very useful in a lot of ways. Furthermore, IoT devices and especially IoT data aren't the most common attack vectors for hackers - yet. So, the Internet of Things doesn't represent a major security threat at the moment. But IoT systems do represent a growing vector for potential attack, and will be more so in the future. The forecast for the total number of smart refrigerators, smart watches, and other IoT devices in the world by 2025 is well over 27 billion - that's a lot of devices, including ones you might not even know are Internet of Things-enabled in the first place! The more connected your office or home network is, the greater the risk cybercriminals pose. After all, the more doors there are in a building, the greater the chance that one of them will eventually be left unlocked.
Your Refrigerator: Security Threat
The security concerns surrounding internet-enabled devices, such as this refrigerator, lie in their wireless access point. The access point is the mechanism that allows these devices to connect to wireless networks to access the Internet. After all, you can't run a network cable easily to your front door or to your toaster, but your home wireless network probably reaches it. Yet unfortunately, you probably don't spend a lot of time wondering about how to secure your home wireless network from attack, even though you should think about it! Most wireless routers aren't properly secured against attack, particularly ones used by private users on their home network. Often, owners do not even change the password to access the router's console. Imagine what a security problem this would be for your business if your office followed the same lax protocols that pass for home network security!
The problem gets more prevalent the more devices you own. If you own one laptop and one Wi-Fi router, you can safely assume that there are two potential ways to break into your home network. But if you have one laptop, one Wi-Fi router, a toaster, a smart television, a smart watch, three mobile phones, and a dozen other random Wi-Fi devices connected to your Wi-Fi at all times, that presents a lot more potential security holes in your network. In general, you can safely assume that the more access points that are connected to a network, the more difficult it becomes to manage office or home network security, and make sure that only the right people have access to what's on it. There are several reasons for this. One of them is familiarity with configuring these smart objects in the first place. Your Microsoft Certified Network Engineer who wears six different hats for your company might not be aware that the new toaster in the break room is constantly polling for Wi-Fi networks and searching for incoming connections, or that the receptionist who unboxed the toaster last week decided to be ambitious and connected it to the Wi-Fi network to see what it could do. Any compromised web-enabled device, no matter how innocuous, is a potential gateway for attacks once it's on the network. Wireless network security should be a primary concern for a business using these devices, particularly ones utilizing a full-on internet connection.
The Most Common Way An Attack Can Occur
When you're connected to a wireless network, the data you receive comes from the access point or wireless router you're connected to. With the right technology, someone on the same network could intercept the traffic, read it and even modify it. Here's an example: let's say you're at the airport and are trying to connect to your company's VPN network via the guest network. You make your connection to the airport guest network and now need to get through the firewall to reach your internal network. To do this, your computer or device has to talk to the firewall.
However, if a hacker is using a rogue device on the same network, your traffic could be passed on to his device instead. He can then connect to the firewall, before passing the traffic on to you. This way, he can see all the traffic sent to the firewall, and can use it to impersonate the firewall. This gives the hacker a very easy way to break into your wireless network and compromise your security systems.
Is It Really That Easy?
How easy can that be? Well, it’s possible. By their casual nature and the need for these devices to be simple for ordinary users to set up, manufacturers of smart home devices often don’t take basic steps to encrypt their traffic. Inexpensive IoT connected devices may not implement basic wireless network security procedures in their setup—for instance, forcing users to change the default Wi-Fi settings and admin password provided by the router manufacturer.
Most users know to change the network settings on wireless routers and other obvious remote access points, but often forget to do so on some more obscure connected devices. Besides all of this, consumer IoT devices often don’t have robust security measures built into their code, or have poorly implemented ones. For instance, Defcon 23 attendees (Defcon is a popular security conference in Las Vegas) discovered that a Samsung smart refrigerator failed to validate SSL certificates.
But why would a hacker want to know how many eggs you have in your refrigerator? Unfortunately, the potential implications are more sinister than that. Home network security is important, and extends to your business as well. Once a hacker has any access at all to a compromised device on your local network, a whole new world of options opens up for malicious behavior if the hacker is sufficiently skillful. It’s like having a gate pass to a concert—you can’t get into the VIP section if you’re stuck in the parking lot, but if you’re inside the gates, you at least have a chance. In this case, the Samsung refrigerator's security flaws enabled the device to be used to execute man-in-the-middle attacks and steal credentials, such as Google credentials, and other device-specific data such as the MAC address that could be used for further attacks. Imagine losing your email account password to your refrigerator, or letting your router's web interface or router firmware be compromised, and losing your entire network to a changed password!
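What "failed to validate SSL certificates" means on the client side, as an added Python example (not the refrigerator's code, which the page does not show): three client configurations and a check that reports why each would let an interceptor pose as the server. The function names are chosen for this illustration.

```python
import ssl

def flawed_context():
    """Client settings that accept any certificate (the class of flaw described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # the server certificate is never checked
    return ctx

def half_fixed_context():
    """Chain is verified, but a valid certificate issued for any other host is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def hardened_context():
    """Library defaults: verify the chain against trusted CAs and match the hostname."""
    return ssl.create_default_context()

def audit_context(ctx):
    """Return the reasons this context would accept an impostor's certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings

if __name__ == "__main__":
    for build in (flawed_context, half_fixed_context, hardened_context):
        print(build.__name__, "->", audit_context(build()) or "ok")
```

The middle case is the one that slips through reviews: verification is switched on, yet any party holding a valid certificate for some other name is still accepted.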
It's Happened Before
It seems silly to think that a connected device such as a baby monitor or a water bottle could be at fault for a system-breaking hack. But a casino in the United States found out the hard way just how much water can pour through a little crack in the wall from poorly secured IoT devices and other sensitive entry points. Router security is no joke, and any point of entry can be enough for an enterprising hacker.
In the instance of the casino, an internet-enabled thermometer in a fish tank in the lobby ended up granting hackers the opportunity to break through the casino’s network security and steal personal data and information about their wealthiest and most ‘generous’ clientele. A simple security flaw in the device enabled the hacker to breach the Wi-Fi protected access of the device, and then of the casino. Normally, casinos are some of the most secure locations imaginable, with cameras and security implementations everywhere. So as you can imagine, this was a shocking breach of privacy and confidential corporate data, and of course embarrassing for the clients whose losing ways were now a matter of public information. Imagine, an innocuous IoT device bringing down your company, all because basic security procedures weren't followed in various places. In this case, if that device had been offline, or on a completely segregated network access point, or if router settings had been adjusted properly, nothing would have happened.
Quality Isn't A Factor
Many IoT devices are produced cheaply, with little regard for security, and the manufacturers don't issue regular security updates for their devices. Generally speaking, wireless connectivity on such devices is made to be simple rather than secure. That means that anytime there's a chance to connect devices to your company's Wi-Fi, it could serve as an open door to a properly enterprising hacker. And once a good hacker is in, they're in anywhere they want to be.
Once they're online, hackers can use the machines on your network to perform distributed denial-of-service attacks. This is an attack that floods other devices with internet traffic. The attack could be directed at devices within your own company, if your company happens to be the target of the attack, or it could be directed at an entirely external target (for example, the hacker simply wants to leverage your critical infrastructure to launch an attack on some other target.) Your data could also be at risk, as we've covered in many other blogs. Your router's firmware could be flashed to incorporate a hidden flaw. And so on. In short, when your network's security is compromised, a lot of bad things can happen.
Solving The Problem
The solution to this problem is actually quite simple: check the documentation for IoT technology for each device you bring into your network, and turn off the Wi-Fi and disable remote access on smart devices that you don't want to connect to your network. If you don't need Twitter on your refrigerator, fine - don't allow it. If you absolutely have to have such devices connected to your Wi-Fi network for one reason or another, it's better to have a separate Wi-Fi network for these. Be sure to exercise good IoT device management procedures by using unique passwords - don't use the same password for your toaster as anything else! - or by disabling remote administration of these devices entirely. You could even enable the MAC address filtering option available on most routers to specifically exclude traffic from devices other than known ones. Using the internet safely is a matter of securing your internet connected devices from top to bottom. If you don't need to use an IoT system, you should just disable it to be safe.
Beyond that, you can bolster your company’s IT security by maintaining good IT practices on the devices and equipment you have control over. Of course, home network security is a little bit out of your control. You’ll be hard-pressed to demand your employees disconnect their faithful Alexa on their home network, but you’ll want to secure your company laptops with the best antivirus and firewall software available, and ensure your router's firmware is updated and patched. You’ll want to remind your employees to make sure to update their laptops with the latest upgrades and security fixes for Windows, available every month or more. Still, when it comes to your IoT devices, at least the ones that you aren't intending to really use as IoT devices, it's best not to let them online in the first place. Yes, it's really as simple as that. If you don't need to read Twitter on your refrigerator, then don't.
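The checks listed under "Solving The Problem", applied to a device inventory, as an added example that is not part of the original article. The `Device` fields, the `corp-iot` network name and the inventory itself are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

IOT_SSID = "corp-iot"  # assumed name of the separate Wi-Fi network for IoT devices

@dataclass
class Device:
    name: str
    mac: str
    ssid: str               # Wi-Fi network the device was last seen on
    is_iot: bool
    needs_network: bool     # does anyone actually use its online features?
    default_password: bool  # still on the factory admin password
    credential_id: str      # password-manager entry; a shared id means a reused password
    remote_admin: bool

def audit(devices, known_macs):
    """Return {device name: [findings]} for the rules described in the section above."""
    reuse = Counter(d.credential_id for d in devices)
    report = {}
    for d in devices:
        findings = []
        if d.mac.lower() not in known_macs:
            findings.append("MAC not on the router allowlist")
        if d.is_iot and not d.needs_network:
            findings.append("online features unused: turn Wi-Fi off")
        elif d.is_iot and d.ssid != IOT_SSID:
            findings.append("IoT device on the main network: move to " + IOT_SSID)
        if d.default_password:
            findings.append("factory admin password unchanged")
        elif reuse[d.credential_id] > 1:
            findings.append("admin password shared with another device")
        if d.is_iot and d.remote_admin:
            findings.append("remote administration enabled")
        if findings:
            report[d.name] = findings
    return report

# Constructed inventory: names, MACs and SSIDs are made up for this example.
INVENTORY = [
    Device("office-laptop", "02:00:00:00:00:01", "corp", False, True, False, "cred-1", False),
    Device("fridge", "02:00:00:00:00:02", "corp", True, False, True, "cred-2", True),
    Device("lobby-thermometer", "02:00:00:00:00:03", "corp-iot", True, True, False, "cred-3", False),
    Device("door-camera", "02:00:00:00:00:04", "corp", True, True, False, "cred-1", False),
    Device("toaster", "02:00:00:00:00:05", "corp", True, False, True, "cred-4", False),
]
KNOWN_MACS = {d.mac.lower() for d in INVENTORY if d.name != "toaster"}  # toaster was never registered

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, KNOWN_MACS).items():
        print(name, "->", "; ".join(findings))
```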