From fish tank thermometer to the ‘Internet of Threats’

Every security professional’s worst nightmare is overlooking the signs of a cyberattack and failing to spot that they have been hacked. Today, one third of cyberattacks are the result of unanticipated, not-yet-known hacking methods. We also live in the age of connected devices that truly represent the “Internet of Threats”: hundreds or thousands of different devices, manufactured by multiple vendors and running on multiple platforms, some correctly patched and some not, all connected to a corporate network where organisations store their most sensitive digital assets. And with developments in 5G technology, you can surely expect an increase in the number of connected devices at home, in the car and in the office. Any of these devices can potentially be a source of a data breach, even a fish tank.

While you may think that I am just using a poetic exaggeration to grab your attention, I have an example to present to you: a fish tank was actually identified as a source of a data breach in a casino. In 2017, a hacker had scanned casino IP addresses searching for a device that they could control. The scan revealed a smart thermometer attached to a large aquarium that shared temperature data with the employees responsible for the aquarium’s upkeep. The thermometer needed a network to connect to in order to share its data, and which one did it use? You guessed it, the casino’s private network.

After the device was hacked, the attacker gained access to the casino network and stole private data on casino customers, uploading the data to their server overseas. The above story should paint a picture in your head of why this is truly the “Internet of Threats”.

There are more threats than you think

Threats are truly all around us. Technology is everywhere: we have digital assistants that are constantly listening to us, video game consoles with cameras, digital locks on our doors, and the list goes on. You might think that since you do not have such devices in your office, there is nothing to worry about, but that is where you are wrong. The office is filled with connected devices, from networked printers with Wi-Fi capabilities to security systems linked to external vendors. Most of the time, we are not fully aware of all of the IoT devices that are connected to the private network, and this can lead to dangerous situations like the one above. IoT is broadly considered to be anything in your domain that could possibly connect to the internet, or even just your network. To say it’s time to pay attention to this threat is truly an understatement. It is already happening now.

Back in 2016, StarHub, a major telecommunications provider in Singapore, was the victim of massive DDoS attacks launched via compromised IoT devices against its Domain Name System (DNS) infrastructure. It is reported that two attacks were carried out through home broadband networks, causing huge volumes of traffic on the DNS server and leaving customers unable to access the web for about two hours.

In 2018, the Cyber Security Agency of Singapore (CSA) released a report with six anticipated cyber trends that will most likely occur as we transition into higher levels of connectivity after Singapore’s worst cyber-attack – the SingHealth data breach. It highlighted that through IoT, smarter buildings and connected systems may be exposed to greater risks of attack or exploitation by malware.

Why is this happening?

The first step towards mitigating such risks is to understand how and why these devices are a threat to begin with. For many manufacturers, the notion of security might come as an afterthought to innovation. For instance, if a company is producing hundreds of thousands of network-connected thermometers, the notion of installing and managing unique encryption keys between those devices might seem ridiculous and expensive. Sometimes the security is there, but when mismanaged, it can be likened to leaving the front door not only unlocked but wide open. A common and often forgotten example of this is installing a new networked printer in your house and ignoring the fact that the printer itself has a built-in Wi-Fi router that you did not disable, with a default access password that you forgot to change. The chance that the printer has a vulnerability that attackers can exploit to access your personal files is too high a risk to ignore completely.

In a world of best intentions, your corporate brand and the private data of your users are simply too valuable to play games with. We must go the extra mile and do everything we can to make sure all devices are indeed secured – so how exactly do we go about doing this?

How to address the internet of threats

Once we are aware of possible threats, we become more diligent about the way we interact with teams, third-party partners, or strange devices potentially connecting to our network. This is where you should ask those who connect to your network as many security questions as possible, to see if they can disable certain network features you know your company will not need. You should also ask about the possibility of enhanced security on these devices, where a user must own a signed certificate that proves their ability to connect. Most devices these days do support certificate-based authentication, and that might not be a bad idea to embrace.

Consider setting up a public network specifically designed for guests or devices that have no access to your company’s internal assets – such as the thermometer that started this story. It is very difficult to tell if these IoT devices are creating a vulnerability on your network, so why would you allow such an unknown and unpredictable threat onto the corporate network to begin with?

Many have begun to realize that there are some very significant similarities between networked devices and users. In fact, an entire boutique industry has sprung up around the notion of IAM for IoT.

Think of it this way: a device’s lifetime in your domain follows many common principles of Identity and Access Management (IAM):

  1. An individual device can be provisioned and recorded into the IAM system
  2. A device is often associated with a specific account or credential for obtaining access
  3. A device’s credential should be restricted in what it can and cannot have access to on the network
  4. A device’s account should be closely monitored and observed via analytics for unusual behaviour
  5. It should be possible to remotely shut down a device’s access without unplugging it from the network
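
The five principles above can be modelled as a small device registry. This is an added example, not code from the article or from any IAM product; the bearer token stands in for whatever credential is used (for instance a device certificate), and the device id and hostnames are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Device:
    owner: str
    token_hash: str      # only a hash of the per-device credential is stored
    allowed: frozenset   # (host, port) pairs this device may reach
    active: bool = True

class DeviceRegistry:
    def __init__(self):
        self.devices, self.alerts = {}, []

    def provision(self, device_id, owner, allowed):
        token = secrets.token_urlsafe(32)  # principles 1-2: record + unique credential
        self.devices[device_id] = Device(owner, _digest(token), frozenset(allowed))
        return token

    def authorize(self, device_id, token, host, port):
        dev = self.devices.get(device_id)
        if dev is None:
            reason = "unknown_device"      # default deny
        elif not dev.active:
            reason = "revoked"
        elif not hmac.compare_digest(dev.token_hash, _digest(token)):
            reason = "bad_credential"
        elif (host, port) not in dev.allowed:
            reason = "out_of_policy"       # principle 3: least privilege
        else:
            return True
        self.alerts.append((device_id, reason, host, port))  # principle 4: monitoring feed
        return False

    def revoke(self, device_id):
        self.devices[device_id].active = False  # principle 5: device stays plugged in

def demo():  # constructed sample: an aquarium thermometer limited to one telemetry feed
    reg, feed = DeviceRegistry(), ("telemetry.example.internal", 8883)
    tok = reg.provision("tank-thermo-01", "facilities", {feed})
    before = [reg.authorize("tank-thermo-01", tok, *feed),
              reg.authorize("tank-thermo-01", tok, "crm-db.example.internal", 5432)]
    reg.revoke("tank-thermo-01")
    return before, reg.authorize("tank-thermo-01", tok, *feed), reg.alerts
```

Every denied request lands in `alerts`, so a thermometer that suddenly asks for a customer database produces a record to investigate even though the connection itself was refused.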

With more households in Singapore equipped with IoT devices such as smart appliances, these unprotected applications are presenting themselves as attractive targets for hackers. What’s more, many IoT device users do not change the default login credentials, which gives rise to incidents that have resulted in Singapore being named in the top five destinations for IoT attacks.

To put it simply, knowing is half the battle. For too long now, users have blindly plugged devices into any network available without ever considering the consequences of doing so. Realistically, who would have ever thought that an aquarium thermometer could be the source of a breach? But those days are long gone: it is time to do a review and get those devices secured and managed.