As I have said before, the Internet of Things is going to be a bit of a security ‘challenge’. Here is just one simple example.
The security company Rapid7 analyzed a number of home video baby monitors. You know, the kind where you can put a monitor in the bedroom and you or the baby’s grandparents can watch little Sammie from halfway around the planet. Well, 10 out of 10 failed the security test.
My curiosity got piqued after a story was posted about this guy who bought one of these monitors on Amazon but then returned it. He had, however, already installed the software on his phone, and a few days after he returned it, he started getting email alerts from the monitor. Curiosity got the best of him too, so he opened the software and, lo and behold, he was looking into someone’s bedroom and things most people don’t want displayed on the Internet. Apparently, the vendor had no security, by default.
What are some of the key takeaways from the paper?
- “It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel.”
- “Finally, this paper also discusses the insecure-by-default problems inherent in the design of IoT devices, the difficulty for vendors to develop and deliver patches, the difficulties end-users face in learning about, acquiring and applying patches once developed and the friction involved in reporting issues to vendors in a way that is beneficial to end-users.”
- “IoT devices are actually general purpose, networked computers in disguise, running reasonably complex network-capable software. In the field of software engineering, it is generally believed that such complex software is going to ship with exploitable bugs and implementation-based exposures.”
- “The presence of devices that are insecure by default, difficult to patch, and impossible to directly monitor by today’s standard corporate IT security practices constitutes not only a threat to the IoT device and its data, but also to the network to which it is connected.” … “Today, employees’ home networks are rarely, if ever, ‘in scope’ for organizational penetration testing exercises, nor are they subject to centralized vulnerability scanners.”
Before you say that you don’t have any baby monitors in your office, think about this. Many employees work from home – either at night or on a regular basis. That baby monitor is on the same WiFi connection as your corporate laptop. The baby monitor is a reasonably sophisticated networked computer. Your employee’s home network is likely nowhere near as well protected as most corporate networks. Just connect the dots.
While some hacking is targeted, most hackers just troll to see what they can find. Just as Target was breached through a small refrigeration maintenance company, your company could be hacked through a rogue baby monitor.
Information for this post came from Rapid7.