As new laptops, mobile phones, WiFi routers, smart TVs, tablets, and other internet-connected holiday or year-end purchases make their way into workplaces, IT admins and cybersecurity professionals face the annual challenge of securing those devices. This year the challenge of admitting new internet-connected devices into organizational settings is compounded by the recent crisis posed by the Log4Shell vulnerability.
This vulnerability resides in the Java-based Log4j 2 logging utility, a ubiquitously deployed open-source tool that affects big and small software makers, including those whose software powers internet-connected devices. With a simple, specially crafted string, the Log4Shell flaw can allow malicious actors to achieve unauthenticated remote code execution on hundreds of millions of devices, opening the door for mass-scale ransomware and other malware deployments. Attackers have noticed and are rapidly scanning devices and launching exploits in an increasingly covert manner.
Even before the Log4Shell vulnerability emerged, internet-of-things (IoT) devices had already vastly expanded the attack surface for homes and businesses alike, serving as conduits for all kinds of digital threats, including ransomware. As far back as 2016, researchers at Trend Micro discovered that an Android screen-locking ransomware called Flocker had over 7,000 variants capable of locking smart TV screens.
Malware, including ransomware, has infiltrated or been demonstrated for many devices, including smart thermostats, voice-activated speakers, garage door openers, drones, baby monitors, coffee machines, and even digital picture frames. In one of the more extreme cases of IoT hacking, researchers at Darktrace discovered that a casino had been hacked through a PC-connected sensor in its fish tank.
Not only do IoT devices leave networks vulnerable to malware, but they can also be used to amass computing and attack power for malicious botnets. IoT devices were famously used in the Mirai botnet, which in 2017 launched powerful distributed denial-of-service (DDoS) attacks on major websites using millions of compromised internet-connected devices.
More recently, the Mozi peer-to-peer botnet exploits weak passwords on network gateways and digital video recorders to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution. As Microsoft’s IoT security researchers documented earlier this year, Mozi has gained persistence on Netgear, Huawei, and ZTE routers, enabling bad actors to perform man-in-the-middle attacks to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities.
Accurate, actively maintained asset inventories are essential for IoT devices
Countless other examples of threat actors exploiting IoT devices underscore the threat that these devices can pose. The real question is: how can organizations best secure their devices and those of employees who bring new devices into brick-and-mortar or virtual, work-from-home office spaces?
From a cybersecurity risk management perspective, any network manager’s single most critical priority is to keep and, equally importantly, maintain an up-to-date and comprehensive asset inventory. An accurate and current asset inventory is crucial to protecting internet-connected devices, along with all of the other assets and data of the organization. As the old cybersecurity adage goes, you can’t protect what you don’t know you have.
“Asset inventory and asset monitoring are definitely mandatory,” says Dr. Andrei Costin, CEO and co-founder of IoT firmware security company Binare.io. Another crucial step to securing IoT devices is to check for software updates for these devices. “This is not an easy thing to do because maybe the devices do not support automated updates.”
This does not happen on most IoT devices, particularly consumer devices, Costin says. “It’s kind of a blind spot for many IT and OT teams across organizations. They have an asset inventory, but they cannot know if it’s the latest version or if there are any software updates. It has to be done manually or in some kind of unorthodox way.”
Network segmentation and SBOMs are other essential IoT security tools
Employee personal devices should theoretically be segmented on the network in a way that keeps them far away from the most sensitive and highly prioritized assets. But network segmentation is a complex challenge for most organizations to accomplish effectively. “Segmentation is much harder in practice,” Costin says.
IoT devices are particularly vulnerable and exposed to the Log4Shell vulnerability because they are not easy to patch. Moreover, it’s challenging to check the software components in the devices to determine if the Log4Shell vulnerability is present. Binare.io has already found the flaw in a range of TP-Link Wi-Fi networking equipment.
Software bills of materials (SBOMs), which list the individual components that go into any piece of software and operate as “ingredient lists,” could, if universally adopted, go a long way toward helping organizations know what’s inside their IoT devices. Today SBOMs are not widely used or available. But the federal government’s National Telecommunications and Information Administration (NTIA), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST) are working to make SBOMs a reality.
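To show how an SBOM turns the Log4Shell question into a lookup rather than a manual firmware check, here is an added example (not code from the article or from Binare.io) that reads a constructed CycloneDX-style SBOM and flags Log4j 2 core components inside the affected version range. The range constants and the sample component list are assumptions for illustration; vendor advisories remain the authority on what a given device actually ships.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON style; not taken from any real device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
    ],
})

# Affected Log4j 2 range for Log4Shell (assumption drawn from public advisories; verify for your deployment).
AFFECTED_MIN = "2.0-beta9"
AFFECTED_MAX = "2.14.1"

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    Numeric parts compare first; a pre-release suffix sorts below the bare release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))           # pad so that 2.0 compares equal to 2.0.0
    if m.group(2):                           # pre-release tag such as beta9 or rc1
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)                     # final release ranks above any pre-release
    return (tuple(nums), pre)

def is_log4shell_affected(group, name, version):
    """True only for the Log4j 2 core artifact inside the affected range.
    log4j-api and the Log4j 1.x line are not the Log4Shell issue."""
    if group != "org.apache.logging.log4j" or name != "log4j-core":
        return False
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)

def flag_components(sbom_json):
    """Return 'group:name:version' strings for every affected component in the SBOM."""
    sbom = json.loads(sbom_json)
    hits = []
    for c in sbom.get("components", []):
        if is_log4shell_affected(c.get("group", ""), c.get("name", ""), c.get("version", "")):
            hits.append(f"{c['group']}:{c['name']}:{c['version']}")
    return hits
```

Run against a real device SBOM, the output is the list of components that need a vendor firmware update, which is exactly the information the asset inventory cannot supply on its own.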
Cynthia Brumfield is the author of Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework, which spells out the essential risk management steps organizations can take to make their assets more secure, including asset inventories, network segmentation, and SBOMs. She also runs a cybersecurity news destination, Metacurity.