There are currently just a hair less than 7 billion people on earth. For comparison, there are already 14.4 billion Internet of Things (IoT) devices (including XIoT or Extended Internet of Things). And by their very nature, IoT devices are connected, so even the harmless devices equipped with “gimmick” WiFi connections can act as a portal to pretty much everything else. For hackers, this means IoT devices are likely the next golden ticket to all the information on your laptop, your work system, your business, and your life.
Claroty, a cybersecurity specialist in IoT protection, recently published a report on XIoT security. We sat down with Sharon Brizinov, Director of Security Research at Claroty, to find out if XIoT devices – combined with basic human nature – could represent a next-generation system weakness.
Why the tide rises
We understand that XIoT vulnerabilities are increasing. Is that just because there are more XIoT devices in general, or is there more to it?
There are four answers to that. First of all, yes, there are more devices connected every year, so there is a natural wavefront – more devices means more vulnerabilities under normal circumstances. I am sure you are using more and more devices. Every year you have more phones, your fridge is connected to the internet, you know, everything is getting smart and connected to the internet. So yeah, definitely, we’re seeing a lot more IoT devices. And that’s why attackers are interested in exploiting them.
The second reason is that hackers love new challenges and the challenge of IoT security is becoming more and more interesting for attackers. So they try to exploit more devices. In doing so, they encounter various weaknesses. Most of them are low-hanging fruit, so they report the weak points as well. And that’s why we have more vulnerabilities overall.
The third reason is that vendors are producing more IoT devices and many of them are not sufficiently secured. They are produced and manufactured with little or no security assurance and in many cases they are misconfigured. This gives an attacker an ability and the option to exploit it.
But the fourth reason is simple: many users don’t take the time to properly backup their devices. And so attackers get more options and more chances to exploit them.
The human factor
You can see that from a manufacturer’s perspective, there is a disincentive to rely too heavily on security in order not to make it too expensive to sell. But again, there’s a human element at work here – people who then buy these devices and say, “This is a fridge – why do I need to secure my fridge?”
Yes, of couse. I can attest to that from my own experience. I bought a new washing machine that came with Bluetooth connectivity and an iPhone app. In addition, my wife bought a toothbrush with Bluetooth connectivity that connects to her iPhone. Now she can track how many teeth she brushes each day and for how long. So you know, it’s getting almost ridiculous what devices are connected to the internet, and the possibility that an attacker could now take control and run ransomware on my toothbrush is just hilarious. Accordingly, in many cases, asset owners are surprised and think they don’t need to secure their new technology. But that’s part of the human element – and as technology advances, they need to understand that, yes, from the toothbrush on up. You must treat and secure every connected device in the same way.
We wanted to ask – what exactly can hackers do with the data they get from hacking a toothbrush?
Aside from the basic hardware hacking challenge? That’s what people don’t understand enough. Sure, an attacker can hack a toothbrush, and it sounds fun. But the toothbrush is connected to the wifi. And the WiFi is connected to the entire smart home.
They could then use other devices from the toothbrush – and This is the real danger, because everything is hyper-connected. And in a business context, from one device you can work out your position in the network from an attacker’s perspective and attack other devices. and This is the risk we are trying to mitigate.
The open door
So the fundamental point of XIoT devices—their connectivity—coupled with manufacturers’ misconfiguration and owners’ laziness in ensuring they’re properly protected—is like a relatively unlocked door for attackers to wreak havoc?
Exactly. Because remember that. How much time would a seller invest to protect the toothbrush? Not very much. And I would assume they wouldn’t test it for vulnerabilities either. So let’s say the toothbrush is not secured. And it is WiFi connected. And somehow the attacker managed to hack the toothbrush. Then they could eventually switch from the toothbrush to other devices. And that entry point, that low-hanging fruit for the attacker is what they need to exploit other devices. That’s the real danger.
We will never look at our smart toothbrushes in the same light again…
In Part 2 of this article, we learn what asset owners, from people with toothbrushes to companies with warehouses full of IoT sensors, can do to mitigate the rising tide of IoT-specific security threats.