From cars to home electronics to medical machines and industrial sensors and controls, all types of devices are gaining the ability to communicate. Generally this is known as the Internet of Things (IoT), although Cisco refers to it as the Internet of Everything (IoE).
IoT is enabled by several factors, including: the ability to add inexpensive sensors and communication capabilities to all types of devices; the adoption of IPv6 as a standard communications protocol, thus enabling billions of devices to be uniquely identifiable; and the ubiquitous nature of communication channels such as WiFi, Bluetooth, cellular, satellite and wired networks.
IoT is sure to bring a lot of value to businesses. GE estimates that the “Industrial Internet” alone has the potential to add 10 to 15 trillion dollars to global GDP over the next 20 years. Cisco forecasts $19 trillion in global economic value created by IoE by the year 2020. In terms of the sheer number of Internet-connected devices, ABI Research forecasts that the number of devices will exceed 40 billion in the next five years.
That's a lot of devices creating a lot of value, and while most of those devices will perform some type of beneficial activity, it isn’t all rainbows and sunshine.
Even as IoT grows exponentially, the ability to monitor and secure these devices lags far behind and, in many cases, is completely non-existent. Cyber spies and cyber criminals of every ilk will surely parlay this technology into a new threat vector, which network visibility company Pwnie Express calls "the Internet of Evil Things" (IoET). Malicious actors are already utilizing IoET to surreptitiously steal data and information, to spread malware, to create botnets, to launch denial of service attacks, to commit industrial sabotage, and to infiltrate public and private networks.
Pwnie Express recently published the industry report The Internet of Evil Things: The Rapidly Emerging Threat of High Risk Hardware, which outlines threats from all sorts of rogue devices, including:
- Rogue/unauthorized/evil wireless access points
- WiFi/Bluetooth hacking gear
- Hacking/pentesting drop boxes
- Mobile/cellular hacking gear
- Wireless keylogger hardware
- Covert micro-computing devices
By operating at the lowest layers of the network stack, rogue hardware can compromise all other layers of defense. Today’s rogue devices can circumvent Network Access Control (NAC), domain authentication, network and wireless intrusion prevention systems (IPS), application-aware firewalls, high-security wireless deployments and even HTTPS/SSL encryption. A single rogue device can expose a tremendous amount of sensitive information to a cyber criminal, including sensitive data, passwords, keystrokes, SSL certificates, and even entire VoIP conversations.
According to Pwnie Express, the top device threats generally fall into one of three categories:
- Shadow IT and high risk BYOx devices
- Unsecured and vulnerable IoT devices
- Intentionally malicious hardware now available as commodity items
The first two categories seem pretty obvious in terms of the kind of devices in question. You have the usual suspects, like jailbroken smartphones used for BYOD, and insecure smart TVs and hackable smart meters. It's the third category of malicious hardware that is pretty scary. Pwnie Express calls it "plug and play espionage."
Devices in this category used to be expensive and highly specialized; now they are commodity items that can be purchased for as little as ten bucks. Here's just a partial list of the type of devices mentioned in the Pwnie Express report:
- Purpose built, application specific devices designed to capture passwords, credit and debit card numbers, PINs, keystrokes and confidential or proprietary data
- Devices designed to breach WiFi networks, wireless access points, wireless/mobile client devices and Bluetooth devices
- Devices that compromise the security of cellular networks, cell towers, base stations, cellular and mobile devices, SMS and text messaging services and pagers
- Devices designed to attack other commonly used RF technologies, such as RFID and NFC, Zigbee, Z-Wave, GPS, satellite, wM-Bus, Dash7 and 6LoWPAN
The report says that, once deployed, malicious hardware devices can operate for weeks, months or even years without detection. They are often remotely controlled by covert channels, WiFi, Bluetooth, 4G/LTE cellular and sometimes even text messages. Powered by AC, USB, PoE or battery packs, many of these devices are small enough to hide almost anywhere. In the wild, they’ve been spotted under desks, behind baseboards and wall jacks, and inside desk phones, power strips, Ethernet couplers, UAVs/drones and even custom 3D-printed enclosures.
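Because rogue hardware plugs in below every higher-layer control, the defender's first line of visibility is an inventory of what is actually on the wire. The following is an added example, not code from Pwnie Express or from the report, that shows one simple form of that check: it parses DHCP lease lines in a dnsmasq-style format, compares each leased MAC address against an authorized-asset inventory, and raises the severity when an unknown device's OUI (the first three octets) falls in a watch list of hardware classes the report calls out, such as small single-board computers. The inventory, the OUI watch list and the log lines are all constructed sample values, not real assets or vendor prefixes.

```python
import re
from collections import namedtuple

# Constructed sample: the authorized asset inventory a defender maintains,
# keyed by lower-case MAC address. Hostnames and addresses are hypothetical.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "print-3f-hp",
    "00:1a:2b:3c:4d:5f": "ws-finance-01",
    "d4:e5:f6:00:11:22": "desk-phone-3f-07",
}

# Constructed sample: OUI prefixes the defender has chosen to watch because
# they belong to hardware classes often used as drop boxes or covert
# micro-computers. These prefixes are placeholders, not real vendor OUIs.
WATCHED_OUIS = {
    "b8:27:eb": "single-board computer",
    "24:0a:c4": "low-cost WiFi module",
}

Finding = namedtuple("Finding", "mac ip hostname risk reason")

# Matches a dnsmasq-style DHCPACK line: interface, leased IP, MAC, optional hostname.
DHCPACK_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?:\s+(?P<host>\S+))?"
)


def normalize_mac(mac):
    """Lower-case the MAC so inventory lookups are case-insensitive."""
    return mac.lower()


def assess_lease(ip, mac, hostname):
    """Rate a single lease: none (known), low (known MAC, odd hostname),
    medium (unknown device), high (unknown device with a watched OUI)."""
    mac = normalize_mac(mac)
    if mac in AUTHORIZED_DEVICES:
        expected = AUTHORIZED_DEVICES[mac]
        # A known MAC announcing a different hostname than the inventory records
        # can indicate a cloned address and deserves a look, but at low severity.
        if hostname and hostname != expected:
            return Finding(mac, ip, hostname, "low",
                           f"known MAC but hostname differs from inventory ({expected})")
        return Finding(mac, ip, hostname, "none", "in asset inventory")
    oui = mac[:8]
    if oui in WATCHED_OUIS:
        return Finding(mac, ip, hostname, "high",
                       f"unknown device, watched OUI ({WATCHED_OUIS[oui]})")
    return Finding(mac, ip, hostname, "medium", "unknown device, not in asset inventory")


def scan_dhcp_log(lines):
    """Return one Finding per distinct MAC that is not simply 'in inventory'."""
    findings = []
    seen = set()
    for line in lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines carry no confirmed lease
        mac = normalize_mac(m.group("mac"))
        if mac in seen:
            continue  # report each device once per scan
        seen.add(mac)
        finding = assess_lease(m.group("ip"), mac, m.group("host") or "")
        if finding.risk != "none":
            findings.append(finding)
    return findings


# Constructed sample log lines in dnsmasq-style syslog format (not a real capture).
SAMPLE_LOG = [
    "Mar  3 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.20 00:1a:2b:3c:4d:5f ws-finance-01",
    "Mar  3 09:12:44 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.31 b8:27:eb:aa:bb:cc raspberrypi",
    "Mar  3 09:13:10 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.32 12:34:56:78:9a:bc mobile-device",
    "Mar  3 09:13:55 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.33 d4:e5:f6:00:11:22 generic-host",
    "Mar  3 09:14:02 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 24:0a:c4:de:ad:01",
    "Mar  3 09:14:03 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.5.34 24:0a:c4:de:ad:01",
]

if __name__ == "__main__":
    for f in scan_dhcp_log(SAMPLE_LOG):
        print(f"[{f.risk:6}] {f.ip:12} {f.mac}  {f.hostname or '-':18} {f.reason}")
```

On the sample log this flags the single-board computer and the WiFi module as high, the unlisted device as medium, and the desk phone's address announcing an unexpected hostname as low. Link-layer addresses are trivially changed, so an inventory diff like this is a tripwire, not proof of absence: a device that never requests a lease, or that copies an authorized address, will not appear, which is why the report pairs asset inventory with switch-port, wireless and physical inspection.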
Pwnie Express says that combating IoET cannot and should not be a single company initiative. The company is calling upon security professionals to: help identify and catalog all known IoET devices in a referenceable public database; formalize an industry standard taxonomy and classification system for IoET devices, including a risk rating methodology; and assess the scope, prevalence and impact of IoET devices in real-world network environments.
If you'd like to join the "IoET SWAT Team", go to www.internetofevilthings.com to learn how you can get involved.