Nov 24, 2019
It's no secret that a lot of time and money has been put into making sure your office computer and smartphone are secure from hackers, but what about other connected devices? The Internet of Things (IoT) has opened up a whole new pathway for hackers to infiltrate company networks. Any device connected to the internet through a company's network could be a potential target.
For example, in 2015, researchers demonstrated an attack against a smart refrigerator that exposed Gmail login credentials. Any smart device has the potential to become a hacker's Trojan horse that makes its way inside a company's seemingly secure network.
We're used to seeing attacks against network servers, routers and even printers—recently proved by a group of Russian hackers who managed to get into Microsoft's corporate network via an office printer. At-risk devices that are often overlooked, however, are smart devices whose processors and controllers tend to be smaller and lower-cost. There are now smart coffee makers, smart computer monitors with video cameras, smart lights, and smart locks that can both access and be managed through the internet. The security inside these devices is often minimal and sometimes nonexistent, which makes them easy targets for bad actors.
The main reason these devices are insecure is cost. It takes time and engineering effort to build strong security into products. This usually requires adding hardware and software to a device, which increases manufacturing costs. Devices thought to be reasonably secure when shipped can become insecure later on, as new attacks and vulnerabilities are constantly being discovered. Mitigating this requires building the ability to update security methods directly into the device—which, again, adds cost. Finally, customers typically don't want to pay more money for a more secure product. They tend to prefer new features to strong security. All this prompts manufacturers to place a low priority on product security.
So what happens when a smart device is hacked? There is certainly the possibility of an attacker causing mischief. For example, remotely turning a smart refrigerator off, or a smart coffee maker on, has the potential to create a big physical mess. More importantly, these devices can be used as a platform to launch attacks against the company's wider network. An attacker might not be able to penetrate a company's network server directly, but it might succeed by first compromising an IoT device and then launching the attack from that device inside the network. From there, hackers could have the ability to scan for other insecure devices and look for more valuable targets within the network, thereby accessing valuable data.
While no connected device is unhackable, there are steps a company can take to protect its network from attacks. The easiest and most effective way is to keep these devices off your company's network in the first place. Organizations should have a policy regarding what devices are allowed to be connected to a network, and any device connected to that network should first be cleared by the organization's IT security department. Only devices that are absolutely necessary should be allowed, and they should be configured to operate in the most secure manner possible. Organizations also need to remain informed about new attacks, so they can remove affected devices from their networks, apply patches to them or reconfigure them to mitigate the attacks.
Protecting against attacks at the device level can get more complicated. At Rambus, we have developed hardware called the CryptoManager Root of Trust, along with software to run on it, which can be used to defend against attacks on IoT devices. The CryptoManager Root of Trust can either be integrated into an IoT device itself or be manufactured into a separate gateway. It can help protect against attacks by acting as a firewall, controlling all access and traffic into and out of the devices, and disallowing any actions that could compromise the device.
While offices have the potential for a number of security weak spots, there's one place even more vulnerable to an attack: home. Stay tuned for part two of this report, which will detail common weaknesses in home networks and how to protect against attacks.
Mark Marson has more than 25 years of experience in developing security solutions for commercial and classified applications. As the technical director at Rambus-owned Cryptography Research, he contributes his expertise on cryptography, side-channel analysis and hardware security applications. Trained in cryptography and cryptanalysis, Mark has additional expertise in hardware and software design. He previously worked at the National Security Agency for more than six years as a senior cryptographer, and for five years at Raytheon's Space and Airborne division, where he developed anti-tamper systems. Mark received his undergraduate degree in mathematics from SUNY Binghamton, and his Ph.D. degree in mathematics from UC San Diego.