aquila-inc

Armis Breaks Down Vulnerabilities in the Internet of Things

IoT (Internet of Things) has been the buzzword in security for the last 18 months. There have been a number of high-visibility breaches in which these devices were the way in (one involving a Wi-Fi-connected fish tank comes to mind), and there is a lot of information and talk about them out there. I wanted to take a moment to address the hysteria and try to give it some context, at least from my perspective. A common criticism is that these devices are unmanaged. I read that a lot, but what does it mean? Many of these devices have administrative interfaces or applications to manage them, don’t they?

https://armis.com/shiot-happens-hacked-vending-machines-snack-on-your-data//

When I read about “unmanaged” devices I really think people mean “these devices are different; they don’t fall under our existing policies, controls, or management tools”. If you’re an Ansible shop, finding a playbook to help you monitor whether a fish tank is compliant with your org’s security policy is not going to be very likely. Something might support SNMP, but have you added the right MIBs to your monitoring tools? Further, how do you enforce password complexity requirements on a device if its password entry field has a character limit lower than the minimum length in your org’s policy?

The other reason I think IoT has been under such scrutiny is that it is an extremely diverse space with a lot of producers, sourcing components and software from all over the place. The range in build quality is astounding, and the rush to get products into these markets is such that even brands you know and trust may be stapling code onto cheap hardware to meet quarterly goals. Further, the requirements for many of these devices don’t even remotely map to things we’re used to. A wireless AP can (within reason) be expected to undergo pretty rigorous penetration testing and hardening before it’s released. A wireless lightbulb needs to turn on and off. It may rely on a cloud service; that cloud service may offer code updates; and you may or may not have any control over whether the lightbulb pulls down a software update, or when it does.

My feeling about these kinds of devices has been to treat them like I treat vendors and contractors: segmentation, monitoring, and access controls. The linked blog post is from our partner Armis, which uses a network-sensor based approach to classify, categorize, and monitor devices on your network to determine whether they’re behaving like other devices of the same type. I think this is novel and offers a lot of interesting capabilities in terms of reining in these devices if your network already has them sprinkled across it.
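To make the “behaving like other devices of the same type” idea concrete, here is an added example (my own illustration, not Armis’s product logic) that groups constructed flow records by device type and flags any destination that only one device in a peer group ever talks to; device types, hostnames and ports are all made up.

```python
from collections import defaultdict

# Constructed sample flow records: (device_id, device_type, dst_host, dst_port).
# Invented for this example; the hostnames are not real systems.
FLOWS = [
    ("cam-01", "ip-camera", "nvr.internal", 554),
    ("cam-02", "ip-camera", "nvr.internal", 554),
    ("cam-03", "ip-camera", "nvr.internal", 554),
    ("cam-01", "ip-camera", "ntp.internal", 123),
    ("cam-02", "ip-camera", "ntp.internal", 123),
    ("cam-03", "ip-camera", "ntp.internal", 123),
    ("cam-03", "ip-camera", "fileserver.internal", 445),    # no other camera does this
    ("bulb-01", "smart-bulb", "cloud.vendor.example", 443),
    ("bulb-02", "smart-bulb", "cloud.vendor.example", 443),
    ("bulb-02", "smart-bulb", "cloud.vendor.example", 443),  # repeat flow, same destination
    ("tank-01", "fish-tank", "cloud.tank.example", 443),     # only one of its kind
]


def peer_baselines(flows):
    """Map device_type -> {(dst_host, dst_port): set of devices using it}."""
    baselines = defaultdict(lambda: defaultdict(set))
    for dev, typ, host, port in flows:
        baselines[typ][(host, port)].add(dev)
    return baselines


def flag_outliers(flows, min_peers=2):
    """Return (device, type, host, port) for destinations no peer of the
    same type uses. Types with fewer than min_peers devices are skipped,
    because a group of one has no baseline to deviate from."""
    baselines = peer_baselines(flows)
    peers_by_type = defaultdict(set)
    for dev, typ, _, _ in flows:
        peers_by_type[typ].add(dev)
    findings, seen = [], set()
    for dev, typ, host, port in flows:
        if len(peers_by_type[typ]) < min_peers:
            continue
        key = (dev, typ, host, port)
        if baselines[typ][(host, port)] == {dev} and key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


if __name__ == "__main__":
    for finding in flag_outliers(FLOWS):
        print("peer-group outlier:", finding)
```

Lowering `min_peers` to 1 also reports the lone fish tank, which shows why a singleton device class cannot be baselined against peers and needs segmentation and explicit access controls instead.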

Stephen Crim