The Internet of Things is a phrase that is bandied around a lot at the moment and in a nutshell, it is when a multitude of devices all talk a common language over the Internet connections. The positive effects of this are clear. Suddenly, we are able to control our gadgets remotely, and gain additional services from them that enhance our lives and businesses. The downside is that connected devices have already been exploited, causing concerns about security and privacy. Worse still is that within businesses, when data is particularly sensitive the implications of a breach can be catastrophic.
In the workplace, everything from security cameras, Internet routers and industrial control systems are just a few examples of gadgets that are vulnerable. Common threats that we have seen pose a risk to these types of devices recently are worms that can attack the Linux operating system.
For example, the Darlloz Linux worm is one that has been created specifically to exploit the Internet of Things. This threat is able to infect devices such as routers, cameras, and entertainment systems. Although the recent reports of a refrigerator sending spam were unfounded according to our research, such attacks using the Internet of Things are possible and more likely in the future.
Danger of the unknown
What is particularly worrisome about these kinds of threat is that, in many instances, the end-user may have no idea that their device is running an operating system that could be attacked. The software is, by and large, hidden away on the device. Another potential issue is that some vendors don’t supply updates, either because of hardware limitations or outdated technology, such as an inability to run newer versions of the software.
For those interested in discovering your connected devices and looking at ways of gaining access to them or infecting them with malware, the tools of the trade aren’t difficult to find. The search engine Shodun enables people to search for a range of Internet-enabled devices. Everything from cars, building heating control systems to water treatment plants are searchable. If a device is simply found using Shodan, it does not mean a device is vulnerable. However, services such as Shodan do make it easier for devices to be discovered if attackers know of vulnerabilities in them.
There are more connected devices than ever before, which is great because they enable us to work smarter and have access to a greater amount of control and convenience. Wifi chipsets are cheaper to produce, an updated version of Internet Protocol that enables devices to communicate (IPv4) is being adopted, and a new ‘Internet of Things friendly’ version of Bluetooth are combining to ensure that this level of connectivity remains prominent. And so whether you run or work at a small or medium company, or even within at home, you’ll see these devices becoming commonplace.
The response to potential threats shouldn’t be panic, it should be preparedness. There are some simple steps to take to secure your business network and ensure your devices don’t introduce a host of vulnerabilities.
- Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks;
- If something you own is connected to your business network, there is a possibility that it is accessible over the Internet and thus needs to be secured;
- Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed;
- Change any default passwords to something that is only known by the administrator of your office network. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols will generate a strong password; and
- Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.
Dick O’Brien, Senior Information Developer at Symantec.
Share this story