At first glance, the report on Internet of Things security that vendor Dark Cubed published in March isn’t cause for concern among channel pros, as the massive and worsening vulnerabilities it describes are limited largely to consumer devices. Unfortunately, that false sense of safety dissipates quickly when you speak with Dark Cubed CEO Vince Crisler.
“I don’t think there’s a big difference between consumer devices and the IoT that businesses use,” said Crisler this week at the ChannelPro SMB Forum event in Raleigh, N.C. “The same cameras, the same light bulbs are showing up in SMBs.”
That’s a problem, too, because many of the devices Dark Cubed tested while preparing its report failed basic security checks and had significant vulnerabilities. Most of the cameras, meanwhile, did little to prevent “man-in-the-middle” attackers from viewing private images in transit across the internet. Threat actors are likely to find additional unintended uses for IoT hardware in the future as well, according to Crisler.
“When IoT devices can easily be exploited because they have bad security in place, they can be used as tools for all sorts of things, and that’s actively being exploited today,” he says.
The distributed denial of service attack that slowed VoIP services last week is a case in point. Though the role Internet of Things devices played in that incident is unknown at present, Crisler expects to see IoT-powered DDoS campaigns in the future.
“If you think about the effect that ransomware has had on the market, where if you lock people out of their files they pay, what happens if you’ve locked people out of their infrastructure?” he asks.
Crisler worries as well about the national security implications of American businesses deploying gadgets made by Chinese companies operating in an economy closely controlled by the Chinese government. Every device Dark Cubed evaluated when preparing its March IoT security report, in fact, had “strong supply chain and business connections to China,” the company says, and most had at least one network connection to a server in China.
“On one hand, you feel xenophobic for saying China’s bad and you don’t want to be that person, but there’s a strategic national effort going on there to get access to information, so we’ve got to be thinking about these things,” he says.
Unfortunately, Crisler adds, not enough people inside or outside of government are talking about the security dangers of IoT. “I think it’s underappreciated,” he says. Worse yet, there are no easy answers to the problem.
“You can’t give this to NIST and say, ‘publish another framework.’ That’s not going to fix this,” Crisler says. “It’s part Department of Commerce, part Department of Treasury, part Homeland Security.”
In the meantime, channel pros can mitigate the dangers posed by consumer IoT gear, Crisler continues, by discouraging clients from using it. “Your starting point should be don’t do it,” he says. “Being able to turn on a light with your phone is not worth the risk that it produces.”
To protect customers who deploy vulnerable devices anyway, he adds, focus on the basics. “You have to have a strong foundation before you can address the more complex issues,” he says. “Then at least you’re raising the floor of what it takes to be successful from an attacker standpoint.”