Tackling the IoT cybersecurity blind spot

Milad Aslaner, Head of Technology Advisory Group, SentinelOne explores tackling the blindspot of IoT cybersecurity.

People and businesses alike spend so much of their time concerning themselves with protecting the more obvious devices such as work computers, laptops and tablets against potential cyber attacks. But what about IoT devices and networks? As more devices are equipped with sensors and software that communicate and exchange data over the Internet, the cyber risk grows even larger.

The gravity of the problem becomes clear when you think of just how many IoT devices are relied upon for daily use. Whether it’s printers in offices, smart speakers or cameras for physical security systems, this explosion in IoT connectivity creates more endpoints from which hackers can stage an attempted attack, and the attack surface is only getting bigger.

According to Statista, the total number of installed base IoT devices will surge to 30.9 billion by 2025, having almost tripled since 2021. And in many cases, employees are able to connect IoT devices to the network without notifying IT teams, leaving security teams scrambling to gain and maintain visibility into the devices being connected.

Consequently, devices like Alexa and Google Home, wearables, mobile phones, and even novelty items, like fish tanks, are being added to networks every day, without security teams knowing. When it comes to IoT security, gaining complete visibility into every device on the network, and having the ability to control every device, is the foundation to a strong security posture. Because despite becoming more commonplace, IoT devices and the networks they provide remain hard to pin down and therefore, difficult for secure.

Traps for the unwary
As well, IoT devices are being relied upon by many businesses as part of their physical security infrastructure, such as CCTV. One of the most high-profile breaches of an IoT network occurred in 2021, when Verkada, a Silicon Valley-based business which markets security as a service, suffered a significant breach. Hackers had entered their systems, acquired super-admin credentials and accessed cloud-stored video footage from their 24,000-strong client list. CCTV feeds which were for certain eyes only became something for all the world to see

The breach was only brought to Verkada’s attention once the media had started reporting about CCTV footage surfacing on social media, doing great damage to the company’s reputation.

Hackers eventually admitted having entered their systems and having access to CCTV feeds for two days without being noticed, suggesting Verkada had an IoT-related blind spot. The cameras and the centralised management consoles which ran them lacked a form of endpoint cybersecurity protection which went unnoticed, allowing hackers to effectively walk straight through their doors.

Microsoft Azure for IoT poses serious flaws
Microsoft Azure Defender for IoT is Microsoft’s crown jewel for securing corporate IoT operations. As an increasing number of people shift activity onto the cloud, cybersecurity services have to adapt to this new environment, which resulted in Microsoft producing Defender for Cloud, which included coverage for Microsoft Azure. According to Microsoft’s own admission, the Azure IoT hub boasts connecting, monitoring and managing “billions of IoT assets”, suggesting a sizable number of apps and devices to watch over.

Concerningly, in April 2022, it was discovered that Microsoft Azure Defender for IoT had a number of flaws which risked affecting both cloud and on-premises customers. Research by SentinelLabs uncovered flaws which allow unauthenticated users to compromise devices using Microsoft Azure for IoT, based on flaws in Azure’s Password Recovery System. No in-the-wild cases of abuse have been seen so far.

The flaws in question stemmed from the method by which users recover passwords, whether that’s for the Management or Sensor solutions offered by Azure Defender for IoT. The password recovery system used by Azure Defender for IoT relies on two interfaces for verification: Python web and Java web APIs. This verification process, which is quite primitive by modern standards, requires a ZIP file to be uploaded to start the recovery.

This immediately opens the system up to potential tampering by hackers, who can upload and extract any file they wish through the directory. Between verification by both the Python and Java APIs, a hacker could reset files in the password reset directory, granting them access to IoT apps and devices as if they were the intended user. Upon its discovery, the vulnerability was immediately brought to Microsoft’s attention and they responded by releasing security updates to remediate the flaws.

Covering all bases in the IoT network
The first place for a business to start on IoT security is knowing the network itself like the back of one’s hand. The IoT network and devices used on it must be mapped and fingerprinted, but that’s not all. Businesses need to get into the mind of a hacker, and think about the gaps in their thinking and identify unprotected parts of the network, or devices which haven’t been included in protection efforts. Manually doing these checks can be exhaustive, and additional hardware or software simply aren’t scalable or cost-effective solutions.

What the situation calls for is resorting an AI-based solution, akin to a cybersecurity form of Sonar. Approved endpoint devices can be ‘pinged’ by the AI solution, but new devices can also be found which may have evaded scrutiny, especially those which are more hidden than others. With a roster of approved machines in use, anomalous behaviour is easier to spot through the IoT network, allowing businesses to close the gaps in their security infrastructure quicker.

It’s not enough for businesses to simply prove they are compliant with the latest legal requirements with regards to IoT device security. Simply ticking the box misses the point, as the real purpose of having visibility and monitoring one’s own IoT network is to ensure that security and privacy can be strengthened. By simply opting for compliance over greater security and privacy, companies fall prey to the more sophisticated forms of attacks, as many opt for scheduled forms of scanning to.

This gives the appearance of caring about maintaining cybersecurity in IoT networks with minimal effort. In reality, hackers are increasingly using high-speed machine-led attacks to strike, leaving security teams with only one option: continuous monitoring and scanning, using machine-based endpoint security to counteract more machine-led attacks.

Bringing IoT security into the light
AI-led endpoint security might seem daunting at first, but imagine the task of having to keep track of the billions of interconnected IoT devices out there in the world. As IoT networks grow, there will be hackers using increasingly advanced means of infiltrating them, exploiting blind spots in a network’s layout.

Only through the power of AI can security teams have the visibility and ability to categorise threats. Such endpoint solutions carry the benefit of providing automated alerts once rogue devices or vulnerabilities are found on a network, keeping IoT device systems as watertight as possible from a cybersecurity perspective.

Cybersecurity is a huge challenge for any organisation, and the problem has only become more complex with the addition of billions of connected devices. As threats continue to evolve to exploit IoT devices, it’s crucial that security teams are equipped with complete visibility, categorisation, and automated alerts for rogue devices and vulnerabilities. Prevention and proactivity are the keys to protecting against the very real threat posed by IoT devices.

Read the latest edition of PCR’s monthly magazine below: