The relationship between IoT and Wi-Fi
By Ryan Orsi, Director Product Management, WatchGuard Technologies
In parts one and two of this series, I covered the importance of understanding the anatomy of a Wi-Fi hacker and how to defend your airspace using WIPS and WIDS. For my last article of the series, I’ll cover the growing threat of Wi-Fi enabled Internet of Things (IoT) devices.
Today, most IoT devices fall into two categories: general IoT and industrial IoT (or IIoT). The first consists mostly of consumer devices like cameras, watches, thermostats, color LED light bulbs, and more. The second includes items like electric, gas and water meters that attach to the home or business and transmit data back to industrial systems or utilities.
As you probably know, the IoT market is growing fast. As a matter of fact, according to Bain, by 2020 IoT annual revenue will reach $470 billion. And McKinsey & Company estimates the annual growth rate to be about 33 percent. That’s huge growth, and it’s putting a lot of pressure on manufacturers to produce these devices quickly. As a result, most devices are Wi-Fi enabled (versus using cellular data), delivering low-cost connectivity for buyers.
But remember the old saying, “You can get something fast, cheap or good. Pick two.” As IoT manufacturers race to get new products to market, they’re also overlooking (to put it kindly) the major security concerns associated with these new devices.
Which means these products are fast and cheap, but often not good from a security standpoint. Of course, these smart, connected devices make our lives and jobs more convenient, but they also present critical security challenges. The reality is, convenience and security often don’t mix. When you combine the security vulnerabilities of IoT devices and Wi-Fi, these transformative technologies begin to look a lot scarier.
Don’t believe me? Let’s dive into some IoT vulnerabilities, first by looking at the main attack vectors:
- Network Services – IoT devices are connected to the network for a reason: to provide remote access. Unfortunately, when users set up these services, security usually isn’t top-of-mind. So when a webcam is deployed, chances are it’s assigned to an open, unprotected port. Since IoT devices don’t have good security, this means a user’s network could be vulnerable.
- Man-in-the-Middle (MiTM) Attack – As mentioned in Part 1 of this series, IoT devices are not actively managed, allowing hackers to launch MiTM attacks in relative obscurity over either wired or wireless networks. Today, the majority of wireless hacks involve a MiTM attack.
- Cloud-based IoT – Most IoT devices have a cloud-based application that helps to manage the device. When these cloud services have poor security, they’re a prime target for hackers. After infiltrating the cloud service, attackers typically gain access to a plethora of user account information and devices. So essentially, access to one device is access to all devices associated with the service.
What is a real-world example of one of these attacks? In September/October of 2016, the Mirai botnet emerged. It took down Brian Krebs’ website, Netflix, Twitter and more. It exploited IP cameras, DVRs, and common household routers by scanning for open ports exposed to the Internet and then trying 61 common user name and password combinations that were found in manufacturer user guides.
The process wasn’t rocket science, and once they gained access, hackers had control of these devices and used them to launch the world’s largest DDoS attack against cloud DNS host Dyn. This caused the aforementioned sites to crash. The attack came from more than 160 countries, showing just how vulnerable IoT devices are across the globe.
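A Mirai-style sweep leaves a recognizable trace on the device side: a burst of failed logins from one source that cycles through several account names. The following is an added example, not part of the original article, that flags that pattern; the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed log format (not taken from a real device).
SAMPLE_LOG = """\
2024-01-15T11:10:01 telnetd: login failed src=203.0.113.7 user=root
2024-01-15T11:10:03 telnetd: login failed src=203.0.113.7 user=admin
2024-01-15T11:10:05 telnetd: login failed src=203.0.113.7 user=support
2024-01-15T11:10:07 telnetd: login failed src=203.0.113.7 user=root
2024-01-15T11:10:09 telnetd: login failed src=203.0.113.7 user=admin
2024-01-15T11:10:11 telnetd: login ok src=203.0.113.7 user=admin
2024-01-15T11:12:00 telnetd: login failed src=192.0.2.10 user=operator
2024-01-15T11:12:30 telnetd: login ok src=192.0.2.10 user=operator
"""

LINE_RE = re.compile(r"^(\S+) telnetd: login (failed|ok) src=(\S+) user=(\S+)$")

def find_credential_sweeps(log_text, window=timedelta(seconds=60),
                           min_failures=5, min_users=3):
    """Flag sources with many failed logins across several accounts in one window."""
    failed, ok = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        when, result, src, user = m.groups()
        target = failed if result == "failed" else ok
        target[src].append((datetime.fromisoformat(when), user))
    flagged = {}
    for src, events in failed.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits inside it.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures and len({u for _, u in burst}) >= min_users:
                flagged[src] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    # A success after the burst means the device should be treated as compromised.
                    "login_after_sweep": any(t >= events[end][0] for t, _ in ok[src]),
                }
                break
    return flagged
```

A source that fails once and then logs in, like the second one in the sample, stays below both thresholds and is not flagged.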
While Mirai was not a Wi-Fi vulnerability per se (it happened over a wired network), it did bring IoT security into the headlines once again, highlighting the fact that Wi-Fi is a major IoT attack vector for hackers.
MiTM attacks are often used to gain access to Wi-Fi networks, and once in, hackers can search for vulnerable IoT devices and plant back-door malware that will give them access to a network from anywhere in the world.
Think about the impact this can have on today’s devices. For example, telemedicine devices like home heart monitors or blood pressure sensors gather information and send it back to physicians over Wi-Fi. These little computers are just as vulnerable as DVRs and webcams. Or, what about Point of Sale (POS) systems?
More and more businesses are running payment-processing systems across a Wi-Fi-connected tablet. These tablets can be compromised using MiTM attacks and malware, resulting in stolen payment card information or worse. And the list goes on with connected cars, printers, kitchen appliances, thermostats, light bulbs, industrial systems and more.
If the lack of security on the majority of these devices isn’t scary enough, imagine them all connecting to a massive, city-wide public hotspot.
That’s what’s happening today and it’s called Municipal Wi-Fi. Municipal Wi-Fi is designed to allow all devices within range to connect to an open, unsecured Wi-Fi network.
Think the local mall on a small scale, but entire cities on a large scale. For example, today, South Africa has one of the largest municipal Wi-Fi networks, which supports connections from 1.8 million unique devices.
The ability to deploy these large municipal networks is opening the door for companies like Google, Facebook and Microsoft to work with the Internet Governance Forum to create municipal networks in developing countries. It’s an initiative they’re calling “Connecting The Next Billion,” and it’s designed to offer developing nations access to Internet services and connectivity.
The IoT growth potential with these networks in place is staggering. And again, it highlights the need for IoT security.
So, how do we fix the IoT security problem? Consumers, vendors, and manufacturers all need to care about securing IoT devices. Unfortunately, right now, they don’t. Meaning if you join an unsecured open Wi-Fi network with your IoT device, there’s a chance you’re vulnerable to an attack.
Because there is a lack of motivation to secure IoT devices, government regulations may be the fastest way to get manufacturers to prioritize security by design.
This is becoming a hot issue and we’re starting to see industry thought-leaders weigh in on the topic. For example, Bruce Schneier recently testified in Congress regarding the Mirai botnet attack. He addressed the growing need for IoT regulation when he said:
“What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, the government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.”
While we may not see government regulations anytime in the immediate future, the industry (and external researchers) can continue to shed light on IoT security issues by exposing vulnerabilities in these products.
For example, WatchGuard’s Threat Lab recently discovered a new vulnerability in a cloud-based management portal for a security camera.
Once the issues were found, the team reported the problems to the manufacturer, which was able to quickly patch the vulnerability.
While not all manufacturers and vendors today may have the incentive to build secure IoT devices, organizations offering Wi-Fi can take matters into their own hands to help ensure consumer safety. If you’re delivering Wi-Fi to customers, employees or partners, consider these five tips:
- Deploy a new Wireless Intrusion Prevention System (WIPS) that can easily isolate rogue APs and stop MiTM attacks in real-time. Yes, these exist (for example, check out WatchGuard’s new Wi-Fi Cloud).
- Use Wi-Fi network segmentation to separate guest and private networks. Not only will this boost performance, but should a hacker breach the network, segmentation can also help keep the intrusion contained.
- Use policies to segment IoT devices like web cameras, thermostats, and others away from guest and private networks.
- Use a Unified Threat Management (UTM) appliance to secure the traffic as it traverses each network segment.
- If you’re not an expert in network management or security, hire a managed security service provider (MSSP) to handle the burden.
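Segmentation only helps if the rules between segments actually enforce it. The following is an added example, not part of the original article, that audits a first-match rule set against the guest/private/IoT separation described in the tips above; the addressing plan, rule format and port list are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for illustration).
SEGMENTS = {
    "private": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.30.0.0/24"),
}
# Assumed rule format: (action, source segment, destination segment, port or None for any).
# First match wins; traffic that matches no rule is denied.
RULES = [
    ("allow", "private", "iot", 443),   # admins manage cameras over HTTPS
    ("allow", "iot", "private", None),  # misconfiguration: IoT may reach private on any port
    ("deny", "guest", "private", None),
    ("deny", "guest", "iot", None),
]
# Policy from the tips: guest and IoT devices must not initiate traffic into other segments.
FORBIDDEN = [("iot", "private"), ("iot", "guest"), ("guest", "private"), ("guest", "iot")]

def segment_of(ip):
    """Map an address to its segment name, or 'outside' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "outside"

def decide(rules, src_ip, dst_ip, port):
    """Evaluate one flow against the rule set with first-match, default-deny semantics."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for action, r_src, r_dst, r_port in rules:
        if (r_src, r_dst) == (src, dst) and r_port in (None, port):
            return action
    return "deny"

def audit(rules, ports=(22, 23, 80, 443)):
    """Return the forbidden (src, dst, port) flows that the rule set would allow."""
    violations = []
    for src, dst in FORBIDDEN:
        # Pick one representative host in each segment for the probe flow.
        src_ip, dst_ip = str(SEGMENTS[src][10]), str(SEGMENTS[dst][10])
        for port in ports:
            if decide(rules, src_ip, dst_ip, port) == "allow":
                violations.append((src, dst, port))
    return violations
```

Running `audit(RULES)` reports the IoT-to-private flows opened by the second rule; removing that rule makes the audit come back empty.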
Our future is dependent on the choices we, as consumers and security professionals, make about our own security today. The reality is that vendors sell what the market buys. And, right now, most people are content buying IoT devices that lack proper security. Either the market demands better security or hackers continue to exploit vulnerabilities in IoT, costing the industry dearly.
As a company, take the necessary steps to deliver secure Wi-Fi for your customers and employees. As IoT continues to grow, having secure Wi-Fi will be vital to keeping them safe. And, as a consumer, take a stand. Tell IoT manufacturers that you want better security. If we don’t take our own security seriously, then neither will they.
About The Author
Ryan Orsi is Director of Product Management at WatchGuard, a global leader in network security, providing products and services to more than 75,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical, and consumer wearable markets. As VP Business Development in the RF industry, he led sales and business development teams worldwide to success in direct and channel environments. He holds MBA and Electrical Engineering Degrees and is a named inventor on 19 patents and applications.
Ryan can be reached online at @RyanOrsi and at our company website www.watchguard.com/wifi