By Marc Laliberte, Technical Security Operations Manager, WatchGuard Technologies
The Internet of Things (IoT) industry has had a security problem since its inception. From the Mirai botnet that disrupted internet goliaths like Netflix, Twitter, and Reddit in 2016 to the recent Verkada security camera breaches that impacted tech giants Tesla and Cloudflare, IoT weaknesses have remained a popular tool in the cybercriminal arsenal despite constant warnings from security professionals. While these high-profile breaches draw attention to traditional IoT devices and their security concerns, other classes of IoT continue to skyrocket in adoption despite carrying security concerns that are just as serious, with potentially even more disastrous consequences in the event of a breach. IoT in the healthcare industry is a perfect example of this trend. Industry experts place healthcare IoT adoption on track to reach a massive 25.9% compound annual growth rate (CAGR) by 2028, primarily because of the enormous benefit network-connected sensors and data sharing provide. But that benefit comes at the cost of an increased attack surface for threat actors.
The medical industry faces a unique concern in that technical issues can manifest as actual life-and-death scenarios. Additionally, healthcare delivery organizations (HDOs) like hospitals and clinics often rely on expensive, highly customized applications and devices, and they are then hesitant to apply updates and patches to them for fear of breaking something and being left without their critical tools. Where traditional IoT typically comes as custom software running on a several-year-old flavor of Linux, medical IoT devices are often built on archaic versions of Microsoft Windows and Windows Server. In fact, last year researchers found that 45% of medical devices were vulnerable to the critical BlueKeep Windows exploit, which Microsoft considered serious enough to release legacy patches for out-of-support versions of its operating system.
IoT security concerns boil down to three main issues: 1) a lack of security considerations during manufacturing, 2) a lack of knowledge and visibility for those that deploy IoT, and 3) a lack of device update management after deployment. The first issue, security considerations during manufacturing, exists largely because most IoT consumers demand devices that are inexpensive first and foremost. When the only concerns are that the device is cheap and that it technically works, manufacturers lack incentive to spend resources improving the security of their products. This leads to devices with weak hard-coded passwords, outdated software, and operating systems lacking even basic hardening protections. The 2016 Mirai botnet flourished not by exploiting some sophisticated zero-day vulnerability in IoT cameras, but by running through a list of 61 common usernames and passwords against a management interface left open by the device manufacturers.
When it comes time to deploy IoT, network and systems administrators face the difficult task of managing devices where endpoint-based detection and visibility tools are either unavailable or highly discouraged to reduce risk of interfering with the device. IT teams are also faced with the difficult task of identifying rogue IoT on their networks added there by employees. While the devices themselves don’t hold much of value for cyber criminals, infected IoT can act as a base camp for moving laterally behind a network’s perimeter.
Even when researchers identify and disclose vulnerabilities in IoT devices, applying security updates often ranges from difficult to impossible. Many IoT deployments make no provision for long-term maintenance, which means identified vulnerabilities stick around. Last year, researchers at JSOF identified vulnerabilities, which they called Ripple20, in a popular network connectivity library present on hundreds of millions of IoT devices. Vulnerabilities like Ripple20 in traditional endpoints and systems are usually handled with a simple software update, but in embedded systems like IoT, applying those updates isn't a simple task.
Despite these security concerns, IoT is here to stay, and for good reason. Network-connected medical equipment enables healthcare professionals to provide faster and more accurate diagnostics and greater efficiencies at a time when our global healthcare system is under tremendous stress. IoT adoption is skyrocketing because the benefits outweigh the security concerns. But just because the security concerns are outweighed doesn't mean they can be ignored. To successfully deploy these new technologies while maintaining a strong security posture, healthcare organizations must be proactive about defining an IoT policy that accounts for the additional care these devices require.
While the most "secure" solution would be to unplug everything, there may be a very good reason to keep around that device running an out-of-date version of Windows, even though it is a block of metaphorical Swiss cheese when it comes to security. Determining the business case for your IoT deployment is an important first step towards building a strong policy. Part of this process, though, is knowing what you have in the first place. IoT devices are notoriously difficult to keep track of due to a lack of compatible endpoint agents. This is where network visibility tools like scanners with robust fingerprinting engines come in handy, crawling through the dark corners of your network to spot hosts you may have missed. Don't treat this as a one-off exercise either: monitoring and visibility must be an ongoing process to be successful.
You'll also need to consider how you deploy IoT. This class of devices is one of the greatest beneficiaries of the zero-trust approach to security. Zero trust is a whole other discussion on its own, but the bulk of it comes down to moving to a "never trust, always verify" approach to security. Instead of treating your internal network like a safe haven protected by a shielded perimeter, consider the safeguards you need in place to stop a malicious user or endpoint already on the inside from wreaking havoc. For IoT, this means deploying devices on segregated networks away from your other systems, and especially away from your most critical resources. If you find you have the business justification to keep around that unpatched system, protect it at the network level by restricting access to the specific ports and protocols required for that tool to function and by applying security services to those connections to identify network attacks and malware. Be sure to regularly audit your IoT devices with vulnerability scans and security assessments so you know what you need to defend against and aren't blindsided by something you didn't spot.
Finally, make sure you are using your visibility tools to their full potential. Even if you can't deploy protections on a device directly, you can still use tools to identify anomalous activity and raise the alarm in the event of something suspicious. Network intrusion detection systems can help cover the weak spots left open by IoT. The fact of the matter is, you will never stop 100% of attacks, and anyone who tells you otherwise is lying to you. If you keep all your eggs in the "prevention" basket while ignoring detection and response capabilities, you'll end up having a significantly more difficult time identifying those incidents that do make it through your defenses.
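The two recommendations above, restricting an unpatched device to the specific ports and protocols it needs and then using network visibility to flag anything outside that baseline, can be driven from a single allowlist. The following is an added example, not code from the article or from WatchGuard: a per-device allowlist for a hypothetical legacy imaging workstation on an isolated VLAN, rendered both as iptables rules (enforcement) and as an audit over a few constructed flow records (detection). All addresses, ports and the CSV flow format are assumptions made for the example.

```python
"""Enforce and audit a per-device network allowlist for segregated IoT.

Added example: the allowlist, addresses, ports and flow records below are
constructed for illustration and do not come from the article.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    device: str   # address of the managed IoT/medical device (hypothetical)
    dst: str      # destination host or network it may reach, in CIDR form
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    why: str      # business justification recorded alongside the rule


# Constructed allowlist: a legacy imaging workstation on VLAN 10.40.0.0/24 that
# only needs DICOM to the PACS server plus DNS and NTP from an internal host.
POLICY = [
    Rule("10.40.0.15", "10.20.0.5/32", "tcp", 104, "DICOM to PACS server"),
    Rule("10.40.0.15", "10.20.0.9/32", "udp", 53, "DNS to internal resolver"),
    Rule("10.40.0.15", "10.20.0.9/32", "udp", 123, "NTP to internal time source"),
]

# Constructed flow records (session starts) in a minimal CSV form.
FLOWS = """\
ts,src,dst,proto,dport
2021-06-01T08:00:01,10.40.0.15,10.20.0.5,tcp,104
2021-06-01T08:00:02,10.40.0.15,10.20.0.9,udp,53
2021-06-01T08:05:10,10.40.0.15,10.10.0.22,tcp,445
2021-06-01T08:05:11,10.40.0.15,203.0.113.7,tcp,443
2021-06-01T08:07:00,10.10.0.40,10.40.0.15,tcp,3389
2021-06-01T08:09:30,10.40.0.15,10.20.0.9,udp,123
"""


def allowed(rule, src, dst, proto, dport):
    """True when a single flow is covered by a single allowlist rule."""
    return (src == rule.device and proto == rule.proto and dport == rule.port
            and ip_address(dst) in ip_network(rule.dst))


def audit_flows(policy, flow_csv):
    """Return (allowed_count, violations) for flows touching managed devices.

    Egress from a managed device must match a rule; any inbound session to a
    managed device is flagged, because the isolated device should never be
    the responder for traffic from the rest of the network.
    """
    managed = {r.device for r in policy}
    violations, ok = [], 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, proto, dport = row["src"], row["dst"], row["proto"], int(row["dport"])
        if src in managed:
            if any(allowed(r, src, dst, proto, dport) for r in policy):
                ok += 1
            else:
                violations.append({**row, "reason": "egress outside allowlist"})
        elif dst in managed:
            violations.append({**row, "reason": "unsolicited inbound to isolated device"})
    return ok, violations


def to_iptables_rules(policy, chain="FORWARD"):
    """Render the allowlist as iptables rules: stateful replies first, then
    one ACCEPT per rule, then a default DROP in both directions per device."""
    rules = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        rules.append(f"iptables -A {chain} -s {r.device} -d {r.dst} -p {r.proto} "
                     f"--dport {r.port} -m comment --comment '{r.why}' -j ACCEPT")
    for dev in sorted({r.device for r in policy}):
        rules.append(f"iptables -A {chain} -s {dev} -j DROP")
        rules.append(f"iptables -A {chain} -d {dev} -j DROP")
    return rules


if __name__ == "__main__":
    for line in to_iptables_rules(POLICY):
        print(line)
    ok, bad = audit_flows(POLICY, FLOWS)
    print(f"\n{ok} flows within policy, {len(bad)} violations:")
    for v in bad:
        print(f"  {v['ts']} {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}  {v['reason']}")
```

Keeping enforcement and detection on the same allowlist means a flow the firewall should have blocked but the sensor still saw (the SMB attempt to an internal file server, or the inbound RDP session from another VLAN in the sample) is immediately visible as a policy gap or a misconfiguration rather than noise. The justification string on each rule is what you will want when the next audit asks why an unpatched device is still allowed to talk to anything at all.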
IoT has its proven benefits, but not without security drawbacks. It isn’t too late to get started on a strong IoT security policy and tackle those security concerns head on. With the right planning, paired with strong technical controls, you can make the most of what these devices have to offer and still sleep somewhat easily at night.
About the Author
Marc Laliberte is the Technical Security Operations Manager at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc’s day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of Internet of Things devices since joining the WatchGuard team in 2012. With speaking appearances at industry events including RSA and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.