Internet of Things (IoT): Rethinking the threat model


On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science. So he wrote a short program in C, and within a few hours, 150,000 internet-connected printers across the world were spitting out ASCII art and messages. All this was harmless, although the messages did say the compromise was the result of a botnet (there was no botnet). That said, what if such a botnet had been a real threat? How many organizations today include printers—or any aspect of the Internet of Things (IoT)—in their current threat models?

Known only by the nickname Stackoverflowin, the youth responsible agreed to an interview with Motherboard. The student explained that he had been programming 14 hours a day and, as a consequence, had trashed his grades. Now, at least within the U.K., he will not be able to attend the computer science university programs he’d wanted. His script, however, was successful, finding a number of restaurant POS systems, with images of ASCII-drawn robots pouring out onto counter tops worldwide.

Which raises a valid question: Should organizations be worried about internet-connected printers?

Printers are misunderstood

A few years ago, Columbia University student Ang Cui and his Ph.D. advisor, Salvatore Stolfo, began testing printers. They found that, in general, printers were not very secure devices. After all, why should they be? That reasoning perhaps held before printers were connected to the internet, back when you still needed a thick serial cable: to compromise a printer, you had to get physical access to it. With internet connectivity, however, that began to change. Anyone, anywhere in the world, could now reach the device.

Cui first drew national media attention as a graduate student when he reported that he could make a laser printer burst into flames—or at least that’s what the popular media reported. At that time printer manufacturers didn’t always authenticate or otherwise sign their updates, so Cui, using a freely available update schema from a major printer manufacturer, designed and installed a malicious printer update that would disable the thermal sensor on the fuser of an inexpensive laser printer. This would in turn cause the printer to overheat, perhaps enough to burn the paper inside.

Not just your printer

Cui also found that voice over IP (VoIP) phones in corporate offices could be compromised. Doing so required what’s known in security as an “evil maid” scenario, in which a maid cleaning a hotel room inserts a USB device into your laptop to compromise your machine. In this case, a janitor after hours could plug a USB device into one of the phones. Once the malware was installed, the phone could then leverage a vulnerability that allowed the microphone used for hands-free operation to turn on even when the handset or the phone itself was not in use. In other words, the desktop phone could eavesdrop on live conversations at or around the desk.

Researcher H.D. Moore also found that video conference room equipment could be attacked remotely. Not only could an attacker join a sensitive conference call (say, within a legal firm), but the attacker could also turn the camera and zoom in on a desktop outside the conference room, perhaps reading sensitive information or even a sticky note with a password. Last year, researcher Jamieson O’Reilly found that a video conference system used by the US Army, NASA, and CERN contained a similar vulnerability.

Beyond cheap party tricks

In the last few months, thousands of surveillance cameras worldwide were found to have their credentials hard-coded, meaning that once someone knew the password, they could gain administrative control of the devices. Someone did and managed to construct one of the largest IoT-based botnets, known as Mirai.

In October, after the source code for Mirai was exposed on the internet, an attacker turned the Mirai botnet on a DNS resolver service, Dyn. The resulting distributed denial-of-service (DDoS) attack managed to throttle access to such popular sites as Netflix and Airbnb in North America. The sites themselves weren’t affected, only the resolution service, but the effect was the same to any end user trying to reach those sites.

IoT—So what?

Some in the security community remain dismissive of the potential for IoT to disrupt real-world enterprises. There’s some history to suggest they might be right. Mobile phones, once predicted to fall victim to the scourge of computer viruses that consumed desktop PCs in the late 1990s, have so far avoided that fate. Strong security in both iOS and Android has contributed to that.

The difference is that IoT devices are, deep down, embedded systems running a variety of different real-time operating systems (RTOS)—some secure, some not. These devices have been around for years, meaning there are legacy devices out in the fields of large power generation plants that cannot be updated. Newer consumer devices invading our homes and offices are no better. Some inexpensive devices are built with vulnerable open source components and were designed for obsolescence rather than updates.

Be proactive

It is important to consider all internet-connected devices in your threat model. The risks posed by these devices today may not seem large. Nonetheless, as we have seen with common devices (printers, video conferencing systems, and surveillance cameras), researchers and bad actors alike have found viable compromises. And compromising a few surveillance cameras can result in bigger consequences.

Trust, but verify, each internet-connected device you add to the network. Testing the firmware of any device brought inside the organization to learn its software composition should be part of any modern security policy. And if you can’t effectively define security controls to mitigate the risks posed by a given IoT device in your organization, then consider purchasing another device.
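The two steps above (test the firmware of every device for its software composition, then decide whether controls can be defined or the device should be replaced) can be automated as a pre-deployment check. The following is an added example, not code from the original post or from any vendor: it scans a constructed firmware image for embedded version banners of common open source components and for a root password hash baked into the image, compares the versions against a placeholder acceptance policy (`MIN_VERSION`, not real advisory data), and returns a disposition for the threat model. A baked-in root hash is treated as a credential the owner cannot rotate, which is the "can’t define a control" case the text describes.

```python
"""Firmware composition and threat-model disposition check for an IoT device.

Added example, not code from the original post. A constructed firmware
image (a byte string) is scanned for embedded version strings of common
open source components and for a baked-in root password hash; the
result decides how the device enters the threat model.
"""
import re
from dataclasses import dataclass, field

# Constructed policy: the lowest version of each component this
# organization accepts. Placeholder numbers, not real advisory data.
MIN_VERSION = {
    "busybox": (1, 30, 0),
    "openssl": (1, 1, 1),
    "dropbear": (2019, 78),
}

# Version banners as they typically appear in `strings` output of an image.
PATTERNS = {
    "busybox": rb"BusyBox v(\d+\.\d+(?:\.\d+)?)",
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+)",
    "dropbear": rb"dropbear_(\d{4}\.\d+)",
}

# A root entry carrying a password hash inside the image means the
# credential is fixed at build time and cannot be changed by the owner.
BAKED_ROOT_HASH = re.compile(rb"root:\$[^$:\s]+\$[^:\s]+:0:0:")


def parse_version(text: str) -> tuple:
    """Turn '1.22.1' into (1, 22, 1) so tuples compare numerically."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class Finding:
    component: str
    version: str
    outdated: bool


@dataclass
class Report:
    findings: list = field(default_factory=list)
    baked_in_root_hash: bool = False

    @property
    def disposition(self) -> str:
        # A credential the owner cannot rotate leaves no effective
        # control, so the device should not be deployed as-is.
        if self.baked_in_root_hash:
            return "replace"
        if any(f.outdated for f in self.findings):
            return "mitigate"  # segment, update firmware, restrict access
        return "accept"


def scan_firmware(image: bytes) -> Report:
    """Inventory known components in the image and flag baked-in root creds."""
    report = Report()
    for component, pattern in PATTERNS.items():
        for match in re.finditer(pattern, image):
            version = match.group(1).decode()
            outdated = parse_version(version) < MIN_VERSION[component]
            report.findings.append(Finding(component, version, outdated))
    report.baked_in_root_hash = BAKED_ROOT_HASH.search(image) is not None
    return report


# Constructed firmware image: fragments like those `strings` would pull from
# a real image. The hash value is a made-up placeholder, not a real hash.
SAMPLE_IMAGE = (
    b"\x00\x00BusyBox v1.22.1 (2014-05-01) multi-call binary.\x00"
    b"OpenSSL 1.0.2k  26 Jan 2017\x00"
    b"dropbear_2016.74\x00"
    b"root:$1$PLACEHOLDERHASH:0:0:root:/root:/bin/sh\n"
    b"admin:x:1000:1000::/home/admin:/bin/sh\n"
)

if __name__ == "__main__":
    report = scan_firmware(SAMPLE_IMAGE)
    for f in report.findings:
        print(f"{f.component} {f.version} {'OUTDATED' if f.outdated else 'ok'}")
    print("baked-in root hash:", report.baked_in_root_hash)
    print("disposition:", report.disposition)
```

On a real image you would feed the bytes of the extracted root filesystem rather than the constructed sample, and extend `PATTERNS` and `MIN_VERSION` from your own component and advisory tracking. The point of the disposition property is that the outcome is a policy decision, not just a list of strings: an outdated component is something a control (segmentation, an update, restricted access) can address, while a credential the owner cannot change is not.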

Posted by Robert Vamosi