By Russ Banham
Chief Executive magazine
Wesley McGrew is a white hat hacker at HORNE Cyber, where he directs cyber operations. His job is to find security flaws in company systems by hacking into them. Lately, McGrew and his team have been exploiting the vulnerabilities of Internet-connected smart devices like, well, pretty much everything.
From thermostats and coffeemakers to security systems and garage door openers, many commonplace things are embedded with electronics connecting them to smartphones via wireless protocols like Bluetooth. These devices can be connected to the Internet to exchange data, making the work of business more efficient—except when they do dumb things like let hackers exploit them to shut down corporate networks or steal sensitive data. “Any business today has some sort of smart device on its network, either for pure business reasons, like a printer, or for ease of use, like my crockpot,” says McGrew.
His crockpot, which he relies on occasionally for in-office meals, is a demon in disguise. Inside it is a miniature, multi-purpose computer like a circuit board with untold powers—of the bad kind. “The manufacturer of the crockpot has no idea about this computer, other than it switches things on and off,” McGrew explains. “But it is really quite remarkable, with the same power and capabilities as a full desktop workstation from 10 years ago.”
Suddenly, a prosaic crockpot is also a computer designed to automatically connect in the cloud to a company’s wireless network. However, this computer is vastly easier to hack because it was not designed with strong, configurable security in mind. “A lot of them have a hard-coded password that can’t be changed without a firmware update by the vendor,” says McGrew. “The problem is vendors rarely, if ever, update the firmware.”
A worse problem is that this password is instantly available to hackers. “Default passwords of all these devices are available on the search engine Shodan, which allows anyone to find specific devices connected to the Internet,” says Harri Hursti, the famed Finnish programmer whose studies of voting systems unearthed serious security flaws. “You simply type in the name of the device, and it’s amazing what you can find.”
Not Exactly Fort Knox
Blame economics for many smart devices’ shoddy security. “The challenge in selling many smart devices is the need to hit a price point low enough to encourage people to buy the device,” says Irfan Saif, a principal in the cyber risk practice at consultancy firm Deloitte. “To help achieve this price point, manufacturers may limit features around security.”
He is not alone in this alarmist view.
“Three seconds of thought are given to security,” says Dottie Schindlinger, vice president and governance technology evangelist at Diligent, a provider of enterprise governance management solutions. “The goal is to make the device super easy to connect to a WiFi network and other devices—to make them ‘idiot-proof’ for anyone to deploy. Yet, the moment the device connects to a network, it becomes a giant wormhole for hackers to penetrate.”
This was the case with McGrew’s crockpot.
“It was incredibly simple to exploit its security flaws,” he says. “Once in the back door, I used it as my base of operations to scan the rest of the network looking for vulnerabilities in our internal systems. Basically, I had a foothold into our network to do whatever I wanted next.”
A hacker with malicious intent can do the same thing, albeit with devastating consequences—compromise the network, steal sensitive data, hold the organization ransom and crimp the flow of business.
Midsize and smaller companies with tight resources to invest in a chief information security officer and trained IT security staff are most at risk, although even the largest enterprises are not immune.
“Our company is dependent on IT systems, data and our employees for our operations and securing these systems and data is a fiduciary responsibility of management and directors,” says Ken Asbury, CEO of CACI, a provider of information solutions and services for defense, intelligence and federal civilian government customers. “Just like we have to be sure our facilities and our people are secure, we now need to ensure our employees are informed about the importance of and necessary steps to secure smart devices like surveillance cameras, door locks and printers that are on the network….The Internet of things (IoT) is a new area for cybersecurity, one that increasingly poses the greatest amount of risk.”
Awakening the Zombies
This threat was made frighteningly clear in August 2016, when hackers created malware called Mirai that scanned the Internet continuously looking for the IP addresses of smart devices vulnerable to the default password security flaw. The hackers then commandeered these smart devices into a botnet (robot network) that unleashed DDoS (distributed denial of service) attacks on hundreds of websites, shutting them down and causing extraordinary business interruption losses. In a DDoS attack, a website is besieged with so much traffic, it can no longer accommodate legitimate users.
The smart devices-turned-zombies were primarily inexpensive, mass-produced CCTV video cameras designed for security purposes. Two months later, the same malware was used against Dyn, a managed domain name system provider of Internet services to Twitter, Reddit, CNN, Spotify and thousands of other websites, shutting many of its clients down. Approximately 500 companies that relied exclusively on Dyn suffered extensive downtimes.
“In the old days, hackers used powerful IT systems to carry out a DDoS attack,” says Vance Brown, CEO of the National Cybersecurity Center, a provider of cybersecurity training. “Today, it’s much easier to marshal thousands of network-connected smart devices to do the same thing.”
Another eye-opening hack of a smart device involved the hospitality industry. In 2017, a hacker infiltrated the wireless key card system at an Austrian hotel, locking all the doors and shutting down the computer system that operated them. “A ransom in bitcoin was demanded to turn the system back on,” says Jody Westby, CEO of Global Cyber Risk, a provider of cyber risk management services. “The hacking was publicly reported, exposing the hotel to potential reputational damage.”
Smart printers have also been hacked. In 2017, a bored teenager in the UK built a program that hacked into 150,000 Internet-connected printers to print out reams of paper. The clever hacker signed his work “Stackoverflowin.”
Schindlinger cited a more devastating hack. “A certain brand of wireless printer has been shown to have a gaping security loophole, allowing hackers to reprint anything that has ever been printed on the device,” she says. “That may include every legal contract the company has signed, new product information, payroll data, employee names and Social Security numbers—you name it.”
What’s more, once a hacker breaks into the printer, a back door to the rest of the network is opened. As Brown puts it, “As soon as you’re in the house, you have access to all the rooms.”
Even some of the best-selling technology products today may do things users are in the dark about. Brown points to smart speakers like Amazon Echo, noting, “If the device is always listening to you, it also could be spying on you.”
He’s right. A security researcher recently demonstrated how to insert malware into a pre-2017 Echo to stream audio from it to a server, turning the device into a personal eavesdropping microphone.
While there is no software patch available to repair the problem in older units, the vulnerability has been addressed in post-2017 Echo models.
Sending in the Guards
How concerned are corporate risk managers about IoT-related attacks? The answer is extremely. An astonishing 94 percent of cyber risk professionals responding to a study by the Ponemon Institute stated that a security incident related to an unsecured smart device would be “catastrophic,” with 74 percent expressing concern over the loss or theft of valuable data.
What can CEOs to do ensure their companies’ networks and systems are protected? It’s not an easy question to answer.
As McGrew points out, “In many midsize and smaller businesses, the IT security staff is 100 percent focused on keeping the network running. They don’t have time to chase all these smart devices that are connecting to it; they’re at capacity. And most companies don’t have a team of [network] penetration testers—white hat hackers who love to break into devices and pinpoint their vulnerabilities.”
Westby from Global Cyber Risk agrees, noting that it is difficult to sell the firm’s assessments to companies with under $1 billion in revenue.
“Compared with the enormous expense of a business interruption, a forensic investigation is a pittance, yet many CEOs downplay the need,” she says. “This is ridiculous since they have a fiduciary responsibility to investors and shareholders to pay attention to these risks. A big attack can literally do them in.”
The Ponemon Institute study drew a similar conclusion. The respondents cited boards of directors not fulfilling their oversight responsibilities and making management accountable as one of the three major barriers to addressing the risks of smart devices. The other two barriers were insufficient resources and a lack of priority in their approach to cyber risks. “Because it is not a priority and leadership is not engaged, the necessary resources are not being allocated,”
says Larry Ponemon, chairman and founder of the Ponemon Institute. “While smart devices promise good things by sharing information for good purposes, there is a dark side—hackers using the information for nefarious purposes.”
Asbury from CACI says that CEOs must take the risk of connected smart devices seriously and lead the charge in their organizations to do something about it. “Companies must develop a culture of cybersecurity, and that begins with the tone from the top set by the executive team and board,” he says. “A strong culture of cybersecurity makes the security of systems, data and smart devices the responsibility of all employees, not just the IT and security teams.”
He adds, “It takes everyone to keep a company secure, at every level of the workforce, all the way up to the boardroom. But someone has to lead the way.”