#ISC2Congress: IoT Devices Pose Off-Network Security Risk
Internet of Things (IoT) devices can still be a serious security threat even when they are off network.
Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, 802 Secure CSO Michael Raggo shared research that demonstrated the risks posed by everyday IoT devices.
In his talk titled "Cyber Physical Security: Addressing IoT Risks," Raggo cited examples of threat actors gaining access to data centers via WiFi thermostats and spying on conferences by hacking into smart TVs mounted on boardroom walls.
"The problem goes far above and beyond the potential breach of data or risks to that data. It also has an impact on safety, privacy, and the whole operation of your entire network, especially if it's an industrial IoT type of network," said Raggo.
"What that means in terms of your policies and how you approach the problem, is that this is more than just protecting data and avoiding data exfiltration. Now we are talking about the safety and the privacy of people and employees."
The impact of IoT security issues is far-reaching. According to Raggo, "roughly 50% of the new buildings being built in the United States have some kind of IoT functionality."
Raggo said that ensuring the reliability and security of the lighting, power, and HVAC systems of your home and your business is a real challenge if those systems aren't connected to your own network.
Although many people are familiar with Wi-Fi and Bluetooth, according to Raggo they often don't have a clear understanding of how IoT devices are configured and who can actually connect to them.
Raggo referenced experiments conducted in his own lab that had produced worrying results, exposing vulnerabilities in smartphones and surveillance cameras. In one test, he used a wireless thumb drive to access data on a hub.
"I simply plugged it into a USB port in the back of the hub and immediately videos started being recorded to my thumb drive. There was no authentication required," said Raggo.
One threat Raggo drew attention to was Bluetooth skimming, where threat actors steal money by breaching credit card details used in transactions. After being asked to investigate a fast-food restaurant that had suffered a breach, Raggo used readily available Bluetooth scanning tools to detect a long-range Bluetooth device placed under the cash register that had been used to skim data.
Source: Information Security Magazine