Who Is Talking to Whom Using IoT Devices? Where Is Your Data Going?
You may have many IoT devices on your network, yet you might not be aware of where they are, what they are, or who they are communicating with. Companies without knowledge of their IoT devices face significant security exposures.
For example, hackers used the HVAC control system at Target Stores in 2013 to get access to and steal millions of customer credit card numbers. (see darkreading.com)
What Are IoT Devices?
IoT is short for "Internet of Things" and any device that communicates with the Internet is considered an IoT device. Each day there are more devices being added to corporate networks, each doing its job to collect and report data, as well as control systems and environments.
Here’s a sampling of devices that exist in most environments:
- Card access systems
- Security systems
- Light panels
- HVAC control systems
- Landscape watering systems
- Fire alarm systems
Many of these systems may have been deployed by the facilities, or helpdesk groups, so the network and security teams may not even be aware of them on the network.
What Are the IoT Device Security Risks?
If an IoT device becomes compromised, there are many possible risks that businesses face:
- Loss of control of the managed element (you can no longer adjust the thermostat)
- Hacker gains control of the managed element (hacker changes it to 95 degrees)
- Bot net to attack other networks (and your company gets blamed)
- Bot net to escalate privileges inside existing company (they’re already inside the door)
- Modify/change data on the network
- Leak data outside the company
Where Are IoT Devices Connected?
Many of these devices may be connected almost anywhere to the network, either via a cabled connection or wireless.
Finding where they are typically involves knowing what to look for. This may be looking for MAC OUI manufacturers of IoT devices, or looking for rogue OUI entries that don’t seem to match the normal business operations.
What Is the IoT Device’s Function and Purpose?
Once you have found a suspected IoT device on the network, you have to determine what its function and purpose is. Typically this involves looking up the MAC address of the device in ARP caches to learn the IP address, then doing a port scan to find out if you can Telnet/SSH/HTTP/HTTPS into the device to learn about it.
If it responds to HTTP or HTTPS, then visit the website to learn what its login page looks like. Usually, it will have telltale signs like "Company XXXX HVAC Management Node" or "Printer model x451". Sometimes, right-clicking on the website and choosing “View source” will help disclose copyright information that will help disclose what the device is and who manufactured it.
|Note:||Most IoT devices are connected to the network without any consideration of changing the default password. Thus, you should be able to search the Internet to find the default password for the device and login. It is strongly advised to change the password to a non-default password to prevent the device from being usurped by internal or external actors.|
Who Do the IoT Devices Talk To?
IoT devices typically talk to a specific set of servers. For example: An HVAC management device might have the following communications:
- Controller server (centralized HVAC management system for the enterprise)
- HVAC manufacturer (for updates)
- HVAC service company (for filter changes and servicing)
The controller server may be on-prem or cloud-based. The other communications destinations may be cloud-based, or hosted by the HVAC manufacturer or by the service company directly.
You would want to template each IoT device to learn its communications patterns so you would be able to know when the following occurs:
- Bot command (hacker controlling the IoT device)
All of these communications can be typically seen by analyzing NetFlow records or doing packet capture analysis.
In a perfect world, you would want to set policies where the legitimate communications would be accepted, but anything beyond that would trigger an immediate alert so unauthorized communications can be terminated before problems occur.
PathSolutions TotalView automatically scans to find IoT devices, and identifies what they are and whom they communicate with, so that exposures can be remedied.
Contact us with questions about how PathSolutions TotalView can make IoT network security easier.