Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement

Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.

Extended IoT devices (xIoT) stand as a perennial favorite for cyberattackers seeking to move laterally and establish persistence within enterprise networks. They've got everything the bad guys need for a foothold: They're grossly undersecured, they're present in large numbers (and in sensitive parts of the network), and, crucially, they're typically not well monitored.

In an upcoming session at RSA, security researcher and strategist Brian Contos will walk his audience through the ways that these devices can be used to create very broad attacks against enterprise resources, along with what security strategists should be doing to counter the risk.

"I'll be doing some xIoT hacking demonstrations, because everybody likes to see things broken into," says Contos, chief strategy officer for Sevco Security. "But in the xIoT world it's quite easy to compromise, so I won't focus on that but instead on how it can be used as a pivot point to attack on-prem devices, in-cloud devices, to steal sensitive data, maintain persistence, and evade detection."

His goal is to show the entire life cycle of the attack in order to demonstrate the weighty ripple effects that are in the offing from leaving xIoT devices unmanaged and unmonitored in enterprise environments.

The Prevalence of xIoT Insecurity

As Contos explains, xIoT devices typically fall into three device categories that all proliferate significantly in business environments. The first are the enterprise IoT devices like cameras, printers, IP phones, and door locks. The second are operational technology devices like industrial robots, valve controllers, and other digital equipment that control physics in industrial settings. The third — and often least remembered — are general network devices like switches, network attached storage, and gateway routers.

"The thing all of these devices have in common is that they're all purpose-built devices, created for one specific purpose," he notes. "They're network connected, and you can't install any additional 'stuff' on them. So, you can't put a firewall or an IPS, or antimalware on them. So, all of the traditional IT controls don't necessarily fit well in this world of xIoT."

He says his research over the last couple of years has shown that in the typical enterprise network there are usually three to five xIoT devices per employee floating around. In some industries, such as oil and gas or manufacturing, that number can scale upward to more like five to six devices per employee. So a manufacturing company with 10,000 employees could easily be looking at 50,000 of these devices on its network.

"And what you're going to find is that about half of those are running a default password, which takes all of a half a second for me to look up on Google," he says. "If I Google, 'What's the default password on an APC UPS system?' it will tell me the default username is 'apc' and the default password is 'apc.' And I can tell you from experience, I have yet to have ever seen an APC UPS system in the wild that doesn't have 'apc-apc' as the username and password."

On top of that, he explains that more than half of xIoT devices are also running critical-level CVEs that require little to no hacking expertise to leverage remotely and gain root privileges on the devices.

"Because of the volume, if you don't get into the first 1,000 to 2,000 devices, chances are you are going to get into the next 1,000 to 2,000," he says.

The Lessons Learned

Contos' hacking demonstrations will dive into how a different device from each of the xIoT device categories can be used for a myriad of attack purposes, from turning off power and destroying an asset to exfiltrating sensitive data and expanding attack reach across a network. He will share information on xIoT hacking tools that nation-state actors have built and explain how these threat actors are putting serious money into this kind of attack.

"I want the audience to understand how easy it is and to understand this is a risk that requires some focus within their organization," he says.

As part of the discussion, Contos will cover countermeasures that include solid asset management, identity management, and patch management around xIoT, as well as compensating controls like segmentation and MFA, in order to harden the xIoT attack surface. He also hopes to make the point that defenses shouldn't be planned "in a bubble": This is not the kind of security measure that should be developed by a special task force removed from cloud security and the other security groups.

"This should all be integrated because all of these devices touch each other," he says. "It should be part of one larger approach."
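The asset-management and segmentation controls above can be turned into a simple triage: rank every xIoT device by the three risk factors the article names (default credentials still set, an unpatched critical CVE, and a network segment that is allowed to reach servers or cloud egress, i.e. a usable pivot path). This is an added example, not code from the talk or from Sevco; the inventory, zone names and ACL entries are constructed sample data and the scoring weights are an assumption.

```python
"""Rank xIoT devices by pivot exposure. Inventory and ACL below are constructed
sample input, not data from any real network."""

# Constructed inventory; category follows the three xIoT groups the talk uses.
INVENTORY = [
    {"id": "cam-01", "category": "enterprise_iot", "zone": "cameras",
     "default_creds": True,  "critical_cve": False},
    {"id": "ups-07", "category": "enterprise_iot", "zone": "facilities",
     "default_creds": True,  "critical_cve": True},
    {"id": "plc-12", "category": "ot",             "zone": "plant",
     "default_creds": False, "critical_cve": True},
    {"id": "nas-03", "category": "network",        "zone": "servers",
     "default_creds": False, "critical_cve": False},
]

# Constructed east-west ACL: (source zone, destination zone) pairs that are allowed.
ACL_ALLOW = {("facilities", "servers"), ("cameras", "servers"), ("plant", "plant"),
             ("servers", "cloud-egress"), ("facilities", "cloud-egress")}

SENSITIVE_ZONES = {"servers", "cloud-egress"}

def reachable_zones(zone, acl):
    """Zones a device in `zone` can reach, following allowed hops transitively."""
    seen, frontier = {zone}, [zone]
    while frontier:
        src = frontier.pop()
        for s, d in acl:
            if s == src and d not in seen:
                seen.add(d)
                frontier.append(d)
    return seen - {zone}

def pivot_exposure(device, acl=ACL_ALLOW, sensitive=SENSITIVE_ZONES):
    """Assumed weights: 2 for default creds, 2 for a critical CVE,
    3 if the device's segment can reach a sensitive zone. Returns (score, reasons)."""
    score, reasons = 0, []
    if device["default_creds"]:
        score += 2; reasons.append("default credentials")
    if device["critical_cve"]:
        score += 2; reasons.append("unpatched critical CVE")
    hits = reachable_zones(device["zone"], acl) & sensitive
    if hits:
        score += 3; reasons.append("segment reaches " + ",".join(sorted(hits)))
    return score, reasons

def triage(inventory=INVENTORY):
    """Devices ordered worst-first: change credentials, patch or re-segment these first."""
    ranked = sorted(inventory, key=lambda d: -pivot_exposure(d)[0])
    return [(d["id"], *pivot_exposure(d)) for d in ranked]

if __name__ == "__main__":
    for dev_id, score, reasons in triage():
        print(f"{dev_id:8} {score}  {'; '.join(reasons) or 'no findings'}")
```

The UPS with default credentials, a critical CVE and a path to the server segment ranks first, while the PLC in a zone that only reaches itself ranks last despite its CVE, which is the segmentation argument in one table.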
