A nightmare before Christmas 

We have finally reached that time of the year; Black Friday sales, and the holidays are just around the corner… But while you were enjoying your online shopping spree for your new Apple watch, or Alexa smart speaker, did you stop to think about the risks of vulnerabilities in IoT devices? When talking about good cyber hygiene, there is often an emphasis on network and endpoint security, antivirus software, multifactor authentication, setting strong passwords etc. Such practices defend against several threats, but is that all there is? What if there was a silent threat, one that the recommended best practices fail to defend against?

Lights out: 

We are more and more dependent on technology – computers, cellphones, smart bulbs, smart surveillance systems, smart baby monitors, and so on. Such devices simplify our daily lives, but they also represent a threat as each one provides an entry point to the network.

Imagine the following scenario. You invited an old acquaintance to your home who asked to see you for a catch up. This old acquaintance of yours arrives, and you start chatting. At some point, you need to use the bathroom.

After a couple of hours, your buddy goes back home, and a little while later, in the middle of the evening, things start getting scary. Your lights are going crazy, flickering on and off without you touching anything; a strange voice comes out of your baby’s monitor, but no one else is in the house; your kitchen boiler turns on without your command. This could only mean one thing: “My house is haunted!” You try to escape, but the door won’t open – your smart locking system seems to be out of your control. Of course, there is a reasonable explanation for this, and it doesn’t involve the supernatural – more like a bad actor trying to give you the fright of your life.

Let’s break down this case. The bad actor just so happens to be your old acquaintance. When you went to the bathroom, he plugged a malicious USB key into one of your smart devices, creating a backdoor to the network. Now with a foothold inside, he was able to take control of the other internet-connected devices in your home through lateral movement.

While this might seem farfetched, it is a very possible scenario. But, more importantly, it highlights the risks of IoT devices and how they can get used by hardware-based attackers needing physical access to their target.

Shining: 

In a more likely scenario, smart home devices present a risk to organizations. Many companies implement BYOD (Bring Your Own Device) policies, which often permits employees to use their BYODs remotely, especially as the teleworking trend grows. While it may be cheaper for a company to use this strategy, it brings a significant threat: the devices storing company data are more exposed. In the scenario above, the attacker could have used the IoT as a gateway to a BYOD, where he could retrieve confidential company data. And with an average of 25 smart devices per household, there are several entry points for attackers to choose from-making the risks of IoT devices higher than one may think…

Using a hardware attack tool, such as a rogue USB thumb drive, allows cybercriminals to conduct their malicious activity covertly. Such devices operate under the radar of existing security solutions due to a lack of Layer 1 visibility, thus raising no security alarms, and their benign appearance causes no suspicion.  While one might think that there is no solution to such a threat, there is a (smart) light at the end of the tunnel.

Shine a light: 

Sepio’s HAC-1 solution is capable of identifying spoofed USB devices and network implants. The HAC-1 solution uses Layer 1 information to calculate a digital fingerprint of all IT, OT and IoT assets, meaning every device gets identified as what it truly is. Additionally, the comprehensive policy enforcement mechanism of the HAC-1 solution, combined with its Rogue Device Mitigation capability, means that any unapproved or rogue hardware is blocked instantly, preventing any lateral movement. Sepio’s technology enables data protection at an unprecedented level thanks to complete device visibility; existing solutions are put to better use, and Zero Trust Hardware Access get achieved. With HAC-1’s Layer 1 visibility, no one is going to dim your light.