Recent cyberattacks that harnessed digital devices to cripple websites confirm the concerns cybersecurity experts have long expressed about the threat posed by the internet of things (IoT). Many connected corporate devices, from VoIP phones and connected printers to smart video conferencing systems, have outdated firmware and can be hacked in minutes, according to new research from ForeScout Technologies.
"The IoT is the new battleground for security," says Pedro Abreu, chief strategy officer at ForeScout, which makes software to help companies find and protect devices on their networks. "It's where the entry points are that are really making you vulnerable."
CIOs have spent the past two decades using firewalls, antivirus and anti-malware tools to build protective moats around servers and PCs. But it's what Abreu calls the "unusual suspects" that can wreak havoc. Hackers are weaponizing digital cameras, video conferencing systems, DVRs and other internet-connected devices, triggering massive distributed denial-of-service (DDoS) attacks that grind websites to a halt.
IoT devices are easily hackable
Enlisting an IoT device for a DDOS attack isn’t hard. ForeScout hired self-described ethical hacker Samy Kamkar to demonstrate how to hack and command an enterprise-grade security camera, which was unmodified and ran the latest firmware from the manufacturer.
In less than an hour, Kamkar exploited the device's default password, gained root SSH access and planted a backdoor that would let him keep controlling the camera even if the administrator changed the password. He also installed a second backdoor that let him open an outbound connection and launch various attacks from the device.
"[The exploit] gives hackers full privilege and allows them to control the device completely, or use it as proxy to hit other systems in that network or even other organizations on the internet," Kamkar says. The camera can then be joined with thousands of other devices, coalescing into a botnet capable of launching a DDoS attack, Kamkar says.
If Kamkar's exploit sounds familiar, it's because this was exactly the kind of DDoS attack that brought down Twitter, Feedly, Netflix, Spotify and several other websites last Friday. The attack exploited manufacturer-set passwords to enslave more than 100,000 webcams and DVRs in the Mirai botnet, which in turn bombarded the network infrastructure operated by internet address look-up service Dyn, preventing customers from reaching more than 1,200 domains. The Obama administration has vowed to take steps to mitigate these attacks.
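The two behaviours the camera demonstration produced, an SSH login from outside the management network and an outbound connection the device has no legitimate reason to make, are both visible in ordinary network flow records. The following is an added example, not from ForeScout or the article, of a small flow-log check against a per-device-class egress policy; the inventory, subnets, ports and log lines are all constructed for illustration.

```python
"""Flag IoT devices behaving like the compromised camera: inbound SSH from
outside the management subnet, or outbound connections to destinations not in
the device class's egress policy (the backdoor's reverse connection)."""
from ipaddress import ip_address, ip_network

# Constructed asset inventory: device IP -> device class (hypothetical values).
IOT_INVENTORY = {"10.0.5.21": "camera", "10.0.5.22": "camera", "10.0.6.10": "voip-phone"}
# Constructed policy: (destination, port) pairs each class may legitimately reach.
ALLOWED_EGRESS = {
    "camera": {("10.0.1.5", 554), ("10.0.1.9", 123)},  # NVR stream, NTP
    "voip-phone": {("10.0.2.4", 5060)},                # SIP server
}
MGMT_NET = ip_network("10.0.1.0/24")  # only admins here may SSH to devices

def parse_flow(line):
    # Constructed flow format: timestamp src dst proto sport dport
    ts, src, dst, proto, sport, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport)}

def analyze_flows(lines):
    """Return (timestamp, device, finding, detail) tuples for suspicious flows."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        # Inbound SSH to a known IoT device from outside the management subnet
        if f["dst"] in IOT_INVENTORY and f["dport"] == 22 and ip_address(f["src"]) not in MGMT_NET:
            alerts.append((f["ts"], f["dst"], "ssh-from-untrusted", f["src"]))
        # Outbound from a known IoT device to a destination its class is not allowed
        cls = IOT_INVENTORY.get(f["src"])
        if cls and (f["dst"], f["dport"]) not in ALLOWED_EGRESS[cls]:
            alerts.append((f["ts"], f["src"], "unexpected-egress", f"{f['dst']}:{f['dport']}"))
    return alerts

# Constructed sample flows (RFC 5737 documentation addresses for "internet" hosts).
SAMPLE_FLOWS = [
    "2016-10-24T10:00:01Z 10.0.5.21 10.0.1.5 tcp 40001 554",      # camera -> NVR, expected
    "2016-10-24T10:00:05Z 10.0.1.7 10.0.5.21 tcp 51000 22",       # admin SSH from mgmt net
    "2016-10-24T10:01:10Z 203.0.113.9 10.0.5.22 tcp 44444 22",    # SSH from the internet
    "2016-10-24T10:02:30Z 10.0.5.22 198.51.100.3 tcp 39000 8080", # camera dialling out
    "2016-10-24T10:03:00Z 10.0.6.10 10.0.2.4 udp 5060 5060",      # phone -> SIP, expected
]

if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(*alert)
```

The egress policy is the important part: a camera that only ever needs to reach its recorder and an NTP server has a tiny allow-list, so any other destination is worth an alert regardless of what the device claims to be doing.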
Abreu says that the Dyn attack prevented ForeScout from reaching some of its corporate cloud services, including Salesforce.com and Okta. It was an inconvenience, though Abreu said it would have been far worse if, for example, ForeScout's sales staff couldn't access their customer data in Salesforce.com to complete a quarterly close.