New Security Risks Posed by Wearables & IoT

Cyber Risk

April 25, 2019

Aaron Kraus

What are these devices?

The terms "Wearables" and "Internet-of-Things (IoT)" enjoy plenty of marketing buzz, but how many people fully understand these now-ubiquitous technologies and the challenges they bring to cybersecurity? Wearable devices are typically limited-capability devices designed to be worn by one individual. "Limited-capability" refers to their design as single-user devices, not to raw horsepower (obviously some smartwatches are quite powerful, with AI-backed personal assistants built in). Think of smartwatches, step counters, and sleep trackers.

The Internet-of-Things is a deliberately vague term because it refers to connecting pretty much anything and everything to the Internet. In general, IoT refers to devices that provide an interface between the physical and virtual worlds, such as internet-connected dishwashers, thermostats, and home automation systems. The category increasingly includes elements of autonomous vehicles and parts of industrial control systems as well.

Risky Business

Whether we like them or not, these devices are entering our businesses, and they bring significant risks. Below are examples of the risks these devices can present:

  • Lights out: the LIFX light bulb, an IoT device that exposed sensitive information such as network passwords and internal device secrets when discarded (see limitedresults.com/2019/01/pwn-the-lifx-mini-white for full details).
  • Mirai botnet: a network of compromised IoT devices such as CCTV cameras that caused disruption to major online platforms like Twitter and Netflix. The operators of these cameras became unwitting participants in DDoS attacks.
  • Alexa in the office: my dentist’s receptionist brought an Echo Dot to work. Given that she talks about treatments and payment details all day, I have to wonder: Is Alexa’s speech cloud HIPAA- or PCI-compliant? If not, is that unwanted eavesdropping?
  • Remote workers: Do your employees work from home? Do you know if they’ve got Google, Siri, or Alexa listening in to your business conversations?
  • Fitness trackers, A-fib, and CJIS: atrial fibrillation (an irregular heartbeat) can be detected by many fitness trackers, and those same trackers connect to your company WiFi, carrying health data onto your network. Criminal Justice Information Services (CJIS) likewise defines protection requirements for data used in support of criminal investigation and prosecution.
  • Employee data and compliance: if an employee has a heart attack, or downloads video of a burglary from their smart doorbell, does that change your company's compliance requirements because of the types of data now being stored on your network? How would you even know that data is being introduced to your network?

With all these potential risks, why are we using these devices? From a business's standpoint, IoT and wearable sensors are a vital source of information in the knowledge economy, and they can offer significant cost savings (a camera can monitor and alert on activity 24x7 for a fixed cost, while a human guard doing the same would be exponentially more expensive). Employees and consumers find these devices valuable for many of the same reasons: for relatively little cost, we get extra convenience like lower energy bills or better health outcomes. Plus, shiny gadgets are just fun - being able to ask Siri for lighting that matches my mood is pretty cool (yes, I have asked for my Northern Lights scene while watching Frozen)!

Five Key IoT & Wearable Risks

Given that these devices are entering our businesses, and there’s little chance that trend will slow down, how can we start to address the risks posed by wearables & IoT devices? Below is a set of five key risk vectors and associated countermeasures to help mitigate them.

1) Low-power devices without sufficient processing capacity for security controls

  • These devices often lack common security abilities such as complex passcodes or device encryption.
  • Consider additional compensating controls like logical network segregation, additional network monitoring, and more stringent network access control to block devices that are too limited.

2) Devices are often unsupported because they are low cost, produced by companies without security skills or focus, and subject to a "set-it-and-forget-it" mentality

  • Companies selling cheap connected lightbulbs have no financial incentive to patch software flaws or, worse, may lack the skills to build secure products in the first place. Users of these products don't think about things like software patches for their lighting!
  • Businesses may need to focus security effort in non-traditional areas like facilities management, and implement additional oversight. This could be in the form of additional audits (e.g., physical walkthroughs to spot IoT devices), and more robust network management such as IP Address Management (IPAM) to identify these devices upon connection.

3) Persistent internet connectivity

  • In order to be useful, these devices need connectivity such as WiFi or Bluetooth to share data.
  • To address this risk, data and network management controls like segregation, AI-powered monitoring and rules enforcement may be appropriate to spot unusual behavior (why is my thermostat suddenly sending 1 Gbps of traffic?). Operational controls such as SOC functions or MSSP monitoring must evolve to include these devices.
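The two countermeasures above that can be automated today are the IPAM-style identification of unknown devices as they connect (item 2) and the per-device traffic monitoring that would catch a thermostat suddenly sending 1 Gbps (item 3). The following script is an added example, not code from the original post or from any product it names; the inventory, DHCP lease lines, traffic counters, MAC addresses, hostnames and baseline figures are all constructed for illustration, and the threshold (10× the device's observed baseline) is an assumed tuning value.

```python
"""Constructed IoT inventory check and traffic-anomaly detector (added example).

Two checks a network team can run against data it usually already has:
  1. a DHCP lease log, to spot devices that are not in the asset inventory
     (identify devices upon connection), and
  2. per-device outbound byte counters, to spot a device sending far more
     than its baseline (why is my thermostat suddenly sending 1 Gbps?).
All inventory, lease and counter data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # e.g. "iot" or "workstation"
    baseline_bps: float  # typical outbound bits/second from past observation (constructed)


# Constructed asset inventory keyed by MAC address (the IPAM side of the check).
INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("lobby-thermostat", "iot", 2_000.0),
    "aa:bb:cc:00:00:02": Asset("parking-cctv-01", "iot", 1_500_000.0),
    "aa:bb:cc:00:00:03": Asset("alice-laptop", "workstation", 4_000_000.0),
}

# Constructed DHCP lease lines: "<epoch> <mac> <ip> <hostname>".
# The echo-dot lease has a MAC that nobody registered in the inventory.
DHCP_LEASES = """\
1556150000 aa:bb:cc:00:00:01 10.20.5.10 thermostat
1556150030 aa:bb:cc:00:00:03 10.20.5.42 alice-laptop
1556150045 de:ad:be:ef:01:02 10.20.5.77 echo-dot
1556150090 aa:bb:cc:00:00:02 10.20.5.11 cctv01
"""

# Constructed per-device counters: "<epoch> <mac> <bytes_out in a 60 s window>".
# The thermostat's second window works out to exactly 1 Gbps.
FLOW_COUNTERS = """\
1556150100 aa:bb:cc:00:00:01 14000
1556150100 aa:bb:cc:00:00:02 11000000
1556150100 aa:bb:cc:00:00:03 28000000
1556150160 aa:bb:cc:00:00:01 7500000000
1556150160 aa:bb:cc:00:00:02 10800000
1556150160 aa:bb:cc:00:00:03 31000000
"""

WINDOW_SECONDS = 60


def find_unregistered_devices(lease_log, inventory):
    """Return (mac, ip, hostname) for every lease whose MAC is not in the inventory."""
    unknown = []
    for line in lease_log.splitlines():
        if not line.strip():
            continue
        _ts, mac, ip, hostname = line.split()
        if mac.lower() not in inventory:
            unknown.append((mac.lower(), ip, hostname))
    return unknown


def find_traffic_anomalies(counter_log, inventory, factor=10.0, window=WINDOW_SECONDS):
    """Return {mac: (observed_bps, baseline_bps)} for inventoried devices whose
    outbound rate exceeds factor x their baseline in any window (worst window kept).
    Unknown MACs are skipped here; find_unregistered_devices reports those."""
    anomalies = {}
    for line in counter_log.splitlines():
        if not line.strip():
            continue
        _ts, mac, bytes_out = line.split()
        asset = inventory.get(mac.lower())
        if asset is None:
            continue
        observed_bps = int(bytes_out) * 8 / window
        if observed_bps > factor * asset.baseline_bps:
            prev = anomalies.get(mac.lower())
            if prev is None or observed_bps > prev[0]:
                anomalies[mac.lower()] = (observed_bps, asset.baseline_bps)
    return anomalies


if __name__ == "__main__":
    for mac, ip, host in find_unregistered_devices(DHCP_LEASES, INVENTORY):
        print(f"REVIEW: unregistered device {mac} ({host}) took lease {ip}")
    for mac, (obs, base) in find_traffic_anomalies(FLOW_COUNTERS, INVENTORY).items():
        print(f"ALERT: {INVENTORY[mac].name} sending {obs / 1e6:.1f} Mbps "
              f"vs baseline {base / 1e6:.3f} Mbps")
```

Running it prints one REVIEW line for the unregistered Echo Dot and one ALERT line for the thermostat; the CCTV camera and laptop stay within their baselines and are silent. The per-device baseline matters more than any absolute threshold: a camera legitimately streams megabits all day, so a single global limit would either miss the thermostat or drown the SOC in camera alerts.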

4) These devices can cause damage in the real world

  • A malfunctioning laptop can do a limited amount of damage; a hacked thermostat or healthcare device can cause serious life, health, and safety problems.
  • To counter this risk, any IoT system should have adequate manual backups/overrides available, such as emergency power off or fallback to non-connected controls.

5) Lack of visibility to corporate management (converges/accelerates Shadow IT & BYOD trends)

  • Anybody can bring an Alexa-enabled microwave into the office kitchen, suddenly adding a smart device to your network with little to no visibility beforehand.
  • Policy & process (it's nobody's favorite, but unfortunately must be done), including training and awareness of general risks and company policy related to IoT and Wearable devices.
  • Example: no digital assistant devices allowed in home offices.
  • Ensure you’ve got insurance that adequately covers your organization’s data and work arrangements, including these new types of devices.

This list of risks is by no means exhaustive, but can be used to start conversations and get your risk management team thinking about the risk from wearables & IoT. Cybersecurity risk management needs to be part of and have visibility into all business operations and decisions. Failing to adequately address these risks can make your organization a victim or, worse, an accomplice in cybercrime! Protect yourself today using Zeguro's constant monitor software to keep your business safe.