Why the Internet of Things is a penetration tester’s most valuable asset.

As technology moves at a seemingly exponential rate of growth and changes every day, more and more devices are being developed to contain additional “customer-savvy” features. Collectively termed the Internet of Things (IoT), this new wave of technology is vast. Where historically a system in question would be a server or workstation, the type of devices covered under the IoT umbrella could range from a vending machine to a traffic light.

Smart TVs, thermostats, and robot vacuums are just a few examples, each with its strain of services and features meant to benefit the end-user. Although this Star Wars-esque world of human and machine symbiotic relationships might sound exciting to some, it sounds like a nightmare to any security-minded individual.

Every feature, package, software update, or service provided by a device can be thought of as another hole in the hull that is the security of your organization’s fleet. If it can talk, it can walk.

Bad Thermostat

In July of 2017, the Washington Post released an article describing a successful exfiltration of over 10GB of data from an American casino by hackers. How could the malicious hackers possibly have infiltrated such a closely monitored facility such as a casino?

The answer: a thermostat on a fish tank. The smart thermostat was connected to a PC, from which the hackers were able to reach deeper into the internally networked systems present in the casino. The casino did not secure their entire scope, which included IoT devices, and suffered from it. They could have had outstanding physical security procedures, data sanitization policies, system security, and patching procedures, but none of it mattered because of one tiny window of opportunity that the adversaries took advantage of.

The thermostat in the casino story is what someone in the penetration testing business would call a pivot point. Anything that acts as a gateway from the attacker to an additional target can be thought of a pivot point. These outposts can prove extremely valuable to a penetration tester.

Chances are that if the device is offering a service, that service can be taken advantage of. There are examples of manipulation with TVs, smart fridges, or in the case of the casino, thermostats. It’s important for security leaders to think about their entire asset inventory and network topology as a dynamic environment.

One can easily fall into the mindset that sectioning devices ensures that they are segregated – it doesn’t. Just because a hacker on device A can’t reach device C directly doesn’t mean that they can’t reach it via device B.

Don’t Leave IoT Out of Your Security Vision

From a hacker’s point-of-view, and more importantly from an actual threat actor’s point-of-view, the thought of more and more entryways with their respective vulnerabilities is mouthwatering. With a higher number of opportunities comes a higher rate of success.

When mitigating risk, it’s critical to gather the whole scope in question, including IoT. Even if production and development servers employ proper access controls, patching schedules, and are properly segregated on the network, it doesn’t mean the job is done.

Technology is moving towards an ever-increasingly connected world, and it’s the responsibility of all of us to ensure that device-to-device communications are not jeopardizing the security of environments.