IoT, the Internet of Things, describes a set of devices that contain simple computer systems or microcontrollers and can also connect to the internet. IoT devices can be found in many modern households; thermostats, lights, and security cameras are all examples of modern IoT systems. Less commonly considered IoT devices include MRI machines, X-ray imaging systems, plastic blow-moulds, aluminum extruders, elevators, HVAC controls for skyscrapers, and even entire control systems for cargo container ships. Sometimes the distinction between IoT and other types of control systems can get a little fuzzy: as more SCADA systems start to support wireless and Ethernet services, the clear separation between a supervisory control network and the internet starts to blur, which can introduce considerable risks.
For example, one of the Coalition Security Engineers had a former life working in management consulting for global F500 clients. While touring the floor of a large manufacturing facility in Germany, the Security Engineer noticed that a new control system for an extruder included a ruggedized tablet. While the tablet was only intended to be connected to the extruder with a physical cable, the operators of the extruders quickly learned that they could enable the wireless interface and connect to the guest network to browse the internet. In this case, malware and other threats could enter a network that was never hardened to defend against such risks.
Because IoT devices are built to connect to the internet, often using minimal versions of modern operating systems, the capabilities of the device can often exceed its intended use case. As with the extruder control system tablet that also supported WiFi, these additional capabilities can be leveraged in many ways, some benign and some malign.
Because these IoT systems run minimal operating systems, they do not contain anti-virus and are unlikely to receive security updates. To understand the risks, consider the example of the lowly office printer, one of the first IoT devices we all love so much. These devices are great places for hackers to hide: no antivirus, usually great network performance and interfaces, good memory. They are a virtual homestead for hackers evading detection and living off the land. For some great reading, see the aptly named site http://hacking-printers.net/, which contains many examples of how printers and similar IoT devices can be misused. A framework for other IoT devices also exists: https://expliot.io/. Many of these IoT devices also utilize “diskless” memory called firmware that is used to store the operating system and boot the device. There is also a robust ecosystem of firmware extraction and exploitation, including tools such as binwalk and companies like ReFirm Labs (https://www.refirmlabs.com/) that enable analysis of IoT vulnerabilities by examining the device firmware.
IoT devices are the tsunami of connected devices surging onto the internet; misuse of these devices will see IoT toasters participate in DDoS attacks and the like, and also serve as unintended gateways into protected and “isolated” networks.