Call to action on IoT security

Large offices, schools or universities can have over 100 hardware controllers in their organisation.  This is used for meeting room, audiovisual and building control systems. These devices are shipped with default passwords that can be found with a quick google search.  Furthermore, with DHCP enabled these devices can find their way onto the internet. This creates a gateway into the broader corporate network as these controllers are connected to other devices. 

At the heart of this problem is the lack of awareness within the organisation. It is unlikely that the IT department enforce their security policies when it comes to audiovisual and building devices. Obviously this needs to change. IT security is no longer exclusively for PCs, laptops and mobile devices as almost every device in the modern building is network enabled. The Internet of Things (IoT) has been a reality in the commercial building sector for over a decade. Now IoT is going mainstream and this means hackers are becoming aware of these security vulnerabilities. 

 

Recently, an IoT search engine was released that makes it extremely easy to find the weakest link on the network. Simply search for the controller product name and hit search. You will get a list of every hardware controller that can be seen on the internet- including it’s IP address. Type that IP address into your browser and you can control that room or building. Take it a step further and use a terminal window to discover additional connected devices by using the hardware controller as a bridge. 

Big companies have been hit by this in the past. This is how Google was hacked in 2013. Since then nothing has changed, organisations continue to roll-out hardware controllers with default passwords. The only difference is the IoT search engine has made it easy for ANYONE to exploit this hacking method. 

 

As we (ACAProjects.com) focus on providing Web-Standard control platforms we work directly with the IT department. This allows us to meet specific security requirements and integrate into corporate authentication such as ADFS. There is no such thing as a default password, communication runs on standard ports and we integrate into their firewall policies.

The frustrating part is we are often forced to jump through hoops and security checks that are mostly irrelevant. To date, the security audits we have gone through are so general that they are easy to pass but so time consuming that they are hard to get through. I think Bruce Schneier's Ted talk on "the security mirage" is a good summary on why we have to go through so much process. The "theatre of security" makes us feel secure but doesn't actually do anything.  What I would love to see is a Smart Building security check that is relevant and specific to the desired application; secure control and automation of devices.

I would also like to see  IT departments  put the hardware based controllers to the same level of security assessment as any other application on their network. I am confident that their own policies would force them to remove every controller and never purchase such hardware again. The fact remains that their hardware controller is a weak point on the network with no authentication integration. Even if they have changed the default password it is still a single password that an ex-staff member could share and a number of contractors can access. 

I was going to end this by post by listing a few organisations that are at risk. But I do not want to seem like I am encouraging any attacks. I’ll sensor this by describing a few of them. The following organisations have hardware controllers exposed to the internet. My guess is at least half of these will have a default password or no password at all.  

  • One of the largest state Universities in the US
  • One of the top ten ranking Universities in the world on the East Coast of the US
  • One of the biggest cable TV providers in the US. 
  • A US State government office
  • A major University in Victoria 

 

TAKE AWAY POINTS: 

  • There needs to be a specific IoT corporate security audit process and policy
  • If you use hardware based building/AV controllers follow the steps below. 

 

CALL TO ACTION: 

  • Change your default passwords. 
  • Set static IP addresses on devices and create an isolated AV or building control VLAN.
  • Make sure your building network is not exposed to the public internet. I.E Don't enable DHCP on a device and plug your unmanaged network switch into a port with internet access
  • However, if you need internet access to the building control network limit it to specific ports, disable Telnet, require a VPN and/or integrate every exposed system to your corporate authentication to manage access levels. 
  • If your controller does not support your corporate authentication system (and therefore basic corporate security) it might be time to look at other options. 

 

Jon McFarlane