I have been telling clients privately for a while now that IoT (Internet of Things) and BYOD (Bring Your Own Device) gear should be kept out of the internal network. Allowing employee (or guest) devices onto your internal network is a bad idea, and I have advocated physically isolating those devices from it. I am not an advocate of VLANs; to me isolation means a separate physical wire, and that is how I set up isolated networks. With things like Nest and Ecobee in the "smart thermostat" range, and all the other devices that now populate (or infest) your network, you REALLY need to consider the astounding lack of security in these devices. From thermostats to TVs to consoles to tablets and phones and beyond, the number of things that want access to the Internet is growing beyond control. The only way to keep them from being a direct line into your network is either to deny them access altogether or to put them on an isolated network. Brian Krebs describes just one of many horrid security defaults shipped by IoT vendors: according to his article, Trane's smart thermostats shipped with some really bad settings. I'll post a good chunk of the article; no need to reinvent the text:
One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.
The two other bugs Cisco reported to Trane would allow attackers to install their own malicious software on vulnerable Trane devices, and use those systems to maintain a persistent presence on the victim’s local network.
On January 26, 2016, Trane patched the more serious of the flaws (the hardcoded credentials). According to Cisco, Trane patched the other two bugs as part of a standard update released back in May 2015, but apparently without providing customers any indication that the update was critical to their protection efforts.
What does this mean for the average user?
“Compromising IoT devices allows unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat’s firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”
Hidden accounts and insecure defaults are not unusual for IoT devices. What’s more, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. Trane’s instructions for applying the latest update are here.
“For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario,” Williams wrote in an email explaining the research. “I suspect as we start seeing more IoT devices that require security updates this is going to become a common problem as the lifetime of IoT devices greatly exceeds what would be thought of as the typical software lifetime (2 years vs 10 years).”
If these IoT vulnerabilities sound like something straight out of a Hollywood hacker movie script, that’s not far from the truth. In the first season of the outstanding television series Mr. Robot, the main character [SPOILER ALERT] plots to destroy data on backup tapes stored at an Iron Mountain facility by exploiting a vulnerability in an HVAC system to raise the ambient temperature at the targeted facility.
Once these things get released they often never get any further updates (Trane did eventually patch all three issues, but two of the fixes went out in a routine May 2015 update with no indication that it was critical, so customers had no reason to prioritize it). If you want to keep your network secure, you need to get IoT and BYOD devices off of it. Contact ETC Maryland on how to keep your networks safer in this sea of insecure devices.
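Putting the IoT/BYOD gear on its own wire only helps if the box that wire terminates on refuses to forward new connections from that wire into the internal LAN. Below is an added example of what that looks like on a Linux router or firewall using nftables; it is my illustration for this post, not Trane's, Cisco's or Krebs' material, and the interface names (eth0 for the LAN, eth1 for the IoT wire, eth2 for the uplink) are assumptions you would swap for your own. The script prints a hardened forward ruleset by default, prints the common "it's on its own NIC so it must be isolated" ruleset next to it under --audit, and flags which of the two still lets a compromised thermostat reach the LAN.

```shell
#!/bin/sh
# Added example (not from the original post or from any vendor): build an
# nftables forward-chain ruleset for a router/firewall that has a dedicated
# physical NIC for IoT and BYOD devices, and audit a ruleset for the one rule
# that must never exist: IoT -> LAN accept. Interface names are assumptions;
# override them in the environment.
LAN_IF="${LAN_IF:-eth0}"   # trusted internal network
IOT_IF="${IOT_IF:-eth1}"   # separate physical wire for thermostats, TVs, guest devices
WAN_IF="${WAN_IF:-eth2}"   # uplink to the Internet

# Hardened ruleset: IoT/BYOD may reach the Internet and may answer connections
# the LAN opened to it, but can never initiate a connection toward the LAN.
gen_iot_ruleset() {
  cat <<EOF
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "iot-to-lan-blocked: " drop
  }
}
EOF
}

# The weak setup for comparison: the IoT wire sits on its own NIC, but the
# forward chain still accepts IoT -> LAN, so a thermostat compromised through
# its hardcoded SSH account can reach every internal host.
gen_flat_ruleset() {
  cat <<EOF
table inet flat {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$IOT_IF" oifname "$LAN_IF" accept
    iifname "$IOT_IF" oifname "$WAN_IF" accept
    iifname "$LAN_IF" accept
  }
}
EOF
}

# Audit helper: reads a ruleset on stdin; returns 0 (true) if any rule accepts
# new connections entering on IOT_IF and leaving on LAN_IF.
ruleset_allows_iot_to_lan() {
  grep -E "iifname \"$IOT_IF\" +oifname \"$LAN_IF\" .*accept" >/dev/null
}

# Convenience wrapper: prints "allowed" or "blocked" for a named generator.
iot_to_lan_status() {
  if "$1" | ruleset_allows_iot_to_lan; then echo allowed; else echo blocked; fi
}

case "${1:-}" in
  --check)
    # Syntax-check the hardened ruleset with nft without loading it.
    gen_iot_ruleset | nft -c -f - ;;
  --audit)
    for gen in gen_flat_ruleset gen_iot_ruleset; do
      echo "$gen: IoT -> LAN $(iot_to_lan_status "$gen")"
    done ;;
  *)
    gen_iot_ruleset ;;
esac
```

Note the ordering in the hardened chain: the LAN -> IoT accept lets you reach a thermostat's management page from inside, and the established,related rule lets its replies come back, but nothing the IoT side starts on its own ever gets past the drop (and the log prefix gives you something to alert on when a device tries). Run it with --check on the router to have nft validate the syntax before you load it with nft -f.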