Unconfigured internet-connected devices should not be overlooked as a security risk, warns security researcher Ken Munro, senior partner at ethical hacking firm Pen Test Partners, which specialises in the security of internet of things (IoT) devices.
“IoT devices that are not configured are dangerous because they effectively function as open, unencrypted wireless access points, potentially providing a means for hackers to cause disruption or to spy on organisations,” Munro told Computer Weekly.
Many IoT devices work initially in an access point mode, so users can connect to the device using a smartphone to reconfigure it to become a client on the wireless network by entering the network security key, thereby making it much more secure.
But businesses and consumers will often elect not to connect appliances to the internet, believing this is safer. However, this overlooks the fact that these devices are typically designed to act as wireless access points by default.
“This means that if the device remains unconfigured, it will remain in the default state, making it even more vulnerable than if it were connected to the internet and configured,” said Munro.
“Although this opens up another set of vulnerabilities, organisations and consumers are becoming increasingly aware of these vulnerabilities and are therefore more likely to be aware of the risks and how to mitigate them.”
But with an unconfigured device, attackers could use a war driving or access mapping attack, which would make it easy to compromise these devices, said Munro, because the attacker could identify a target wireless network using a geolocation site, such as wigle.net, that shows wireless access points in any given location and enables account holders to search its database for unconfigured IoT devices.
“This means attackers could search for specific device types in a specific location, and then all they need to do is download the appropriate app, connect to the wireless access point of the IoT device and they have full control of that device,” he said.
Coffee makers could be a risk
Businesses could be at risk from consumer IoT devices such as coffee makers or drinks dispensers that are put in the corporate environment, but do not go through an IT security risk assessment and are thought to be safe because they are not connected to the internet.
“There is also the additional risk that if these consumer IoT devices are equipped with a camera or microphone, if the device is compromised, these could be activated to enable eavesdropping in an office environment,” said Munro.
And the risk does not stop there, he added, because appliances that have not been connected to the internet are unlikely to have had a software update since they were first installed.
“This means that an attacker could upload a rogue version of the device’s firmware to modify the way the device works,” said Munro. “A compromised IoT washing machine could be modified so that water pressure causes it to explode or a fire alarm system could be modified to prevent it detecting and responding to a fire. So not configuring a device by not connecting it to the internet is not without risk.”
This is particularly risky with devices such as wireless screen-casters, which are typically used in business environments to share laptop or mobile displays by casting them to a projector in the boardroom.
“Our research has found that these devices are often connected to corporate networks through the network ports when they are installed, sometimes without the company knowing,” said Munro. “This effectively creates a backdoor to the network through an unconfigured device that is not connected to the internet.
“The installer is directly responsible, but the manufacturer is also responsible for not really thinking about how it should be installed, and the end- user for not checking how it was installed.”
Read more about IoT security
Bluetooth connectivity poses an even greater risk than Wi-Fi, said Munro, because users often have no process in place for authenticating or authorising the mobile device they are connecting to, enabling anyone within range to connect.
The inherent security risk of IoT devices has led to calls around the world for government intervention in the form of legislation to ensure all IoT devices conform to minimum security requirements.
In what many regard as a precursor to IoT legislation in the UK, the government has published a voluntary security code of practice for the consumer IoT market that is backed by the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act in the hope that device manufacturers will follow best practice to win market approval and competitive advantage.
Munro has hailed the code of practice as an important first step to improving IoT security that puts the UK ahead of many other countries, but points out that the code does not appear to address the risk posed by unconnected, unconfigured devices.
“I don’t think it sets out a specific recommendation for radio frequency transmitters and receivers on IoT devices to be off by default,” he said, “and in my experience, as soon as you power up most of these devices, the wireless capability is enabled, with few exceptions.”
Munro believes the wireless connectivity of IoT devices should be off by default and that they should be equipped with a button or some other means to enable users to choose to turn it on and put it into pairing mode. “Currently, IoT devices with this kind of functionality are few and far between,” he said.
Although Munro has carried out proof-of-concept attacks that compromise more complex unconfigured IoT devices, such as screen-casters, to compromise corporate networks and bypass firewalls, he said that if organisations are targeted in this way, they are unlikely to be aware of it without carrying out a forensic analysis of the affected device, but that this is not possible on most IoT devices because of limited functionality.
“Even if you suspected that a device in your organisation had been targeted in this way, it would be very difficult to prove it,” he said, adding that organisations should ensure that all IoT devices are either connected and configured securely or that their wireless connectivity is turned off.
At the time, he said that although the UK code of practice was a good start, there was still a long way to go and he would like to see some basic regulation.
Since then, UK digital minister Margot James has gone on record as saying that legislation on IoT security is likely in the long run, said Munro.
“This is a big step forward and something that I have been advocating for a long time,” he said. “I think IoT suppliers have probably got about a year to start paying attention and to get things right.
“We have to regulate because there are just too many smart products on the market by too many manufacturers who just don’t care about the security risks.”