The dark side of the IoT: Potential threats abound

Tony Kontzer
January 06, 2017

As the IoT makes its way into every enterprise in one way or another, it's critical that organizations brace themselves for the risks that come with an around-the-clock network of devices exchanging data. And make no mistake: The risks are numerous, and the list is getting longer all the time.

Like it or not, the IoT is a tempting new target and is also a platform for launching new approaches to tried-and-true attack strategies.

What's more, the very nature of the IoT — embedded devices, convergence, cloud-based controls, and a wide variety of communications protocols — adds some serious challenges to IT security teams' to-do lists. As Ed Skoudis, faculty fellow and penetration testing curriculum lead at the SANS Institute, put it during a keynote panel at the RSA Conference in San Francisco in February, "This thing gets really complicated, really fast."

In other words, IT security teams need to come at securing this fast-growing area with new tools, fresh perspectives, and some serious risk analysis. In the previous article (link to the first article), we established the push and pull of the IoT — that it represents significant business opportunities that more than balance out this expanded universe of threats. Now let's drill down into this growing threat profile for a better understanding of what organizations should expect to face.

Ransomware

Ransomware has evolved into a favorite method of attackers, but the IoT is allowing this category to evolve into something much more nefarious. In the pre-IoT "old days," a ransomware attack was very specific: The bad guy gets access to some data, locks it up, and demands a ransom to give it back. But attackers have figured out that the IoT allows them to achieve the same result in many new ways.

For example, attackers can use the IoT to literally shut down portions of a business. We saw this last year when attackers took over the room key system of a hotel in Austria. Attackers could potentially take over manufacturing equipment, traffic light controls, even police and fire dispatch systems. The possibilities are dizzying.

Even seemingly mundane IoT assets can help the bad guys achieve their goals. Skoudis told the RSA Conference audience that a recent attack on the San Francisco Transit Authority interrupted its ability to take payments, but did not affect its ability to run its MUNI trains. SFTA simply allowed passengers to ride for free until it had shored up the vulnerability, and in that case no ransom was paid. Next time, SFTA might not be so lucky.

Things can get even more esoteric when attackers start using the IoT to make it seem like there's an immediate threat.

"If I can convince people that I can control something, that's really using psychology to make money," Gil Sorebo, chief cybersecurity strategist at government and healthcare consultancy Leidos, said during a panel discussion at the RSA Conference.

That psychology will become even more powerful as attackers get more brazen with their demands. So don't expect future attacks to ask for only the $1,800 ransom the attackers demanded of the Austrian hotel. Eventually, the bad guys will figure out the optimal pain threshold for their targets.

"They're working on their pricing strategy," Sorebo quipped at the RSA Conference.

DDoS attacks

The potential damage that can be inflicted in an IoT DDoS attack is downright nerve-wracking. The IoT-based attack that used security surveillance cameras to bring down more than 1200 web sites around the world last fall will seem like a trifle compared to the possible scenarios the security community is envisioning.

Take a so-called Smart City. San Diego, which has jumped to the forefront in connecting its array of services via the IoT, could be crippled in many ways by a well-planned attack.

"Imagine a hacker targeting a city by compromising IP cameras and bringing down police and fire department eyes on the city," Chad Bacher, senior VP of product strategy and technology alliances for security firm Webroot, said at the RSA Conference. "That's a much bigger risk than in a traditional IT environment."

End-point proliferation

Thanks to the IoT, the sheer number of possible points-of-entry and devices to protect is steadily growing beyond what most IT teams can keep up with. Continuing with the Smart City example, Bacher pointed to the expanding array of attack vectors the IoT presents, with remote IP cameras, traffic signals, connected cars, sewer and water systems, power grids…the list goes on. All of those endpoints are communicating with one another, creating a monumental challenge in managing and securing all of those data flows.

Ed Fok, a transportation technologies specialist with the Federal Highway Administration, got RSA Conference attendees thinking hard when he offered up a scenario in which hackers cut off the warning systems on self-driving cars, thereby suppressing the alerts that would warn drivers of an impending collision. Suppressing an alert could have implications in a number of IoT-enabled settings, raising concerns about hackers being able to truly "weaponize" IoT devices.

The takeaway is that security teams tasked with locking down IoT devices and networks have to turn over every rock in doing so.

"We're seeing entry points we've never seen before," said Fok, who declined to offer detailed examples so as not to tip off the bad guys. "Let's just say we're looking, and leave it at that."

Insider threats

The potential for IoT devices and systems to be used by a disgruntled employee or contractor to launch an attack on their employer represents fertile ground. And given that an insider threat field guide recently released by Intel offers up a matrix of more than 60 attack vectors, IT security teams have a lot of possibilities to consider.

Changing risk profiles

The evolution of all of these attack categories serves as a reminder that the IoT increases the speed and scope with which risk profiles are changing. The implications for network infrastructure are broad, as scanning and monitoring activities need to be stepped up, as do network intelligence capabilities. In essence, organizations need to work harder to be prepared.

"We're already trying to think 10-15 years out: What kind of resilient network do we need to build?" Gary Hayslip, CISO for the City of San Diego, told RSA Conference attendees. "I'm very paranoid about these new things we're bringing in."

And well he should be. But that paranoia shouldn't stop organizations from taking full advantage of all the IoT has to offer. That said, they must take every necessary step to ensure that they've armed themselves sufficiently to prevent the IoT's inherent vulnerabilities from spiraling out of control.

Addressing the dark side starts with your network infrastructure. Learn more about the IoT, its impact on your organization's network and how ALE can help you address it.

Tony Kontzer

Having spent the dot-com boom and bust years in Silicon Valley, he's had a front-row seat for the evolution of the technologies that have been the foundation of IT-powered business—from the growth of client/server computing, through the birth of the commercial Internet, to the emergence of cloud computing, social media and big data. He has been a regular contributor to publications such as Investor's Business Daily, Baseline, Network Computing and TechTarget, as well as numerous technology community sites.

A 1988 graduate of the University of Missouri-Columbia School of Journalism, Tony spends his non-working hours chasing after his two young sons, handing money to his teenage son, and trying desperately to get his wife to answer the phone.
