Last April, OpenDNS Director of Security Research Andrew Hay decided on a whim to give a quick talk about information security and the Internet of Things (IoT). That talk kicked off a year-long process for Hay that would lead to him combing through terabytes of network traffic logs from around the world, organizing late night hacking sessions on Internet-connected TVs, and alerting multiple IoT infrastructure providers on exploitable vulnerabilities in their own systems. After months of detailed research, Hay says that he and the rest of the OpenDNS Security Labs team are ready to publicly share the first data-driven research paper that analyzes the security risks present in the enterprise Internet of Things.
The report, titled “The 2015 Internet of Things in the Enterprise Report” and available today on the OpenDNS website, provides a never-before-seen look into the security implications of IoT devices used in modern business environments. Using anonymized data collected from over ten thousand networks during the first three months of 2015, the report not only identifies the IoT devices that are most prevalent in the enterprise, but also reveals serious vulnerabilities that were discovered in the infrastructure used to connect these devices to the Internet.
“I didn’t think that I’d be dedicating this much time or resources to the research, because I thought I would just find some toys that were beaconing out to the Internet,” said Hay. “I didn’t expect to find consumer storage devices in regulated industries that are uploading data to the Internet. I didn’t expect them to be connecting to infrastructure that was susceptible to patchable vulnerabilities.”
Hay says that his first interest in IoT security came after he was invited to speak at the 2014 SANS Digital Forensics and Incident Response Summit in Austin, Texas. As part of a series of lightning talks, Hay delivered a six-minute presentation called “Internet of Perjury (IoP): Asset Identification and Confirmation.” Many of the key points laid out in that talk, such as how analysts could identify the IoT devices on their own networks, how they could analyze the security implications of those devices, and what security risks are presented by different IoT device categories, were not being widely discussed by information security professionals.
“How prevalent are these devices? How exploitable are they? How concerned should we be from a law enforcement perspective, in terms of using them for digital evidence? When I looked around before presenting this talk, nobody seemed to know,” said Hay.
Act I: The Plan
When asked about what sets this report apart, Hay points to the fact that the report is not only data-driven, but that it is the first of its kind to use traffic from live enterprise networks. He knew that by drawing on OpenDNS’s unique view into the network traffic requests of over 10,000 businesses around the world, he would be able to see more IoT device traffic from a global perspective than almost anyone else. But collecting data on IoT devices still wasn’t going to be easy.
“When we first started to look at the popular IoT devices that people use, we found the actual documentation to be really sparse,” said Hay. “They didn’t tell you what networks or domains to allow and there was often no information about networking at all beyond ‘make sure this device can talk to the Internet using HTTP or HTTPS.’ This goes against what security people have been taught, in terms of locking down communications for any device on the network.”
Act II: The Data
Hay then began using OpenDNS’s Investigate tool, supplemented with IoT device API documentation and published research from third-party sources, to begin building a list of key indicators for the network traffic from most of the popular IoT devices. For devices ranging from Fitbit wearable trackers and Western Digital My Cloud personal hard drives to Samsung Smart TVs, Hay could use these indicators to cross-reference the device queries with a list of anonymized enterprise organization IDs. From there, he could identify the devices that are present in specific industry verticals.
Identifying which services the IoT devices were querying gave Hay a list of the infrastructure that the devices were relying on to provide updates, store data and more. Using third-party tools such as the SHODAN search engine, Filippo Valsorda’s Heartbleed Test and Qualys SSL Labs’ online scanner, Hay could then sequentially examine the backend infrastructure to see which domains were secure and which ones contained obvious vulnerabilities that could put enterprise users’ data at risk.
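The two steps described above (matching device queries against a list of domain indicators, then collecting the backend domains those devices depend on so they can be checked with an external scanner) can be reproduced on a small scale against a DNS query log. The following is an added example written for this article, not OpenDNS's own tooling or the Investigate tool; the log format, the organization-to-vertical mapping and every indicator domain are constructed placeholders, since real indicators come from vendor documentation and published research as the text notes.

```python
"""Match DNS query logs against IoT device indicators and summarize findings.

Added example, not OpenDNS code. The indicator domains, log format and
org-to-vertical mapping below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed indicator list: device category -> domain suffixes that the
# device is assumed (hypothetically) to query for sync, updates or beacons.
IOT_INDICATORS = {
    "wearable-tracker": ("sync.wearable.example.com",),
    "personal-cloud-storage": ("relay.storage.example.net",
                               "update.storage.example.net"),
    "smart-tv": ("beacon.tv.example.org",),
}

# Constructed mapping from anonymized organization ID to industry vertical.
ORG_VERTICAL = {"org1": "healthcare", "org2": "financial-services",
                "org3": "oil-and-gas"}

# Constructed log format: "<timestamp> org=<anon-id> qname=<queried name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) org=(?P<org>\w+) qname=(?P<qname>\S+)$")

SAMPLE_LOGS = [  # constructed sample lines, including one malformed entry
    "2015-01-12T08:01:03Z org=org1 qname=sync.wearable.example.com.",
    "2015-01-12T08:01:05Z org=org1 qname=www.example.com.",
    "2015-01-12T08:02:10Z org=org2 qname=relay.storage.example.net",
    "2015-01-12T08:02:11Z org=org2 qname=api.update.storage.example.net",
    "2015-01-12T08:03:00Z org=org3 qname=beacon.tv.example.org",
    "2015-01-12T08:03:01Z org=org3 qname=beacon.tv.example.org",
    "this line is malformed and is skipped",
]


def classify(qname):
    """Return the device category whose indicator matches qname, else None.

    A query matches if it equals an indicator domain or is a subdomain of it;
    the trailing dot of a fully qualified name is ignored.
    """
    name = qname.rstrip(".").lower()
    for category, suffixes in IOT_INDICATORS.items():
        for suffix in suffixes:
            if name == suffix or name.endswith("." + suffix):
                return category
    return None


def parse(lines):
    """Yield (org, qname, category) for each well-formed line that matches."""
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the run
        category = classify(match["qname"])
        if category:
            yield match["org"], match["qname"].rstrip(".").lower(), category


def summarize(lines):
    """Count matched queries per organization and device category."""
    counts = defaultdict(lambda: defaultdict(int))
    for org, _qname, category in parse(lines):
        counts[org][category] += 1
    return {org: dict(cats) for org, cats in counts.items()}


def devices_by_vertical(lines):
    """Map each industry vertical to the set of device categories seen in it."""
    seen = defaultdict(set)
    for org, _qname, category in parse(lines):
        seen[ORG_VERTICAL.get(org, "unknown")].add(category)
    return {vertical: sorted(cats) for vertical, cats in seen.items()}


def backend_domains(lines):
    """Return the sorted set of backend names the devices depend on.

    This is the list a defender would feed to an external TLS scanner and
    to an egress allowlist, since the devices' documentation rarely says
    which domains they need.
    """
    return sorted({qname for _org, qname, _cat in parse(lines)})


if __name__ == "__main__":
    for org, cats in summarize(SAMPLE_LOGS).items():
        print(org, ORG_VERTICAL.get(org, "unknown"), cats)
    print("backend domains to review:", backend_domains(SAMPLE_LOGS))
```

The output of `backend_domains` is the hand-off point to the third-party checks mentioned above: each name is what the device actually resolves, so it is also the minimal set to permit in an egress policy once the backend has been reviewed.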
Act III: The Results
Despite containing billions of combinations of domain names and origin and destination IP addresses, Hay says that the data quickly revealed specific security information once he applied the right tools. IoT devices were long ago identified as potential problems for the enterprise, due to how difficult it is to patch them and the fact that they often transmit data without the user’s knowledge. Not only are these problems also associated with the Internet-connected USB hard drives and smart TVs found in some of the world’s most highly regulated industries (including the oil and gas, healthcare and financial services verticals), but the infrastructure supporting these devices contains security issues as well.
The most prominent consumer storage devices found in the enterprise were Western Digital My Cloud hard drives. In addition to the risk that sensitive data could be uploaded to the cloud by employees, previous research showed that these hard drives are susceptible to a configuration flaw that could make the data on the drives show up in Google search engine results.
Samsung Smart TVs, by far the most widely-used devices of their kind, essentially act as web servers behind the firewall. In addition to the TVs acting as a potential route for network compromise, they continually beacon out to an online service that may or may not be maintained by the device manufacturer (Hay says that Samsung had not responded to his inquiries at the time of publication) — another possible way for bad actors to take over a device on an enterprise network.
“These devices are making their way into our corporate networks, but they’re not being treated with the same care and due diligence that we treat enterprise appliances,” said Hay. “We’re just plugging these into the sensitive networks, when they’ve been designed for the home and tested only as a consumer device.”
Several IoT hosting platforms were also found to contain known vulnerabilities. In one case, Hay found an IoT service that was vulnerable to Heartbleed, a serious and highly publicized SSL flaw first revealed in April 2014 (the service has since been patched). Dozens of other domains were vulnerable to the FREAK vulnerability or used older, insecure cryptography to encrypt the traffic from IoT devices. Hay said that he worked with several vendors prior to the report’s release to make sure the flaws in their systems were patched.
Hay says that an even bigger and potentially more troubling prospect is the idea that older devices may rely on infrastructure that is eventually moved or not maintained.
“Some of the issues that are known with medical devices, specifically, are that they run embedded operating systems that are rarely patched or protected,” he said. “These are beaconing out to the Internet for updates, to domains that have the potential for being hijacked or even disrupted. That’s an obvious security concern.”
A year later, Hay says that his work on IoT research is still unfinished. In his original talk, he spoke about creating a way to share data on IoT devices with other security professionals and researchers, something that he hopes this report will partially achieve. He’s also interested in building on the work he’s done thus far with more in-depth analysis of IoT devices in a controlled laboratory environment. Hay also points to the Cloud Security Alliance’s work on early IoT adoption as a good place to start for security professionals who are looking for guidance on how to secure their networks and IoT devices.
“It’s inevitable that more standards, programs and best practices will be built to guide the safe adoption of IoT devices in the enterprise,” he said. “I think there needs to be a partnership between new IoT startups and the security industry to make sure that device manufacturers are operating safely and securely.”
As part of our efforts to help security professionals gain better awareness and visibility of IoT use in their businesses, we have updated the Cloud Services Report feature — available to customers through the Umbrella platform dashboard — to identify the IoT devices present on their networks. The Cloud Services Report feature helps security professionals determine whether employees are using the cloud services sanctioned by their company’s IT department or other, unapproved services. It is available to all OpenDNS Umbrella Insights and Platform customers as part of their normal subscription.
To learn more about the Cloud Services Report feature, visit https://www.opendns.com/enterprise-security/solutions/cloud-services-report/.
To sign up for a free trial of OpenDNS Umbrella Insights and find out what IoT devices are present on your network, visit: https://signup.opendns.com/freetrial/.
Have questions for Andrew, or just want to learn more about the report? Join us for a live Twitter chat with Andrew Hay and OpenDNS senior security researcher Mark Nunnikhoven at 10 AM PT on Tuesday, June 9th! Tweet us your questions with #RIOT15.