Monday, October 27, 2025
iotsandiego

Enterprise IoT and protecting against Bluetooth endpoint vulnerabilities: A guide

in Data & Analytics, Enterprise, IoT, Security

It is well established that IoT devices greatly increase the security challenges of defending corporate networks, and a recent PwC survey reported that 71% of manufacturers plan to deploy IoT devices, despite the associated risks. It seems like the IoT train has left the station and is rushing full steam ahead towards the horizon.

In order to continue to travel safely, enterprises must understand the risks of deploying IoT devices and how to mitigate them. This assessment process should consider the devices that create the risk, an analysis of the type of attacks that they can be used for and the potential implications and regulatory risks.

When it comes to leveraging vulnerabilities on these devices, one area that is frequently overlooked is Bluetooth. This low-powered wireless technology is on every endpoint, is widely used in IoT devices, and is often active and usually discoverable by default.

It’s easy to think of Bluetooth as a relatively harmless technology from a security point of view. It’s widely believed that its apparent short range means attackers have to be in very close proximity in order to exploit it, and that there’s not much they could do with it even if they were.

Bluetooth connections are encrypted, but that has not stopped researchers finding vulnerabilities allowing them to eavesdrop on connections between phones and headsets. Bluetooth can be used to transfer files from one device to another, so if an attacker could access a device via the Bluetooth protocol they could also potentially access sensitive information on that device.

The apparent “10 metre range” is also vulnerable. Using a directional antenna, Bluetooth discoverability can be extended to over a mile. Range can also be extended by piggybacking signals off other devices or by using Bluetooth beacons.

One of the biggest issues involving Bluetooth vulnerabilities is BlueBorne. First revealed in September 2017, BlueBorne is a collection of vulnerabilities that can allow an attacker to take over a device, infect it with malware or mount MITM attacks. Patches have been made available and most up-to-date PCs, smartphones and Apple devices are now protected, but legacy devices and unpatchable Android devices remain at risk.

The risk of BlueBorne is magnified by Bluetooth mesh networking, which allows many-to-many connections, meaning an attacker could easily jump from one device to another and build a Bluetooth botnet.

More recently, a threat known as BleedingBit emerged, exploiting two critical chip-level vulnerabilities in Bluetooth Low Energy chips made by Texas Instruments. These chips are so common that attackers could simply walk into the lobby of a company, scan for available Wi-Fi networks and begin their attack. Critically, BleedingBit does not require attackers to be paired with the target device or have any prior knowledge of the device’s information.

How to protect the enterprise

Some security software makes this easier than others. The recent International Botnet and IoT Security Guide by the CSDE (Council to Secure Digital Economy) states that botnets are more frequently targeting enterprise IoT and other IoT devices with more complex processors and architectures. And indeed, the risk will increase as more devices find their way into corporate environments.

Where possible, consider the options for physical hardening of the device to prevent tampering and unauthorised access. Is the device located externally to the premises (for example, security cameras in parking lots or other publicly accessible areas)? If so, consider how and under what circumstances you would be able to detect if it had been tampered with.

Securing your IoT devices also encompasses your process for decommissioning used and obsolete equipment. IoT devices can contain sensitive data about your network or business, so they need to be disposed of carefully. In one experiment, researchers reverse engineered a simple ‘smart’ light bulb after use, and were able to retrieve the WPA2 key for the network it had been connected to as well as the root certificate and RSA private key hardcoded by the device manufacturer.

Mitigations are available to ensure devices are protected from Bluetooth attacks. Firstly, for devices equipped with Bluetooth, but not actually using that functionality, ensure that Bluetooth is turned off! Where this is not possible, ensure that all devices are fully patched.

Implementing Bluetooth device control across all endpoints within the organisation will address the more serious bugs and vulnerabilities such as those mentioned earlier.
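
One way to audit Linux endpoints against the mitigations above, as an added example that is not part of the original article: it parses the output of BlueZ's `bluetoothctl show` and flags adapters that are powered on where Bluetooth is not needed, discoverable, or open to new pairings. The sample output, the adapter addresses and the `bluetooth_required` policy flag are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output from a Linux (BlueZ) endpoint
# with two adapters; the addresses are made up for this example.
SAMPLE_SHOW_OUTPUT = """\
Controller 00:11:22:33:44:55 (public)
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
Controller 66:77:88:99:AA:BB (public)
\tPowered: no
\tDiscoverable: no
\tDiscoverableTimeout: 0x000000b4
\tPairable: no
"""

def parse_controllers(text):
    """Split `bluetoothctl show` output into one dict of properties per adapter."""
    controllers = []
    for line in text.splitlines():
        header = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if header:
            controllers.append({"Address": header.group(1)})
        elif controllers and ":" in line:
            key, _, value = line.strip().partition(":")
            controllers[-1][key.strip()] = value.strip()
    return controllers

def audit(controllers, bluetooth_required):
    """Return (address, finding) pairs for settings that widen Bluetooth exposure."""
    findings = []
    for c in controllers:
        addr = c["Address"]
        if c.get("Powered") != "yes":
            continue  # radio is off: nothing is reachable over the air
        if not bluetooth_required:
            findings.append((addr, "powered on but Bluetooth is not needed on this host"))
        if c.get("Discoverable") == "yes":
            raw = c.get("DiscoverableTimeout")
            detail = "with no timeout" if raw and int(raw, 16) == 0 else "until its timeout expires"
            findings.append((addr, f"discoverable {detail}"))
        if c.get("Pairable") == "yes":
            findings.append((addr, "accepts new pairings"))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(parse_controllers(SAMPLE_SHOW_OUTPUT), bluetooth_required=False):
        print(f"{addr}: {finding}")
```

On a real host, feed the function the captured output of `bluetoothctl show` instead of the sample string and set `bluetooth_required` from your own device inventory.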

It’s vital that your enterprise is aware of the risks IoT devices present and that it develops policies to govern how these devices are procured, monitored and decommissioned. Bluetooth vulnerabilities may seem an unlikely route for malicious actors to take, but the vulnerabilities outlined earlier, and the attraction of reaching even air-gapped systems, mean attackers won’t hesitate to exploit Bluetooth devices.
