Today’s news I had to read twice – devices using a ThroughTek chipset contain a significant vulnerability that needs to be addressed quickly or else cyber criminals could take control. I read twice because I first thought “wait a minute, I blogged on this a couple months ago”. Upon further reading it turns out this is a brand new vulnerability, and potentially a more devastating one – impacting over 83 million devices and enabling devices to be remotely controlled and exploited.
According to Mandiant (who discovered it), this vulnerability would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality.
This opens up many possibilities for serious malfeasance. For example, using the captured video, a deepfake version could replace the actual footage. Audio could be modified or inserted. Camera positioning (for example, with a pan/tilt/zoom camera) could be changed so hackers are watching employees enter login credentials or observing their patterns and behavior in the office to gain additional reconnaissance. Malware, ransomware, and other forms of remote code could be deployed and spread from these vulnerable devices.
This vulnerability also highlights a major issue in how IoT/OT networks are set up and managed. Many organizations will put these devices on segmented networks, separate from the corporate networks and theoretically firewalled off to prevent breaching corporate resources. In reality, unless run and managed directly by corporate IT, these segmented networks often “punch through” into the corporate network as non-IT personnel manage and run them. As noted ethical hacker Chris Roberts recently commented, “we’ve often used surveillance systems as pivots into the corporate environments because we again see where too often the physical and digital security folks are not talking in an efficient way. The same can be said for the audio/visual folks as well”.
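One concrete way to test the “punch through” concern above is to look at flow records leaving the IoT/camera segment and flag any traffic into corporate subnets that is not on an explicit allow-list. The script below is an added example and is not part of the original post or any vendor’s tooling; the subnets, the hypothetical video management server at 10.10.5.20, and the flow records are all constructed for illustration, and the record format is a simple key=value line rather than any particular exporter’s output.

```python
"""Added example: verify that an IoT/camera segment really stays segmented
by classifying flow records against an allow-list of permitted corporate
destinations. Subnets, hosts and flow lines are constructed for this example."""
import ipaddress
import re
from collections import Counter

# Assumed network layout (constructed): one camera VLAN, two corporate ranges.
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
CORP_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("10.20.0.0/16")]

# The only corporate destinations the camera VLAN should reach: a hypothetical
# video management server on RTSP (554) and HTTPS (443).
ALLOWED_IOT_TO_CORP = {("10.10.5.20", 554), ("10.10.5.20", 443)}

# Constructed flow records; one deliberately malformed line tests the parser.
SAMPLE_FLOWS = """\
2021-08-17T10:01:02Z src=10.50.3.14 dst=10.10.5.20 dport=554 proto=tcp bytes=48211
2021-08-17T10:01:05Z src=10.50.3.14 dst=10.10.8.44 dport=445 proto=tcp bytes=1320
2021-08-17T10:01:09Z src=10.50.7.2 dst=8.8.8.8 dport=53 proto=udp bytes=90
2021-08-17T10:01:11Z src=10.20.1.9 dst=10.50.3.14 dport=80 proto=tcp bytes=700
2021-08-17T10:01:13Z flow-export heartbeat
2021-08-17T10:01:15Z src=10.50.3.15 dst=10.10.5.20 dport=443 proto=tcp bytes=2200
2021-08-17T10:01:20Z src=10.50.3.15 dst=10.20.0.7 dport=3389 proto=tcp bytes=5100
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return (src, dst, dport) for one flow line, or None if it is malformed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(src, dst, dport):
    """Label a flow by which side of the segmentation boundary it crosses."""
    src_iot, dst_iot = in_any(src, IOT_SEGMENTS), in_any(dst, IOT_SEGMENTS)
    src_corp, dst_corp = in_any(src, CORP_SEGMENTS), in_any(dst, CORP_SEGMENTS)
    if src_iot and dst_corp:
        # IoT reaching into corporate: fine only if explicitly allow-listed.
        return "allowed" if (dst, dport) in ALLOWED_IOT_TO_CORP else "punch_through"
    if src_corp and dst_iot:
        # Corporate hosts managing cameras directly; worth reviewing, not an alert.
        return "corp_to_iot"
    if src_iot and not dst_corp and not dst_iot:
        return "iot_egress"  # camera talking to the Internet or other ranges
    return "other"


def find_punch_throughs(flow_text):
    """List every (src, dst, dport) where the IoT segment reached corporate
    resources outside the allow-list."""
    hits = []
    for line in flow_text.splitlines():
        parsed = parse_flow(line)
        if parsed and classify(*parsed) == "punch_through":
            hits.append(parsed)
    return hits


def summarize(flow_text):
    """Count flows per classification; malformed lines are skipped."""
    counts = Counter()
    for line in flow_text.splitlines():
        parsed = parse_flow(line)
        if parsed:
            counts[classify(*parsed)] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dst, dport in find_punch_throughs(SAMPLE_FLOWS):
        print(f"segmentation violation: {src} -> {dst}:{dport}")
    print(summarize(SAMPLE_FLOWS))
```

Run against real exporter data, the allow-list is the part that needs the most care: it should list only the video management server and any update or NTP endpoints the cameras genuinely need, so that anything else crossing from the camera VLAN into corporate ranges surfaces as a violation rather than disappearing into normal traffic.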
When you assess your choices on how to address this critical vulnerability (and most IoT cyber vulnerabilities), you really have 4 choices:
- Ignore it: clearly not acceptable from a corporate risk standpoint, especially with a severity score of 9.6.
- Use network access control to block these devices from the network: this may protect the network, but it also stops these devices from performing their business-critical missions and delivering the expected ROI to the business.
- Manually update and manage the devices: for most organizations with IoT devices, the scale of devices prevents this from being a viable option.
- Automated IoT vulnerability remediation through firmware updates/patching, certificate management, and password policy enforcement.
As far as vulnerabilities go, this one is very serious: it received a severity rating of 9.6 out of 10. Remediating it is therefore a high priority, and that is where automated solutions are needed. Updating/patching firmware on 83 million devices is near impossible if it requires a technician to grab a ladder and manually update each device. The same applies to rotating passwords and ensuring default or easily guessed passwords are not in use. And because this vulnerability allows a “man-in-the-middle” type attack where a rogue device is added to the network, 802.1x certificates should be used to authenticate each device and encrypt its traffic.