Andrew Prokop | December 21, 2015

 
   

IoT: A Cause for Celebration and Precaution


While it’s not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected.

Are you familiar with the Carna Botnet? If not, you really should be. Back in 2012, an anonymous hacker set out to "measure" the Internet in a survey entitled The Internet Census of 2012. Using the Nmap Scripting Engine, the hacker scanned every publicly addressable IP address with the goal of finding just what was out there. More importantly, the census wanted to learn how many of those devices were unprotected. Sadly, it found a lot of them.

While quite a few of the discovered devices were consumer-grade, many were IPsec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment, and so on. Finding these enterprise devices was not surprising, but far too many were still configured to accept default login credentials such as root/root and admin/admin. Ultimately, approximately 420,000 unprotected devices were discovered and the hacker was able to load scanning code onto them that allowed him or her to essentially probe the entire Internet.



Thankfully, the hacker's intentions were focused on research rather than harm, but discovering that many vulnerable devices is extremely alarming. If a so-called benevolent hacker can easily find and use them for fairly benign purposes, less scrupulous people will be next in line with far more nefarious intentions.

What Will You Find in Your Stocking

Christmas is just around the corner, and I expect that quite a few of us will receive one or more gifts that require an IP address. Personally, I am hoping for one of those wearable fitness devices. As a geek who likes to stay physically active, I could really get into electronically tracking my workouts, footsteps, and heartbeat.

Less health-minded folks are hoping Santa will bring Internet-connected lightbulbs, TVs, or refrigerators. Opening up the latest Best Buy flier, I see page after page of affordable smart devices. From Wi-Fi cameras to Web-connected security alarms, we are awash in IoT (Internet of Things) appliances and toys.

The OpenDNS 2015 Internet of Things Enterprise Report categorizes the kinds of IoT devices prevalent today as follows:

  • Personal Electronics
    • Fitness
    • Toys
    • Gadgets
    • Other
  • Consumer Appliances
    • Large Appliances
    • Small Appliances
    • Entertainment
    • Other
  • Home / Office Automation
    • External Home / Office
    • Power Management
    • HVAC
    • Other
  • Security and Monitoring
    • Audio / Visual
    • Physical Locks
    • Alarm System
    • Environmental Monitors
    • Other
  • Platform
    • IoT Management Platforms
    • Other

While it's not hard to recognize the benefits that these new gadgets will bring to our lives, there is a dark side to having all these devices Internet-connected. Every on-line device is yet another place where personal information can be compromised and exploited. Each IP address is another access point hackers can and will attack.

Consider devices as seemingly innocuous as IoT garage doors, thermostats, and lighting systems. Left unsecured, these devices can be monitored to discover a homeowner's home-and-away patterns. Data from lighting systems can be used to plan break-ins, and robberies will be facilitated by nefariously opening garage doors. Unprotected security systems can be turned off and surveillance cameras disabled.

Additionally, unsecured devices enable hackers to perform data mining and learn information that can be used to attack us elsewhere. That wearable health monitoring device I want to find under the Christmas tree will gather information about me that I am not inclined to share with strangers. Even more harm can occur with devices that actually control a person's health. For example, a drug-dispensing system can be told to deliver incorrect dosages.

For those of you who feel I am being Chicken Little and shouting "The sky is falling," the FBI recently issued a public service announcement that warned of all these potential problems and issued the following defense recommendations:

  • Isolate IoT devices on their own protected networks.
  • Disable UPnP on routers.
  • Consider whether IoT devices are ideal for their intended purpose.
  • Purchase IoT devices from manufacturers with a track record of providing secure devices.
  • When available, update IoT devices with security patches.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Use current best practices when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
  • Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor.
  • Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.
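The password guidance in the last recommendation can be turned into a check to run over a device inventory. The following is an added example, not code from the article or from the FBI announcement; the function names, the 12-character minimum, and the short word and default-credential lists are assumptions made for illustration.

```python
import re

# Constructed sample lists; a real audit would load the vendor's documented
# defaults and a much larger common-password wordlist.
DEFAULT_CREDENTIALS = {("root", "root"), ("admin", "admin")}  # pairs named in the article
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "root"}
MIN_LENGTH = 12  # assumed policy value, not taken from the FBI notice

# Undo simple symbol-for-letter substitutions before dictionary checks.
LEET = str.maketrans("013457@$!", "oleastasi")


def audit_password(username, password, personal_terms=()):
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)

    if (username.lower(), lowered) in DEFAULT_CREDENTIALS:
        findings.append("manufacturer default credential")
    if lowered == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in normalized for word in COMMON_WORDS):
        findings.append("contains a common word")
    # Names of children or pets, street names, and similar supplied terms.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in normalized):
            findings.append("contains personal information")
            break
    # Years and dates such as 2015, 12/21/15 or 21-12-2015 are easy to guess.
    if re.search(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        findings.append("contains a date")
    return findings


def audit_inventory(devices, personal_terms=()):
    """Map device name -> findings for every device that fails the check."""
    report = {}
    for name, username, password in devices:
        findings = audit_password(username, password, personal_terms)
        if findings:
            report[name] = findings
    return report
```
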

While little of the above should be unfamiliar to No Jitter readers, it's unfortunate how many of the recommendations are not followed. Some of this is due to ignorance, but much is simply because folks are too lazy to do the necessary work to build secure configurations. While I am not sure which of the two is easier to fix, unless they are addressed, hackers will have a field day as IoT devices become commonplace.

Ho, Ho, Ho

I am the last person to play Grinch when it comes to new and exciting technologies, but I am the first to say that security should be factored into every new toy, gadget, and service. IoT will revolutionize our world, and it won't be too long before everything from toasters to electric shavers will have an IP address and connect to some form of network. Done properly, this is a wonderful thing. Done haphazardly, we are willingly inviting trouble into our lives.

In closing, I would like to quote the anonymous Carna Botnet hacker:

A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody," there are at least 1,000 people who did. Whenever you think "that shouldn't be on the Internet, but will probably be found a few times," it's there a few hundred thousand times. Like half a million printers, or a million Webcams, or devices that have root as a root password.

Enough said. Happy holidays, everyone!

Andrew Prokop writes about all things unified communications on his popular blog, SIP Adventures.

See Andrew Prokop at Enterprise Connect 2016, taking place March 7-10 at the Gaylord Palms in Orlando, Fla. Register now to take advantage of reduced rates. Use the code NJPOST to receive $200 off the current conference price.





