UNWIRED: Understanding the Unforeseen Risks in Evolving Communication Channels

Key takeaways

• This article emphasizes the growing strategic risks linked to the increasing number of natively connected internet of things (IoT) devices, which allow attackers to exploit visibility gaps and side channels.
• CISOs need to factor in these challenges for risk modeling, security measures, and vulnerability patching, requiring organizations to update their security models to address evolving security threats.
• Various technologies allow unexpected connectivity and side channels for attackers, presenting security challenges for indoor and outdoor IoT devices.
• The increasing use of IoT devices raises concerns about privacy, threats to critical infrastructure, and cybersecurity risks for businesses, governments, and individuals.

Introduction

Download the Primer (PDF)

This paper looks into the strategic risks that demand immediate attention within organizations. We are witnessing a growth of natively connected internet of things (IoT) devices operating outside traditional cybersecurity controls. Understanding these changes is crucial, as they open up opportunities for attackers to exploit visibility gaps and side channels that most organizations are currently unable to monitor.

Today, cybercriminals and state-sponsored groups are exploiting the security limitations and increased connectivity of IoT devices. Attackers use operational relay box (ORB) networks and eternal botnets as part of an ongoing paradigm shift, which has had a similar impact to the change in tools, tactics and procedures (TTPs) from the transition to living off the land (LOTL) attacks in recent years.

This paradigm shift has even more significant consequences; it leads to unexpected connectivity in areas where security models expect no connectivity. While these risks are well understood in government security models, many organizations overlook the attack surface in their security models. This situation creates a dangerous gap that skilled attackers can exploit, underscoring the urgent need for organizations to reassess their security models and measures — a crucial step in mitigating these risks.

The Expanding Threat Landscape

The attacker’s perspective

Mature attackers have their own threat and risk models and possess knowledge of the trade off between cost of attack and profits. With the increasing use and size of IoT devices being deployed, these devices have a greater presence within targeted organizations, making them more susceptible to potential attacks. This presents several attractive benefits:

• Such equipment supports specific protocols (for example, Z-Wave, IoB and BACnet), often outside the scope of cybersecurity vendors or organizational risk models.
• Security vendors increasingly need enhanced visibility and capabilities to secure IoT endpoints, given their proprietary architectures, hardware and software, and limited storage, memory, and CPU.
• IoT equipment has limited vulnerability patching and forensic capabilities.

Including IoT equipment in threat and risk models is of the utmost importance, as it can be exploited. For example, video-conferencing equipment, often placed in secure environments, frequently lacks two-factor authentication (2FA) to verify users' identities. Water and electricity meters and humidity and temperature sensors, now standard in modern buildings, bring connectivity capabilities, protocols, and security challenges. This comprehensive approach to risk assessment is not just important but crucial in the face of evolving security threats.

A hacker's playground

Several significant and increasingly deployed technologies can unexpectedly provide connectivity and side channels that attackers can leverage:

• Nearby devices like Apple's AirTag and Google Find My Device allow potential stealthy data transfer through unsecured networks. This is illustrated in this example, where it was found that it's possible to upload arbitrary data from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices.
• Laptops and industrial PCs with built-in eSIMs facilitate seamless cellular network access, supported natively by operating systems like Microsoft Windows 10 and 11. These can provide connectivity through channels like SMS, which are often unmonitored.
• Transparent roaming and simplified transition between wireless, cellular and satellite networks can provide connectivity even in rural areas.
• Turning wired connections into wireless ones, known as Wi-Fi bridging, is common in the automotive and industrial sectors.
• Coverage of globally distributed wireless hotspots has expanded in urban areas.
• Multi-Radio Access Technology enables users to seamlessly access and transmit various wireless technologies and is already integrated into 5G networks.
• Interacting with the cloud is a default capability that increases the number of IoT devices that require direct or indirect internet connectivity. These devices can act as data buffers, delivering information to the cloud when connectivity is available.
• New architectures and protocols affect traditional threat detection and response by using non-TCP/IP stack-based networks or protocols lacking security support.

Global IoT risks

Today, wireless connectivity is the default for many types of IoT devices, such as PCs and laptops. With the increased absence of Ethernet ports and the expected 9.4% annual growth of cellular-enabled notebook shipments, it’s clear that most devices will soon come with wireless or cellular support as a standard feature. In highly secure environments, equipment should either have dedicated customized supply chains or be able to accept devices that come with wireless and cellular capabilities by default. However, outside such environments, the need for better visibility and control in detecting and mitigating attacks on IoT devices is a concerning reality.

The increasing presence of various types of “unblockable IoT equipment” is not just a trend; it's becoming a major concern. With their ability to gather and wirelessly send out telemetry data from medical sensors and body implants, these devices significantly increase an organization's potential points of attack. Moreover, these organizations often struggle to effectively detect and manage the growing number of such devices. As concepts like smart cities and smart roads, which rely on IoT technology, continue to expand, the need for connectivity drives us toward a state where IoT growth is inevitable.

Many of these new devices also need proprietary protocols and communication channels that aren't controlled by IT. As a result, these devices are difficult to monitor or control using traditional IT security measures. This lack of visibility and capabilities makes it hard to detect, trace, and stop attacks in this area.

The rise of unexpected connectivity

Understanding the diverse connectivity landscape, which malicious entities can exploit in unforeseen ways, is critical. It varies across equipment classes and technologies, with some being more prevalent indoors or outdoors and others bridging that gap. For example:

• Apple's Find My, Google Find My Device, and Samsung's SmartThings Find networks are services that help users locate their lost or stolen mobile devices. These services pinpoint a device's location and can also remotely lock or erase it.
• Low Earth Orbit (LEO) satellite networks (such as Starlink) are reshaping internet connectivity coverage.
• The internet-of-batteries concept requires connectivity and battery data to be connected to the cloud.
• Devices mandated by government regulations to respond in emergencies, like in-car eCall systems or fire alarm notification equipment, can include obligatory capabilities to connect to nearby networks to transfer signals.

Cellular-capable laptops, internet of medical things (IoMT) devices, and interconnected smart buildings provide indoor connectivity through sensors and climate and access controllers.

Outdoor connectivity is mainly found near smart roads, smart city infrastructure, connected cars, intelligent mobility equipment, logistics drones, and robots. In rural areas, a skilled attacker could target connected agricultural devices and a wide range of interconnected sensors for climate, weather, pollution, and disaster notification infrastructure.

Stages of an IoT Attack

At different stages, attackers can take advantage of the stealthy nature of the 'unexpected connectivity' scenarios described above, increasing the urgency of the threat.

• Recon/Preparation. IoT sensors can collect critical information about a specific environment, potentially disrupting normal operations. For example, these sensors can gather data from sensors inside smart buildings to predict the timing of critical meetings in specific rooms or areas.
• Access. Common unsecured office equipment such as air conditioners, displays, panels, tablets, interactive screens, and intercom systems could provide attackers with access to sensitive networks or bring them into proximity of high-value targets.
• Post-Exploitation. Attackers can establish an unexpected command and control channel by activating compromised eSIM profiles of devices or using machines that have preloaded profiles for specific Wi-Fi networks. Using default IoT equipment connectivity settings, such as the pre-defined Wi-Fi service set identifier (SSID) used during initial setup, can provide attackers with bi-directional connectivity access. Attackers can also create secret communication channels by adjusting the settings and telemetry of IoT sensors. This can involve changing sensor names for outbound data transfer, manipulating sensor input data, and extracting embedded signals from wireless transmissions beyond the secure perimeter.
• Exfiltration. The use and simulation of devices such as Apple AirTag, Find My, and similar network protocols, as well as integrating smart buildings, smart roads, or cloud-connected IoT devices, can facilitate data exfiltration for attackers. Some devices, such as smartwatches or medical sensors, can serve as an initial buffer, gathering information within the targeted environment before transmitting it beyond the security perimeter.
• Ad-hoc connectivity. It is also important to consider sporadic online/autonomous burst synchronizations. Public transport and taxis often have Wi-Fi connectivity. They can pass or stop near the target facility, providing short-lived connectivity with known network IDs or credentials. An additional benefit is that a taxi can be ordered to stop and wait at a specific location.
• Power manipulation. Alternative attack scenarios can provide unexpected power to warshipped equipment by leveraging technologies like Powercast. The degradation or disabling of autonomous power sources in sensors, IoT, and Edge devices can give attackers opportunities to gain physical access to target rooms by posing as experts tasked to “fix the equipment.”
• Telemetry Manipulation. Attacking sensors or tampering with telemetry from fire alarm sensors can lead to serious physical consequences. This can help attackers cover their tracks when targeting computers, servers, or data centers by triggering fire extinguishing systems.

The Expanding Attack Surface

Attackers’ increasing use of IoT devices to target highly secure environments can significantly impact TTPs. This shift in attack methods requires a more comprehensive use of living off the land techniques and exploiting IoT-specific tools, techniques, and procedures. Some of these TTPs are not easily detectable by IT security teams due to proprietary protocols, standards, and vendor-specific software. As a result, there is a decrease in visible indicators of compromise (IOCs). The presence of attack traces on equipment and infrastructures, which is beyond the control of the IT security team, makes it challenging to trace and mitigate attacks.

• For example, attackers may target cloud IoT admin accounts that are outside the control of the target organization, particularly if the target organization is renting or sharing office space with other organizations in the same building. Building management services usually manage necessary sensors and IoT devices, like HVAC systems, which may have wireless connections with the target's sensitive networks despite best practices calling for complete separation.
• The rapid development of IoT connectivity creates significant visibility gaps in current cybersecurity frameworks. These gaps appear as blind spots that gradually decrease the effectiveness of traditional security measures. This presents urgent challenges in protection, detection, mitigation, and post-incident investigation processes.
• Attackers may intentionally target hardware architectures with limited CPU capabilities, hindering the integration of significant security features while enabling certain malicious activities.
• Forensic evidence from attacks on IoT devices often disappears after a reboot cycle due to limited storage resources and firmware specifications, which restrict its availability.
• Due to non-standard routing protocols, many standard network forensics and tracing tools may not function properly or have limited capabilities to monitor these devices.

As IoT devices become more widespread, many of them have limited capabilities to implement security measures. These limitations include technical constraints, such as proprietary and closed architectures, as well as limited computational resources such as CPU power, memory, and storage. Factors like financial constraints, diverse device architectures, and the associated costs of supporting a wide range of software and firmware platforms pose significant challenges. This situation makes it hard to deploy traditional security agents on IoT devices, reducing the effectiveness of endpoint security solutions.

Given these limitations, it is expected that more attacks will be detected indirectly at the network level using anomaly and outlier detection as well as zero-trust approaches. This is increasingly necessary due to the limitations of endpoint security solutions. Some examples include rapid battery drainage of equipment, slowing down of equipment speed or network transmission, spikes in data volume transfer, or changes in the entropy of transferred data. In many cases, detection would only be visible after the attack has successfully occurred and the attacker has achieved their goals. A robust XDR-type solution incorporating zero-trust, network discovery, and attack surface risk management will be key to securing environments.

Impact on People, Governments, and Businesses

The increase in IoT devices has brought numerous benefits but has also introduced a wide range of cybersecurity risks. From personal privacy concerns to potential threats against critical infrastructure and sensitive government information, the IoT landscape presents a complex and evolving security challenge that must be carefully addressed. Let's explore these challenges in more detail.

• People:
  • The rapid growth of IoT environments, combined with big data and AI analysis, can reveal users’ personal habits and preferences, which raises significant privacy concerns.
  • Attackers can exploit sensor data access as part of cyber, cyber-physical, and cognitive attacks.
  • Attackers often target influential individuals for greater financial gain.
  • Attackers can misuse access to smartwatches to estimate the owner's health status and potential alcohol consumption by combining health readings with locations visited, making the owner vulnerable to potential blackmail scenarios.
  • Attackers can violate privacy by recording conversations using Amazon Alexa and other microphone-equipped devices.
  • Connected cars can also expose location and velocity data, as well as record audio and video inside and outside the vehicle.
• Businesses:
  • The ability to extract data and disrupt critical IoT-dependent business processes are significant but often overlooked risks
  • Attackers could use data from IoT sensors to reverse-engineer key technology and business processes, potentially resulting in intellectual property theft or sabotage.
  • The disruption of processes that rely on the IoT can have widespread effects on operational continuity and safety.
• Critical verticals:
  • Telemetry injection attacks on connected IoT sensors can be critical for industrial, energy, and raw materials-dependent verticals because they can affect the accessibility and integrity of physical systems.
  • Non-detachable and life-critical smart body sensors and implants could be used as buffer storage to exfiltrate and exchange information with highly secure, air-gapped networks.
  • In IT and communications, new situations may arise in the cyber-physical realm and have more significant effects than purely cyber-based operations. An example of such a situation could be a data center shutdown due to overheating caused by the manipulation of temperature sensors in the data center and flaws in the redundancy setup.
• Governments:
  • Governmental entities face even higher stakes, as critical infrastructure security and sensitive information confidentiality are crucial. The increased attack surface introduced by IoT devices in secure environments poses a significant risk. Secure government facilities will regularly have policies preventing cellphones, smart watches, or any devices that transmit and receive signals from such environments. However, this risk is sometimes overlooked in older security policies due to the emergence of new classes of connected devices.
• Cybersecurity companies:
  • The default connectivity in devices and the development of new hardware architectures with restricted computing resources will lead to significant blind spots and visibility gaps for cybersecurity products, tools, services, and procedures. This new environment has important implications because it increases the attack surface while limiting the ability to control, monitor, secure, or update this equipment, connectivity, or information exchange protocols.

Recommendations

It is crucial to increase awareness of the mentioned risks by expanding IoT connectivity, improving wireless coverage, and addressing associated visibility gaps. While governments have recognized these risks and taken steps to secure highly sensitive assets, commercial organizations have given less attention to this issue. Security requirements from the government sector can offer valuable insights and approaches to addressing this problem, which is increasingly relevant to various organizations and individuals. Implementing several steps can help minimize these risks:

• Improve the visibility and monitoring functions of IoT devices and wireless protocols, both controlled and uncontrolled, that can establish connections, interact with, or impact an organization's assets. This proactive strategy will help identify and address potential threats before they can cause harm.
• Always keep IOT devices as up to date with patches as possible. Where patching is not an option, consider placing a firewall or IPS (intrusion prevention system) device in the network domain of the IOT device to reduce the chance of successful devices.
• Adjust risk models to consider identified risks and the expanded attack surface to ensure organizations are prepared for potential threats.
• Implementing zero-trust principles for managing unexpected and spontaneous connectivity and ensuring global wireless coverage. This strategy guarantees that all assets, whether inside or outside the organization's network, are authenticated, authorized, and continuously validated.
• Develop comprehensive and robust incident response plans that address specified cases, risks, and potential attackers' expanded capabilities. These plans will ensure security and protection, preparing your organization to effectively respond to any security incident.
• Educate and train IT and security teams regularly on the latest IoT security risks and best practices. It's equally important to extend these awareness programs to all employees, empowering them to understand the security implications of IoT devices and the importance of adhering to organizational policies related to device usage and connectivity.
• Review additional established best practices on securing IOT/OT devices.

Conclusion

The evolving threat landscape of IoT and its widespread connectivity pose significant challenges to traditional cybersecurity models. The increasing integration of IoT devices in personal and commercial spheres expands the attack surface. Often equipped with proprietary protocols, these devices become prime targets due to their critical roles or usability. They are overtrusted due to their necessity of use and limited capabilities to secure them simultaneously.

Attackers can take advantage of the unexpected connectivity of IoT devices and limited visibility to bypass traditional security measures. This makes it difficult to detect and mitigate these attacks. As a result, it is important to reevaluate current cybersecurity strategies. It is crucial to emphasize the adoption of anomaly detection, zero-trust principles, and next-generation network security solutions to effectively manage the expanded attack surface.

Organizations, governments, and individuals must acknowledge the increased risks of IoT environments and broaden wireless coverage. To adapt, they must strengthen oversight, improve security protocols, and consider security implications during IoT's integration and deployment phases. This research seeks to offer further insights into addressing these new challenges.