IoT Is a Potential Hacker-Fest
Everyone, everywhere is talking about the so-called Internet of Things (IoT). And, every tech company is trying to find a way to claim their products are part of IoT, too. And, most of it is hype. Pure hype.
But, some of the companies that do have IoT things are being stupid. Why?
Security.
The Internet of Things is a hacker-fest.
Got an Amazon Dot in your home allowing you to instantly order something? It’s a hacker’s gateway without a lock. Adding digital signage to your campus — most digital media (yes, most) are a golden ticket for hackers. And, what about cloud-based control of AV gear? Hmmm, you be the judge.
The importance of security cannot be overstated — and it cannot be ignored. No one did a better job explaining this giant risk than rAVe Columnist, Raymond Kent, earlier this year with his The Risks of IoT column. If you haven’t read it, go. And just last month, rAVe BlogSquad member Mark Coxon added this piece on the Art of Hacking AV Systems, detailing what happened at the recent DEFCON Hacking Conference.
So, how much research are you doing when you spec that AV product you’re connecting to the internet – to the network? Are you assuming, like most of us are, that the manufacturer making the product is dealing with its security in a way that makes their IoT device not a hacker-fest party? Or, are you taking responsibility for said product and dealing with security on your own?
As we move closer and closer to all-IP all-the-time, we need to realize that we are also responsible for what we install, and get educated on network security.
As a primer, you should consider three factors with the device you are connecting to the IT network — remember, you, as an integrator of the system, are responsible for its security in many cases — or, at the very least, may be responsible for what it can and can’t do:
1. Is the device 802.1X certified? From Wikipedia: “802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wants to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware. The authenticator acts like a security guard to a protected network.”
2. Is the device you are connecting capable of Active Directory (AD)? From Wikipedia: “Active Directory is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services. A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user. Also, it allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services and Rights Management Services.”
3. Is the device SRTP certified? From Wikipedia: “The Secure Real-time Transport Protocol (SRTP) is a Real-time Transport Protocol (RTP) profile, intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications. It was developed by a small team of Internet Protocol and cryptographic experts from Cisco and Ericsson. It was first published by the IETF in March 2004 as RFC 3711. Since RTP is closely related to RTP Control Protocol (RTCP) which can be used to control the RTP session, SRTP also has a sister protocol, called Secure RTCP (SRTCP); SRTCP securely provides the same features to RTCP, as the ones provided by SRTP to RTP. SRTP and SRTCP use Advanced Encryption Standard (AES) as the default cipher. There are two cipher modes defined which allow the AES block cipher to be used as a stream cipher.”
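One way to answer the SRTP question for a device you are about to put on the network is to capture the SDP offer it sends and check which media profile and keying each stream advertises. The sketch below is an added example, not from the original column; the sample offer, its addresses and the placeholder key are constructed, and `audit_sdp` is a hypothetical helper name.

```python
# Added example: classify each media stream in an SDP offer by transport security.
# SAMPLE_SDP is constructed for illustration; the key is a placeholder, not real.
SAMPLE_SDP = """\
v=0
o=- 0 0 IN IP4 192.0.2.10
s=constructed-sample
c=IN IP4 192.0.2.10
t=0 0
m=audio 5004 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
m=video 5006 RTP/AVP 96
a=rtpmap:96 H264/90000
m=audio 5008 RTP/SAVP 0
"""

# Media profiles that carry SRTP (RFC 3711) rather than plain RTP.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_sdp(sdp):
    """Return one finding per m= line: media, port, profile, keying, status."""
    findings, session_keying, current = [], set(), None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:
                current = {"keying": set()}  # malformed: absorb its attributes, report nothing
                continue
            current = {"media": parts[0], "port": parts[1],
                       "profile": parts[2].upper(), "keying": set()}
            findings.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["keying"].add("sdes")    # SDES key in the SDP, media level only
        elif line.startswith("a=fingerprint:"):
            # DTLS-SRTP fingerprint; at session level it covers every stream.
            (current["keying"] if current is not None else session_keying).add("dtls")
    for f in findings:
        f["keying"] = sorted(f["keying"] | session_keying)
        if f["profile"] not in SECURE_PROFILES:
            f["status"] = "plain-rtp"           # profile allows unencrypted media
        elif not f["keying"]:
            f["status"] = "srtp-without-keys"   # claims SRTP, offers no key exchange
        else:
            f["status"] = "srtp"
    return findings


if __name__ == "__main__":
    for f in audit_sdp(SAMPLE_SDP):
        print(f["media"], f["port"], f["profile"], f["status"], f["keying"])
```

SDES keys in `a=crypto` travel inside the signaling itself, so they are only protected when the signaling channel is encrypted as well.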
As I mentioned earlier, with the impending AV-over-IP movement putting everything on the IT network, we need to get educated on where our devices are at risk.