Blog Post

Aye Aye IoT: Spotting IoT Security Threats

As we continue to deploy our Advanced Network Traffic Analysis platform in both large and small customer environments, one thing that always amazes both the customer and me is the absolutely stunning number and variety of unmanaged devices — specifically, IoT devices — present in production environments. Awake’s platform allows analysts to quickly and easily identify a number of device types using built-in skills, of which IoT is one:

This skill takes advantage of a number of attributes about a device, such as which types of applications have — or have not — been associated with the device. Some of these behaviors can be hard to track and report on; well unless you have the Awake Security Platform that is :). In fact, the skills can be customized to be coarse- or fine-grained. As an example, it would be simple to create a very specific skill that identifies Philips Hue smart light bulbs, and it would be similarly easy to create a very generic skill that identifies all unmanaged devices.

Enterprise networks always have dozens of printers, cameras, and smart assistants — things which are big and obvious to see — but I often come across devices that are much more inconspicuous. A recent example of these devices is called a Beaglebone. Looking at their website, it’s very clear how powerful and small these systems are:

In our platform, the device (which matched our IoT skill) appeared as such:

In this particular network, which was a utility company, it struck me as surprising to see this kind of device. Moreover, the fact that only one of these devices existed in the entire network was quite suspect as well. A quick analysis found that it was actually accessible internally via SSH, which seems to require additional setup. Because these devices are so small, it’s extremely easy for someone to sneak it in, hide it under a desk, connect it to the network, and perform covert actions. In fact, we intentionally did this internally with a USB keylogger earlier this year and then captured keystrokes as you can see below:

The deceptiveness of these kinds of devices was also a test case in this summer’s network traffic analysis independent testing conducted by The Tolly Group, where two of three similar Raspberry Pi devices within a high-tech customer network were performing as expected, while the third one continually leaked photos of its environment out to the cloud:

While these are just a few of the many examples of unmanaged IoT devices on the network I’ve come across in 2019, they serve as great reminders that understanding an enterprise’s true attack surface is far more complicated than simply surveying the laptops, desktops, and servers in your inventory. Moreover, endpoint technologies — while crucial for many functions in a SOC — do not provide anywhere near the complete picture. Complementing Endpoint Detection & Response (EDR) with Network Traffic Analysis (NTA) or Network Detection & Response (NDR) allows for much more complete visibility. After all, the truth is in the network!

David Pearson
David Pearson

Principal Threat Researcher