Case Study

IoT: Unsecured IoT devices used for data exfiltration

Attacker Objective: Use unsecured IoT devices to gain access to the network

Threat Type: Exfiltrating Data using IoT Devices

An oil and gas facility had two high-tech exercise bicycles that were connected to the internet and communicating through insecure methods. These were not segmented from corporate IT resources and thus presented the attacker with a network path to the organization’s critical assets.

Awake identified that the two exercise bikes were sending unencrypted HTTP traffic to the internet and using basic authentication (a weak authentication method that exposes the username and password). Both machines were sitting on the corporate network and exfiltrating data out to the internet. Additionally, they appeared to be unpatched, leaving the facility wide open to attack.

The firm’s IT and security teams were completely unaware of these devices being on the network since existing security and configuration management tools were blind to these unmanaged IoT devices.

Awake automatically looks for weak and insecure authentication mechanisms, the use of clear text credentials, and for sensitive data leaving the network. These activities triggered an adversarial model in the Awake Security Platform which alerted the security team about the insecure IoT devices.
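A minimal version of the cleartext-credential check described above, as an added example: it is not Awake's detection logic or code from the case study. The flow records, the 10.0.0.0/8 internal range and the function names are assumptions constructed for illustration.

```python
import base64
import binascii
import ipaddress

# Assumption: the corporate address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flows (src, dst, dst_port, cleartext request); not real traffic.
SAMPLE_FLOWS = [
    ("10.20.4.31", "203.0.113.10", 80,
     b"POST /telemetry HTTP/1.1\r\nHost: bikes.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bike01:s3cret") + b"\r\n\r\n"),
    ("10.20.4.32", "203.0.113.10", 80,
     b"GET /status HTTP/1.1\r\nHost: bikes.example\r\n\r\n"),
    ("10.20.7.5", "10.20.0.9", 8080,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nauthorization: basic !!notb64!!\r\n\r\n"),
]

def basic_auth_user(raw):
    """Username from an Authorization: Basic header, "?" if the token is
    malformed, None if the request carries no Basic credentials."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        scheme, _, token = value.strip().partition(b" ")
        if name.strip().lower() != b"authorization" or scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return "?"
        return decoded.partition(b":")[0].decode("utf-8", "replace")
    return None

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_cleartext_basic_auth(flows):
    """Flag requests that send Basic credentials over unencrypted HTTP.
    The password is never stored in the finding."""
    findings = []
    for src, dst, port, raw in flows:
        user = basic_auth_user(raw)
        if user is not None:
            findings.append({"src": src, "dst": f"{dst}:{port}", "user": user,
                             "leaves_network": is_internal(src) and not is_internal(dst)})
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_FLOWS):
        print(finding)
```

Findings with `leaves_network` set are the ones that match this case: an internal device sending credentials in the clear to an internet host.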
