Using a smart building as their case study, Forescout Research Labs investigated how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect. Key findings from our research include:
• How the IoT is impacting the organizational threat landscape
• The additional risks that IoT devices introduce
• How to evolve your cybersecurity strategy for the age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoT
1. RISE OF THE MACHINES: Transforming Cybersecurity Strategy for the Age of IoT
This report from the Forescout Research Team explores how IoT devices can be leveraged by attackers in a building’s network, where legacy OT assets, IT systems and IoT devices all intersect.
2. New Risks from IoT Devices
The number of IoT devices in organizational networks is rapidly increasing. These devices are mostly unmanaged, come from a multitude of vendors, use non-standard operating systems, support a diversity of (often insecure) protocols and may dynamically connect to other devices inside or outside the organization’s network.
The IoT has already experienced significant growth in the past decade and is expected to reach more than 30 billion connected devices by 2022 [1]. By 2020, more than 25% of identified attacks in enterprises will involve the IoT [2].
[1] ABI Research, Internet of Everything Market Tracker, QTR 3, 2018
[2] M. Hung, “Leading the IoT: Gartner Insights on How to Lead in a Connected World,” Gartner, 2017. [Online]. Available: https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf
3. The Internet of Things (IoT) in a Smart Building
Consumer-grade IoT devices are entering, and reshaping, the building automation industry. Below is an illustration of IoT devices found within a typical smart building network and how these systems communicate with one another.
[Diagram: typical smart building network. Workstations, an IoT platform and building management workstations connect through a network switch to five subsystems: video surveillance system, access control system, smart lighting system, IoT system and HVAC system. Devices shown: IP camera, NVR, display, building controllers, badge reader, door lock, thermostat, fan, lighting bridge, smart lights, motion sensor, IoT gateways, smart TV, wearable medical device, smart plug and sensor.]
4. Smart Buildings: Where OT, IT and IoT All Intersect
To better understand the current risk landscape for smart buildings and its implications, the Forescout Research Team investigated how video surveillance systems (VSS), smart lighting systems, and other IoT devices could be used by cyber criminals to infiltrate a building network.
[Diagram: the three systems studied: video surveillance system (VSS), smart lighting system, IoT system.]
5. Key Findings
• How the IoT impacts the cybersecurity landscape for today’s organizations, focusing on the interplay between IoT and legacy OT devices
• The abuse of a smart building network by exploiting vulnerabilities in a VSS, Philips Hue and the MQTT protocol in a lab setting
• Specific security challenges from the vulnerabilities in devices like video surveillance systems (VSS), smart lighting systems and IoT systems
• What organizations can do to reduce risk and better protect their enterprise networks in the age of IoT
6. Security Challenges of IoT Devices
IoT systems, including devices, gateways, and platforms, are notoriously vulnerable to cyberattacks. Attacks against these systems could include:
• Exploitation of default or weak credentials: This is a notoriously common and simple way for a hacker to gain access to a device or network.
• Web application and API attacks: This category encompasses methods like database and command injections, directory traversal, and cross-site scripting. These represent the low-hanging fruit for an attacker targeting an IoT device and can be performed in a semi-automatic fashion using available open source tools.
• Lower-level exploits: This method targets firmware, using tactics like buffer overflows or other memory corruption issues to disable the device or allow arbitrary code execution.
• Protocol-based attacks: Attackers can use these to exploit weaknesses like the lack of authentication, encryption, and integrity validation to sniff and exfiltrate or tamper with sensitive data. [1]
[1] Forescout, Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT, 2019: https://www.forescout.com/places-in-network/building-automation-system-bas/transforming-cybersecurity-strategy-for-the-iot/
7. 3 Simple Strategies to Tear Down a Building Network
To demonstrate how an attacker would exploit vulnerabilities to enter a smart building network using IoT devices, the Forescout team’s lab setup included three systems: video surveillance, smart lighting, and an IoT system.
[Diagram: lab setup. An attacker, the Internet and a network switch connecting the video surveillance system (three IP cameras), the smart lighting system (lighting bridge, two smart lights, motion sensor) and the IoT system (IoT gateway).]
8. Strategy 1: Video Surveillance Systems
The precursors of modern video surveillance systems (VSS) were closed-circuit television (CCTV) systems that use analog signals and coax cables to communicate in a closed network. As technology advanced, digital cameras supporting IP communication were integrated into VSSs. Today, many buildings have a hybrid VSS architecture that is quite complex, containing a variety of legacy and new systems.
[Diagram: hybrid VSS architecture. Analog cameras, a video encoder and a DVR; IP cameras (with VMS) and an NVR; switches/routers; a video decoder and monitor; a local server with a local monitoring PC; and a remote server with a remote monitoring PC reached over the Internet.]
9. Video Surveillance Systems: The Protocols
RTP
• Real-time Transport Protocol, usually over UDP
• Designed for real-time transfer of audio and video data
• Unidirectional from server (camera) to client (NVR)
• Secure version SRTP available, but rarely used
RTSP
• Real Time Streaming Protocol, usually over TCP
• Very similar to HTTP
• Designed to control stream parameters, not deliver the data
• RTSP communication mandatory before starting to stream
10. Video Surveillance Systems: The Vulnerabilities
Some of the vulnerabilities found in many VSS commonly used in large organizations were:
• Use of unencrypted video streams via RTP/RTSP
• Unwanted communication links between the IT network and the VSS caused by firewall misconfiguration
• Unwanted services and insecure protocols enabled, including FTP and UPnP
• Weak passwords to access IP cameras
• Vulnerable cameras [1]
[1] Forescout, Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT, 2019: https://www.forescout.com/places-in-network/building-automation-system-bas/transforming-cybersecurity-strategy-for-the-iot/
11. Video Surveillance Systems: The Attacks
Assuming a man-in-the-middle attacker (an attacker inside the network that can sniff and, when necessary, modify packets), the Forescout team successfully carried out two attacks: denial of service and footage replay.
[Lab: denial of service; footage replay]
12. Anatomy of the Footage Replay Attack
1. Establish a man in the middle
2. Eavesdrop on the traffic and record the video footage
3. Replace the RTSP GET_PARAMETER command with TEARDOWN
4. Replay the pre-captured stream to the NVR
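A monitoring point that sees both the RTSP control channel and the RTP media of one camera-to-NVR session can catch the replay described in the steps above from two traces it leaves: media keeps arriving after a TEARDOWN was seen on the control channel, and the replayed packets carry RTP sequence numbers and timestamps that run backwards from where the live stream had reached. The Python below is an added example written for this summary, not Forescout’s code or any VSS vendor’s tooling; the packet builder, the session events and the camera URL are constructed sample data, and the check assumes the monitor delivers control and media events in capture order.

```python
"""Detect traces of an RTSP/RTP footage-replay attack in one camera-to-NVR session."""
import struct
from typing import List, Tuple

# Fixed 12-byte RTP header (RFC 3550): V/P/X/CC, M/PT, sequence, timestamp, SSRC
RTP_HEADER = struct.Struct("!BBHII")


def build_rtp(seq: int, timestamp: int, ssrc: int, payload: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal RTP v2 packet; used here only to construct sample traffic."""
    return RTP_HEADER.pack(0x80, 96, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt: bytes) -> dict:
    """Parse the fixed RTP header and return the fields the detector needs."""
    if len(pkt) < RTP_HEADER.size:
        raise ValueError("packet shorter than the RTP fixed header")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F}


def rtsp_method(message: bytes) -> str:
    """Return the method of an RTSP request (OPTIONS, PLAY, GET_PARAMETER, TEARDOWN, ...)."""
    request_line = message.split(b"\r\n", 1)[0]
    return request_line.split(b" ", 1)[0].decode("ascii", "replace")


def went_backwards(new: int, last: int, bits: int) -> bool:
    """True if a wrapping counter moved backwards (serial-number arithmetic)."""
    return ((new - last) & ((1 << bits) - 1)) >= 1 << (bits - 1)


def detect_replay(events: List[Tuple[str, bytes]]) -> List[str]:
    """Walk control and media events in capture order and return alerts.

    events: ("rtsp", raw request) for requests seen on the control channel,
            ("rtp", raw packet) for media packets arriving at the NVR.
    """
    alerts, torn_down, after_alerted, last = [], False, False, None
    for kind, data in events:
        if kind == "rtsp":
            if rtsp_method(data) == "TEARDOWN":
                torn_down = True
            continue
        hdr = parse_rtp(data)
        if torn_down and not after_alerted:
            # Media should stop after TEARDOWN; more packets mean someone else is sending
            alerts.append(f"rtp_after_teardown seq={hdr['seq']}")
            after_alerted = True
        if last is not None:
            if hdr["ssrc"] != last["ssrc"]:
                alerts.append(f"ssrc_changed {last['ssrc']:#x}->{hdr['ssrc']:#x}")
            if went_backwards(hdr["seq"], last["seq"], 16):
                alerts.append(f"seq_regression {last['seq']}->{hdr['seq']}")
            if went_backwards(hdr["ts"], last["ts"], 32):
                alerts.append(f"ts_regression {last['ts']}->{hdr['ts']}")
        last = hdr
    return alerts


# Constructed session: five live packets, a TEARDOWN on the control channel, then
# three packets replayed from an earlier capture of the same camera (same SSRC).
SAMPLE_EVENTS = (
    [("rtp", build_rtp(100 + i, 90000 * (i + 1), 0xCAFE)) for i in range(5)]
    + [("rtsp", b"TEARDOWN rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 7\r\nSession: 12345678\r\n\r\n")]
    + [("rtp", build_rtp(10 + i, 90000 * (i + 1), 0xCAFE)) for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_EVENTS):
        print(alert)
```

Sequence and timestamp regressions are evaluated with wrap-around arithmetic, so a live stream crossing the 16-bit sequence boundary does not trigger them; an SSRC change is reported separately because a replay from a different capture would usually carry a different one. None of these checks are needed where SRTP with authentication is in use, which is the mitigation the protocol slide already points to.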
13. Strategy 2: Smart Lighting
Smart lighting systems are connected to a network, which allows them to be monitored and controlled from a central system or via the cloud. For this experiment, the Forescout Research Team used a Philips Hue.
[Diagram: Philips Hue system. A Wi-Fi router and the Hue bridge on the Wi-Fi network; two smart lights and a motion sensor on the ZigBee network.]
14. Smart Lighting: The Vulnerabilities
• The Philips Hue uses a dedicated bridge device that connects all lights on its own network.
• In order to work with remote systems, the bridge must be connected to a Wi-Fi router, providing a potential network entry point for a malicious actor.
[Diagram: Philips Hue system. Wi-Fi router and Hue bridge on the Wi-Fi network; smart lights and motion sensor on the ZigBee network.]
15. Attacking The Philips Hue
The Philips Hue supports an API that allows a user to interact with a bridge, and therefore the lights, using RESTful HTTP requests. [1]
Using this API, the Forescout team devised and implemented two types of attacks with a physical consequence: denial of service by switching off the lights and a platform reconfiguration.
[Lab: denial of service; platform reconfiguration]
[1] PenTestPartners, “Hijacking Philips Hue,” [Online]. Available: https://www.pentestpartners.com/security-blog/hijacking-philips-hue/.
16. Anatomy of the Attacks
1. Sniff a valid API token transmitted in cleartext HTTP
2. Send an HTTP PUT request with the sniffed token and the “off” command:
PUT http://<bridge_addr>/api/<token>/lights/<number>/state {"on":false}
3. Automate the request above via script for lights continuously off
4. Optional: use the same valid token to reconfigure the platform and use it as an entry point into the network:
PUT http://<bridge_addr>/api/<token>/config {"ipaddress":<ip_addr>, "dhcp":false, "netmask":<netmask>, "gateway":<gtw>}
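Both attacks above are visible on the wire, because the bridge API puts the token in the URL path of a cleartext HTTP request: a scripted denial of service shows up as a burst of {"on":false} writes to lights/<n>/state from one host, and the reconfiguration shows up as a PUT to /config carrying network keys from a host that is not the building’s IoT platform. The following Python is an added example for this summary, not Forescout’s code or Signify’s Hue API client; it assumes a monitor that records each HTTP request to the bridge as (time, source IP, method, path, body), and the token value abc123, the addresses and the request list are constructed placeholders.

```python
"""Flag Hue-bridge API misuse in cleartext HTTP traffic seen by a network monitor."""
import json
import re
from collections import defaultdict
from typing import Iterable, List, Tuple

HUE_PATH = re.compile(r"^/api/(?P<token>[^/]+)/(?P<resource>.+)$")
LIGHT_STATE = re.compile(r"^lights/\d+/state$")
NETWORK_KEYS = {"ipaddress", "dhcp", "netmask", "gateway"}

Request = Tuple[float, str, str, str, str]  # (time, src, method, path, body)


def analyse_hue_requests(requests: Iterable[Request], allowed_admins=frozenset(),
                         off_threshold: int = 5, window: float = 10.0) -> List[tuple]:
    """Return (alert, source, detail) tuples in the order the traffic triggered them."""
    alerts = []
    off_times = defaultdict(list)   # src -> recent timestamps of "on": false commands
    flooders = set()                # sources already reported for a flood
    for ts, src, method, path, body in requests:
        m = HUE_PATH.match(path)
        if not m:
            continue                # not a Hue API call
        resource = m.group("resource")
        try:
            payload = json.loads(body) if body else {}
        except json.JSONDecodeError:
            payload = {}
        if not isinstance(payload, dict):
            payload = {}
        # Network reconfiguration via /config from a host that is not a known admin
        if method == "PUT" and resource == "config":
            touched = sorted(NETWORK_KEYS & set(payload))
            if touched and src not in allowed_admins:
                alerts.append(("config_change", src, touched))
        # Burst of "off" commands from one host inside a sliding window
        if method == "PUT" and LIGHT_STATE.match(resource) and payload.get("on") is False:
            recent = off_times[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.pop(0)
            if len(recent) >= off_threshold and src not in flooders:
                flooders.add(src)
                alerts.append(("light_off_flood", src, len(recent)))
    return alerts


# Constructed sample traffic: one poll from the IoT platform (10.0.0.20), then a host
# on the same Wi-Fi network (10.0.0.99) reusing the sniffed placeholder token abc123.
SAMPLE_REQUESTS: List[Request] = [
    (0.0, "10.0.0.20", "GET", "/api/abc123/lights", ""),
] + [
    (1.0 + 0.5 * i, "10.0.0.99", "PUT", "/api/abc123/lights/1/state", '{"on":false}')
    for i in range(5)
] + [
    (4.0, "10.0.0.99", "PUT", "/api/abc123/config",
     '{"ipaddress":"10.0.0.250","dhcp":false,"netmask":"255.255.255.0","gateway":"10.0.0.1"}'),
]

if __name__ == "__main__":
    for alert in analyse_hue_requests(SAMPLE_REQUESTS):
        print(alert)
```

The allowlist models the one legitimate source of configuration changes; everything else touching the bridge’s network settings is reported regardless of how valid the token is, since a valid token is exactly what the attacker holds after step 1. Detection is a fallback: the mitigation is to keep the bridge off the network segment where untrusted hosts can observe its traffic.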
17. Strategy 3: IoT System
When planning their attack on the IoT system, the Forescout Research Team decided to focus on the messaging (application) layer, specifically on the most widely used protocol in IoT systems, MQTT. [1]
[Diagram: MQTT publish/subscribe model. Two publishers send messages to an MQTT broker, which forwards them to two subscribers.]
[1] Eclipse IoT Working Group, AGILE IoT, IEEE, and Open Mobile Alliance, “IoT Developer Survey 2018,” 2018. [Online]. Available: https://iot.eclipse.org/resources/iot-developer-survey/iot-developer-survey-2018.pdf.
18. The Vulnerabilities: MQTT
• MQTT is an M2M connectivity protocol, designed to be
lightweight, and is therefore unencrypted.
• Because of this, it’s highly recommended to use an encrypted
transport layer security (TLS) stream on MQTT communications,
since unencrypted traffic may disclose sensitive information,
including topics, values of data points or even credentials.
• However, there are thousands of MQTT servers not using TLS,
disclosing sensitive information, as well as allowing remote
control, to any client who remotely subscribes to a topic. [1] [2]
[1] V. Pasknel, “Hacking the IoT with MQTT,” 2017. [Online]. Available: https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b.
[2] M. Hron, “Are smart homes vulnerable to hacking?,” Avast, 2018. [Online]. Available: https://blog.avast.com/mqtt-vulnerabilities-hacking-smart-homes.
19. Exploiting MQTT
Like the attacks on the video surveillance system, for the case of the IoT system, the Forescout Research Team leveraged a protocol (MQTT), rather than specific devices. Using this method, they devised and implemented two types of attacks: information gathering and denial of service.
[Lab: information gathering; denial of service]
20. MQTT: Anatomy of the Attacks
Information gathering: An attacker can gather information about the IoT network,
such as available assets and their location, configuration information or even
sensitive information like credentials by either passively sniffing traffic or
subscribing to interesting topics and receiving published messages.
Denial of service: An attacker can flood a broker with connection attempts or
heavy payloads, which can be amplified by requiring a higher Quality-of-Service
level in the protocol.
21. CONCLUSION
In the age of IoT, legacy security solutions like endpoint agents, antivirus, and traditional IT intrusion detection systems are not enough because either they are unsupported by embedded devices or they are incapable of understanding the network traffic generated by these devices.
Organizations need to implement solutions that empower them with fully automated visibility and control across their entire enterprise.
[Diagram: cybersecurity strategy built on fully automated, complete visibility across operational technology, campus, data center and cloud, and IoT.]
22. Still Curious?
This presentation is a brief summary of an in-depth research report detailing the growth of IoT, possible business risks and cybersecurity strategy planning.
Download the “Rise of the Machines: Transforming Cybersecurity Strategy for the Age of IoT” report from the Forescout Research Team to learn more.
23. About the Researchers
Daniel dos Santos holds a PhD in computer science from the University of Trento and has experience in security consulting and
research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features
for SilentDefense.
Mario Dagrada holds a PhD in computational physics from the University Pierre Marie Curie in Paris and has experience in high
performance software development, security and research. He is a researcher at Forescout, focusing on medical device security and
the development of innovative features for SilentDefense.
Michael Yeh holds a joint master’s degree in cybersecurity from the Technical University of Eindhoven and the Radboud University.
He worked as an intern at Forescout during the development of this research project.
Martín Pérez Rodríguez has studied Computer Science & Engineering at the Universidad Politécnica de Madrid and the Technical
University of Eindhoven. After his internship, he started working as a DevOps Engineer at Forescout.
Elisa Costante holds a PhD in computer science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As director of the Industrial and OT Innovation Technology at Forescout, she drives the execution of pioneering theoretical and experimental work addressing the cyber security challenges posed by the IT/OT convergence. Her tasks include the generation of original content to boost awareness and thought leadership and the identification, building and testing of prototypes for innovative products and services in line with the overall product strategy.
24. About Forescout
Forescout Technologies is the leader in device visibility and control.
Our unified security platform enables enterprises and government
agencies to gain complete situational awareness of their extended
enterprise environments and orchestrate actions to reduce cyber and
operational risk. Forescout products deploy quickly with agentless,
real-time discovery and classification, as well as continuous
posture assessment.
www.forescout.com @Forescout Forescout Technologies