IoT devices are hackable in under three minutes, researchers warn

ForeScout's IoT Enterprise Risk Report revealed major security flaws in common devices that, once attacked, are difficult to repair.
By Jessica Davis
03:39 PM

Internet-of-Things devices lack some of the most basic cybersecurity protocols. As a result, these devices can be weaponized en masse – and in as little as three minutes.

Not only that, ForeScout researchers revealed in the security firm's recent IoT Enterprise Risk Report, but once compromised, these devices are nearly impossible to repair. Many have to return the device to the manufacturer to be reformatted.

The bottom line: These devices are incredibly easy to compromise and hard to make right again after attack, according to ForeScout Chief Strategy Officer Pedro Abreu.

Further, some of these same devices operate with out-of-date firmware, the result of which creates a backdoor for these hackers to gain entry and launch an automated DDoS attack with an IoT botnet.

[Also: Dyn down: Major East Coast cyberattack brings down Twitter, Netflix, Spotify and others]

And it's no longer just a hypothesis. The results of poor IoT security was seen in last week's DYN attack, which rendered some of the largest websites inaccessible. The point of entry? An IoT botnet simultaneously directed from 10 of millions of IP addresses.

This has huge implications for the healthcare industry.

"IoT is the new frontier of attack where we're going to start seeing a rapid increase in these attacks," Abreu said. "Healthcare organizations have been very focused on protecting traditional IT, spending millions of dollars to secure its systems. But it leaves an open door with IoT devices – although it's meant to be a secure system."

Although these devices may appear insignificant in terms of security, Abreu explained, there are many ways hackers can use IoT to gain access to networks, entire systems - and even patient records.

"What people don't realize is that underneath medical devices are mini computers with a lot of capabilities," Abreu said.

Attackers break into the device - not to steal information - but to use it as a point of control, Abreu warned. Hackers believe that if they can control the pump, there's no reason to stop probing to see where other vulnerabilities hide.

Cybercriminals freely navigate the network from the point of entry and continue to hide in a system or use the IoT to leverage an attack.

[Also: Massive DDoS attack harnesses 145,000 hacked IoT devices]

To make matters worse, according to CynergisTek cofounder and CEO Mac McMillan, 30 percent of hospital resources are outsourced to vendors. And if that vendor is hit by a DDoS attack, the hospital can lose access.

"When you have these IoT attacks, not only can it disrupt services and access to information, if those devices are connected to the hospital network, there's nothing to say they can't focus on hospitals and create a DDoS," McMillan said.

The massive recent IoT-based attack on the Dyn cloud company came as no surprise to security researchers. McMillan said that researchers have known IoT and medical devices aren't secure. Further, hackers have discovered effective malware to attack devices, commandeer them and group them together to 'essentially create a supercomputer.'

"These vulnerabilities will continue to be exposed," Abreu said. "We need to change how we do security. If organizations don't know what is connected to its network, it can't be protected."

"You need to be able to control the device and what it has access to within the environment to limit the threat," Abreu said. "We're trying to motivate companies on how approach things differently in those new world."

Twitter: @JessieFDavis
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.