The coming “Internet of Things” has been a buzzword for several years and is fast approaching reality. Nowadays everything from refrigerators to light bulbs to traffic lights to vehicles to medical devices
When people first started connecting “things” to the internet, they took the easy route and simply connected these devices to their existing network: a home wireless network, an existing medical clinic or hospital network, or the network already in place at their small business location.
While this is all fine and dandy, it opens up a huge potential risk in any network. Why? Because most “things” connected to the internet run static software that isn’t regularly updated and patched. Your smart door lock or light bulb most likely does not get regular updates and software patches. Not a big deal, you say? Well, yes, it can be a really big deal. Why? Because that device is a node on your network and can be hacked just like your phone or desktop computer. Worse yet, the hacker can then control that device with almost zero chance of getting caught.
But who cares if a hacker controls my light bulb? Well, it isn’t the light you should be worried about. More importantly, your light bulb can become a “zombie” on a remotely controlled botnet and be used to attack higher-value targets elsewhere. It can also be used to attack YOUR higher-value targets, for example by sniffing your network for unencrypted passwords, bank information or even medical records. And since the device is “headless” – i.e., it has no monitor – it becomes very difficult for the average person to detect that their
In fact, I have seen devices such as CTs, MRIs, ultrasounds, infusion pumps and even drug dispensing robots connected to open networks with almost zero protections. Some of these devices have been in operation for a decade or longer with zero software patches or updates, or even anti-virus software installed. In fact, hospitals and medical
Imagine a hacker walking into a hospital and, when a nurse or attendant is not looking, slipping a USB thumb drive into an empty USB port on the back of a computer. This most likely wouldn’t be noticed, but it could potentially open up your secure network to the outside world. The thumb drive could run software in the background that reached out to a hidden web site to download trojan horse software, which could then infiltrate your entire network and start gathering patient information or, worse yet, give the hacker control of dangerous equipment such as an MRI or CT. It wouldn’t take much for a hacker to reprogram a CT to increase the radiation emitted to very dangerous levels.
Because of these unprotected and unpatched devices, this “internet of things”, in my opinion, can easily become the “internet of terror”.
How do you protect your Internet of Things?
How can you protect your light bulbs, door locks, and even medical devices? Unfortunately, in most cases you are not able to patch and update this equipment yourself, since you often won’t have direct access to the operating system controlling these devices. In the case of medical equipment, the upgrade process is controlled by the manufacturer, and the manufacturer’s regulatory obligations to the Food and Drug Administration (FDA) mean that updates go through extensive testing before they are distributed. In the case of a device like a light bulb or door lock, it may not have direct access to the internet or even a browser, so it cannot “go get” an update – yet it can still be hacked by a nefarious attacker.
There are a variety of ways to protect your “Internet of Things”, and no single defense or solution will do it. Instead you need a multi-layered approach to stop attacks. The most important layer, and the subject of this article, is setting up VLANs for your IoT devices.
Create VLANs for your Internet of Things (IoT)
My first recommendation is to create a VLAN for your IoT devices. In a complex environment such as a hospital, you may want multiple VLANs: one for medical imaging equipment, one for your phone system, one for your security system and door locks, and so on. Traffic between these VLANs should then pass through some type of firewall that lets you isolate the traffic and monitor what goes in and out of each VLAN. This way you can block unwanted traffic, set up alarms for unusual traffic, and better control what enters and leaves each VLAN. Keep in mind that a VLAN by itself only separates traffic at the switch; if the router simply forwards packets between VLANs without restriction, the segmentation provides no real protection. The firewall rules between the VLANs, ideally default-deny with a short allow-list of the flows each device class actually needs, are what enforce the isolation.
For smaller and less complex networks, you may want just one IoT VLAN. For example, you could put your security system on an IoT VLAN and keep it isolated from your company data. That way, if a hacker was able to penetrate your less secure IoT VLAN, they would still have difficulty reaching your sensitive customer data.
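The following is an added example, not code from the original article. It models the firewall that sits between the VLANs described above (one per device class in the hospital case, collapsed to a single IoT VLAN in the small-network case): a default-deny policy with a short allow-list, replayed over constructed flow records to show which flows are blocked and which should raise an alarm, plus a rendering of the same policy as an nftables forward chain. The VLAN IDs, subnets, interface names (eth0.<vid> and eth1), ports and sample flows are all assumptions for illustration.

```python
"""Inter-VLAN policy check for IoT segments (added example, not the article's code)."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan: one VLAN per device class, all routed by one firewall.
VLANS = {
    "corp":    (10, ipaddress.ip_network("10.0.10.0/24")),  # workstations, servers
    "imaging": (20, ipaddress.ip_network("10.0.20.0/24")),  # CT, MRI, ultrasound
    "voip":    (30, ipaddress.ip_network("10.0.30.0/24")),  # phone system
    "physsec": (40, ipaddress.ip_network("10.0.40.0/24")),  # cameras, door locks
}
INTERNET = "internet"
IOT_VLANS = {"imaging", "voip", "physsec"}

# Allow-list of flows permitted to cross a VLAN boundary; everything else is
# dropped. Ports are assumptions (DICOM 104, HTTPS 443, SIP 5060, NTP 123).
ALLOW = [
    ("corp", "imaging", "tcp", 104),   # PACS workstation pulls studies
    ("corp", "physsec", "tcp", 443),   # admin UI for cameras and locks
    ("corp", "voip", "tcp", 5060),     # PBX signalling
    ("physsec", "corp", "udp", 123),   # locks sync time from the corp NTP server
    ("corp", INTERNET, "any", 0),      # only the corp VLAN may reach the internet
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str    # "accept" or "drop"
    reason: str
    severity: str  # "none", "low" or "high"


def vlan_of(ip: str) -> str:
    """Map an address to its VLAN by subnet; anything outside is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, (_vid, net) in VLANS.items():
        if addr in net:
            return name
    return INTERNET


def evaluate(flow: Flow) -> Decision:
    """Apply the allow-list to one flow; default deny across VLAN boundaries."""
    src, dst = vlan_of(flow.src), vlan_of(flow.dst)
    if src == dst:
        # Same VLAN: the switch forwards it and the firewall never sees it.
        return Decision("accept", f"intra-VLAN {src}", "none")
    for a_src, a_dst, a_proto, a_port in ALLOW:
        if (a_src, a_dst) == (src, dst) and a_proto in ("any", flow.proto) \
                and a_port in (0, flow.dport):
            return Decision("accept", f"allowed {src}->{dst} {flow.proto}/{flow.dport}", "none")
    # A device in an IoT VLAN (or an outside host) initiating traffic it has no
    # business sending is the signature of a "zombie" and deserves an alarm.
    severity = "high" if src in IOT_VLANS or src == INTERNET else "low"
    return Decision("drop", f"no rule for {src}->{dst} {flow.proto}/{flow.dport}", severity)


def alerts(flows):
    """Return (flow, decision) pairs that should page someone: high-severity drops."""
    out = []
    for f in flows:
        d = evaluate(f)
        if d.severity == "high":
            out.append((f, d))
    return out


def to_nftables() -> str:
    """Render the same policy as an nftables forward chain with policy drop.
    Assumes VLAN sub-interfaces eth0.<vid> on the firewall and eth1 facing the internet."""
    def ifname(v):
        return "eth1" if v == INTERNET else f"eth0.{VLANS[v][0]}"
    lines = ["table inet inter_vlan {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for s, d, proto, port in ALLOW:
        match = "" if proto == "any" else f" {proto} dport {port}"
        lines.append(f'    iifname "{ifname(s)}" oifname "{ifname(d)}"{match} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records standing in for a conntrack or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.0.10.15", "10.0.20.5", "tcp", 104),     # PACS -> CT: allowed
    Flow("10.0.20.5", "10.0.10.200", "tcp", 445),    # CT -> file server SMB: drop, alarm
    Flow("10.0.40.12", "203.0.113.7", "tcp", 8443),  # door lock -> internet: drop, alarm
    Flow("10.0.40.12", "10.0.10.5", "udp", 123),     # door lock -> NTP: allowed
    Flow("10.0.40.12", "10.0.40.13", "tcp", 80),     # camera -> camera: never hits firewall
    Flow("10.0.10.15", "203.0.113.7", "tcp", 443),   # workstation -> internet: allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = evaluate(f)
        print(f"{f.src:>12} -> {f.dst:<14} {f.proto}/{f.dport:<5} {d.action:6} [{d.severity}] {d.reason}")
    print(to_nftables())
```

Two design points worth noting. The replay treats same-VLAN traffic as invisible to the firewall, which is exactly why a compromised camera can still attack its neighbours on the same VLAN; splitting device classes into separate VLANs, as the hospital layout above does, is what brings that traffic under the firewall's eye. And the severity is driven by who initiated the flow: an IoT device opening a connection toward the corporate VLAN or the internet is far more suspicious than a workstation hitting a port the allow-list forgot, so the former is what should trigger the alarm.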