CIA Breach Shows Lack of Security in IoT

The late-night talk show hosts did what they do best – poked fun at the latest news, in this particular case, the Wikileaks dump of CIA documents. Stephen Colbert lamented that he has multiple Samsung television sets in his home, the brand mentioned as a spying tool, and that the CIA must now have hours of footage of him searching for his lost remote. The joke got a good laugh, but it covered some very important information that the audience would have benefited from – the lack of security in the Internet of Things (IoT).

Let’s back up just a bit and talk about the CIA breach. According to eSecurity Planet, the leak is referred to as the Vault 7, and includes more than 8000 documents. The article also explained:

Recently, the CIA lost control of the majority of its hacking arsenal, including malware, viruses, Trojans, weaponized “zero-day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.

It’s a very serious blow to national security efforts, and once again highlighted how easily Wikileaks is able to cause damage to its targets, as well as those caught in the crossfire. I know a lot of political and legal concerns surround the leak, and I’m sure that information will get discussed a lot in the coming days and weeks. What I think won’t get discussed and has greater ramification to businesses and their employees and customers are the IoT security risks.

What was once considered high-quality, nation state-sponsored sophisticated malware, is now being proliferated by ‘everyday’ cyber criminals, Patrick Dennis, president and CEO of Guidance Software, said in an email comment, and it’s another indication that the industry needs to change and we need to bolster the security of IoT devices.

Andrew McDonnell, president at AsTech, echoed that thought, telling me in an email statement:

Many of the vulnerabilities cited in this tool set are well-known. ‘Smart’ TVs, old Android phones (like the President’s), unpatched routers, and a host of other devices have known vulnerabilities that are not exclusive to the CIA. If genuine, there are likely some proprietary vulnerabilities or zero-days in there. Ultimately, secret backdoors in software – whether intentional or based on an exploit – make everyone less safe: There’s no way to control who uses them.

The time has long since passed for IoT devices to enable security functions like patches, better credentials and app control because, James Maude, senior security engineer at global endpoint security firm Avecto, told me via email:

With devices such as these connected to corporate networks, it is really important to focus on securing other endpoints as much as possible to limit lateral movement and segregate the environment where possible.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba