IoT Devices and Security Concerns

Overview

• Local Networks: Many devices connected, often hardware devices without access to OS.
• Examples: Air conditioning systems, clock-in/out devices.
• Security Risks: Connected devices are potential security risks.

Embedded Systems and IoT

• Devices at Home: Stoves, refrigerators, garage doors, front doors, and other IoT devices can pose security issues.
• Traditional Focus: Previously, security focused on devices we control (e.g., Windows laptop, tablets, mobile phones).
• IoT Impact: Many more devices connected; each presents a security concern.

Firmware and Updates

• Firmware: The OS running inside hardware devices.
  • Often unknown to users.
  • Managed by the manufacturer.
• Manufacturer Responsibility: Only they can update/patch firmware.
• Security Focus: Manufacturers might lack prioritization of IT security.

Case Study: Trane ComfortLink II Thermostats

• Security Vulnerabilities: Notified in April 2014.
• Patch Timeliness: First patch released in April 2015, second in January 2016.
• Comparison: Other OS (Windows, macOS, Linux) patch much quicker (usually within a month).

End-of-Life (EoL) and End-of-Service-Life (EoSL)

• EoL Notice: Indicates future halt in product sales.
  • Security patches might still be available for some time after EoL announcement.
• EoSL: No further security patches will be provided.
  • High-cost support options might exist, but not feasible for most customers.
• Action: Replace devices hitting EoSL to ensure continued security.

Legacy Devices in Organizations

• Legacy Devices: Old devices with potentially outdated OS, applications, or middleware.
• Risk Assessment: Weigh continuing use against security risks.

Mitigation Strategies

• Firewall Rules: Restrict access to legacy devices.
• IPS Signatures: Custom signatures for older OS.
• Path to Replacement: Develop a plan to replace while maintaining security.