Microsoft's Security Response Center has issued a set of recommendations for organisations to protect against nation-state network intrusion via insecure IoT devices.
A report by the Windows giant's security unit describes three incidents earlier this year in which a VoIP phone, an office printer and a video decoder were compromised. In two cases the manufacturer's default password had never been changed; in the third, the device had not been patched with the latest security update.
Once access was gained, scripts were used to sniff network traffic, enumerate administrative groups, and look for other insecure devices, under the direction of an external command-and-control server.
Microsoft attributed the attacks to a nation-state group it calls STRONTIUM, which largely targets governments, IT, military, defence and engineering organisations – as well as anti-doping agencies, political groups, and the hospitality industry. The company said it has delivered nearly 1,400 notifications to customers about STRONTIUM activity over the last 12 months, though some of these concerned attempted targeting rather than actual compromise.
"It's easy to see the need for better enterprise management," said Microsoft, which has come up with 12 actions for securing IoT devices. These include device approval (keeping an inventory of which devices are allowed on the network), avoiding direct internet exposure, putting IoT devices on a separate network where feasible, conducting patch audits, monitoring for suspicious activity ("e.g. a printer browsing SharePoint sites"), and including security requirements in contracts with third parties.
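The "printer browsing SharePoint sites" tell, together with the compromised devices' hunt for other insecure devices, is the kind of thing a simple role-based detector can catch once an inventory exists. The following is an added example, not Microsoft's tooling or anything from its report: it parses constructed connection-log lines, looks each source up in a hypothetical device inventory, and flags flows that a printer, phone or video decoder has no business making (an unexpected destination port, an internet destination, a sensitive internal host name, or scan-like fan-out to many internal hosts). The inventory, policy table, host-name patterns, threshold and log format are all assumptions chosen for illustration.

```python
"""Flag IoT devices talking to destinations their role does not explain.

Added example for illustration; not Microsoft's code. The inventory, policy,
log format and sample log lines below are all constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical inventory: device IP -> device class. In practice this is the
# asset register that the "device approval" step produces.
INVENTORY = {
    "10.0.5.21": "printer",
    "10.0.5.40": "voip_phone",
    "10.0.5.77": "video_decoder",
}

# Hypothetical per-class policy: destination ports the class normally uses,
# and whether it is allowed to reach addresses outside the internal ranges.
POLICY = {
    "printer":       {"ports": {53, 123, 631, 9100}, "internet": False},
    "voip_phone":    {"ports": {53, 123, 5060, 5061}, "port_ranges": [(16384, 32767)], "internet": False},
    "video_decoder": {"ports": {53, 123, 554}, "port_ranges": [(5004, 5005)], "internet": False},
}

# Address space the organisation treats as internal (assumed: RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host names an IoT device should never be contacting, whatever the port (assumed).
SENSITIVE_HOST_PATTERNS = [re.compile(p, re.I) for p in (r"sharepoint", r"^dc\d*\.", r"ldap")]

# Distinct internal hosts one device may touch before we call it scanning (assumed).
FAN_OUT_THRESHOLD = 5

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> [host=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def port_allowed(policy, port):
    if port in policy["ports"]:
        return True
    return any(lo <= port <= hi for lo, hi in policy.get("port_ranges", []))


def check_flow(flow):
    """Return a list of (rule, detail) findings for one flow; empty if it looks benign."""
    cls = INVENTORY.get(flow["src"])
    if cls is None:
        return []  # not a managed IoT device; other tooling covers workstations
    policy = POLICY[cls]
    where = "%s %s -> %s:%d" % (cls, flow["src"], flow["dst"], flow["dport"])
    findings = []
    if not is_internal(flow["dst"]) and not policy["internet"]:
        findings.append(("internet_egress", where))
    if not port_allowed(policy, flow["dport"]):
        findings.append(("unexpected_port", where))
    host = flow.get("host") or ""
    if any(p.search(host) for p in SENSITIVE_HOST_PATTERNS):
        findings.append(("sensitive_host", "%s %s -> %s" % (cls, flow["src"], host)))
    return findings


def analyse(lines):
    """Run the per-flow checks plus a fan-out heuristic for device-to-device scanning."""
    findings = []
    internal_targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        findings.extend(check_flow(flow))
        if flow["src"] in INVENTORY and is_internal(flow["dst"]):
            internal_targets[flow["src"]].add(flow["dst"])
    for src, targets in internal_targets.items():
        if len(targets) >= FAN_OUT_THRESHOLD:
            findings.append(("scan_like_fanout",
                             "%s %s touched %d internal hosts" % (INVENTORY[src], src, len(targets))))
    return findings


# Constructed sample log: a printer reaching SharePoint, a phone doing normal SIP,
# a video decoder sweeping neighbours on telnet, the printer calling out to the
# internet (203.0.113.10 is a documentation address standing in for a real one),
# and an unmanaged workstation that the detector ignores.
SAMPLE_LOG = """\
2019-08-05T10:13:02Z src=10.0.5.21 dst=10.0.1.200 dport=443 host=sharepoint.corp.example
2019-08-05T10:13:05Z src=10.0.5.40 dst=10.0.1.9 dport=5060 host=pbx.corp.example
2019-08-05T10:13:09Z src=10.0.5.77 dst=10.0.5.1 dport=23
2019-08-05T10:13:10Z src=10.0.5.77 dst=10.0.5.2 dport=23
2019-08-05T10:13:11Z src=10.0.5.77 dst=10.0.5.3 dport=23
2019-08-05T10:13:12Z src=10.0.5.77 dst=10.0.5.4 dport=23
2019-08-05T10:13:13Z src=10.0.5.77 dst=10.0.5.5 dport=23
2019-08-05T10:14:00Z src=10.0.5.21 dst=203.0.113.10 dport=443 host=update.example.net
2019-08-05T10:14:30Z src=10.0.1.15 dst=10.0.1.200 dport=443 host=sharepoint.corp.example
""".splitlines()

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_LOG):
        print("%-18s %s" % (rule, detail))
```

The point of keying everything on the inventory is that the same SharePoint request is benign from a workstation and alarming from a printer; without device approval there is nothing to compare against. The fan-out rule is deliberately crude (a count of distinct internal hosts with no time window), so on real traffic it needs a window and a per-class threshold, and the internal ranges should be the organisation's actual allocation rather than the RFC 1918 default assumed here.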
Some blame for this kind of vulnerability must fall on the device manufacturers. There is no need for every unit of a product to ship with the same default password, for example: a per-device credential, or a forced change on first login, would remove the problem at the source. Another issue is that there is often no built-in mechanism for detecting when a security update is required and then applying it, so devices stay on whatever firmware they shipped with.
Customers may still think of devices like printers and phones as appliances, there to do one job only, rather than as computers on the network that need securing. If that attitude persists, we can expect many more intrusion reports. ®