Bring your own threat - supply chain attacks using personal IoT devices in companies presented at SupplyChainCybersecuritySummit 2019

by Martin Hron

Summary: According to statistics, 35% of IT Directors report more than 1,000 pieces of shadow IoT on their networks daily, and 39% said they used personal devices connected to the enterprise network. The most popular devices were fitness devices, digital assistants and smart kitchen devices. Every single day we hear how consumer IoT is weak and in its infancy; still, according to the statistics, these devices are commonly allowed to join the computer networks of many small, medium and big companies. What could go wrong? With software supply chain attacks the situation is somewhat easier, but what about all those IoT devices we don't really have insight into? How easy is it to infiltrate an enterprise network using off-the-shelf commodity IoT? We'll present a proof of concept (live demo) of how this could theoretically happen. Using a simple camera with modified firmware, an attacker may start the attack from the inside out, gradually gaining access to the network, infecting a coffee maker, modifying router settings, and in the end deploying ransomware, rendering the whole network inoperable. In conclusion, we'll discuss possible attack vectors and solutions to this problem.