
For my inaugural blog post, I want to show you how vulnerable your Internet of Things exposure can make you.

But first, about me: I’m one of four Distinguished Systems Engineers in Cisco’s US Public Sector organization and work with customers across the federal, state, local and education markets. The majority of my time is spent designing/building/analyzing architectures and the interactions across multiple technology disciplines (routing/switching, wireless, security, IoT etc.) within that architecture. I’m also lucky enough in my role at Cisco to participate in industry working groups like the Wi-Fi Alliance, where I currently serve as chair for the Security Marketing and Technical Task groups.

So how does your personal IoT exposure affect you and why should you care? Great question – it all has to do with simple analysis and correlation of information being broadcast out in the ether for everyone to consume. In this new age of constant connectivity, pervasive Wi-Fi, IoT and personally wearable devices, there is a wealth of personally identifiable information continuously being transmitted through all of a device’s interfaces (Bluetooth, wireless, Ethernet, etc.). Chances are, you are giving away a lot more information than you know.

Pro Tip: In public spaces, keep your WiFi and Bluetooth turned off when you’re not using them.

Federal employees are not immune to this kind of vulnerability, although there is a better chance that agency-issued devices will be set up to minimize the users’ exposure. But everyone can benefit from understanding the information I’m providing here.

First, let’s look at the reason why devices transmit this information: Ease of setup/onboarding and a focus on usability. In simpler terms, the developers were trying to solve two problems: How to connect two devices easily and how to make services discoverable once the device is on the network.

In order to connect two devices with Bluetooth (say your activity monitor and your smartphone), one or both of those devices must be discoverable. When I make a Bluetooth device discoverable, by default it transmits unencrypted:

  • A friendly device name like “Bob’s-phone;”
  • Services the device has enabled;
  • Device unique identifier;
  • Additional technical information about the device, such as its manufacturer, software version and battery level.

In order to establish the secure connection, all of this information has to be made available to all devices that are within range. Freeware tools and apps are available for all types of devices that will allow you to scan Bluetooth transmissions and get a view of what types of devices are near you (roughly 100 meters away at most). The stronger the Bluetooth signal, the closer the device.

Most of us name our devices something simple and easy to spot, such as our full name or email address. As a result, your device now advertises itself and others can see that “Bob’s watch” or “Bob’s laptop” is nearby. Human nature strikes again, because we typically leave our devices discoverable all the time for convenience.

What about Wi-Fi? Once you establish a connection to a Wi-Fi network, all the devices on the network are able to share multicast and broadcast traffic among each other. To address ease of use and discovery of services and devices on the network, multiple service advertisement protocols like Multicast DNS (mDNS/Bonjour), Universal Plug and Play (UPnP), and Microsoft’s Link-Local Multicast Name Resolution (LLMNR) start once you’ve joined the network.

These protocols advertise all types of capabilities into the network (printers, file sharing, remote login, applications, device synching, etc.). They were originally developed for home/consumer use, to allow connecting to network devices by name instead of IP address. They send out similar information to Bluetooth across both Wi-Fi and Ethernet, if you still own a device with an Ethernet port.

Typically, these service discovery protocols are limited to an Ethernet segment or a wireless SSID. However, with the advent of wireless controllers, I can have an SSID that spans an entire location, campus and enterprise. With that, I can see other connected devices and what services the devices are offering. This is not very useful on its own, but let’s move on.

The interesting part is when you take these two pieces of information, which are innocuous on their own, and correlate the information being offered. Take the following scenario:

You’re connected to an open Wi-Fi hotspot in a public venue and you also have Bluetooth enabled on your device. You scan the network for services and see a device named “bsmith’s-tablet” offering a bunch of services into the network. Some of the services are for applications that synch files between devices, and which are allowing full access to some information stored on that device. By the file names, you suspect bsmith might be a federal employee with some highly sensitive information on a BYOD tablet.

As you are a good-natured IT professional and don’t want this person’s information exploited, you decide to try and locate this individual to show them the error of their ways. There is no better way than to perform a Bluetooth scan and see if the person is near your location. When you do this, you see a fitness tracker advertising “bsmith’s-watch,” with a strong Bluetooth signal suggesting the person must be close. You glance around the room and you see a young man with a federal agency’s IT tag and with the letters BS monogrammed on a briefcase. He’s about 15 feet away and is using a tablet.

While each of these pieces of information (Wi-Fi connection, Bluetooth device and personal monogram) alone doesn’t provide a lot of insight, the correlation of multiple pieces of information does. It doesn’t take a skilled hacker to obtain this information.

The moral of the story is simple: Know what information you are broadcasting into the world.

Some tips to stay safer:

  • Turn off Bluetooth when you are not using it (or at least turn off discovery);
  • Turn off your Wi-Fi when you’re not using it;
  • Don’t name all your devices with the same naming convention (and don’t use your name);
  • Don’t leave services enabled on your device that synch files or allow remote access when not connected to a secure network.
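A self-audit for the naming tip above, as an added example that is not part of the original post: given the names your own devices advertise over Bluetooth and service discovery, it flags any token (such as a username) that appears on more than one device or medium, and any name containing an email address. The inventory, the medium labels and the generic-word list are constructed assumptions.

```python
import re
from collections import defaultdict

# Words that describe the device rather than its owner (assumed list; extend as needed).
GENERIC = {"phone", "iphone", "ipad", "tablet", "watch", "laptop", "macbook",
           "pc", "tv", "printer", "android", "local"}
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}")

def owner_tokens(name):
    """Return the identifying tokens in an advertised name."""
    # Drop the possessive 's (straight or curly apostrophe), then split on punctuation.
    cleaned = re.sub(r"['\u2019]s\b", "", name.lower())
    tokens = re.split(r"[^a-z0-9]+", cleaned)
    return {t for t in tokens if t and t not in GENERIC and not t.isdigit()}

def audit(inventory):
    """inventory: (medium, advertised_name) pairs for devices you own."""
    seen = defaultdict(set)
    emails = []
    for medium, name in inventory:
        if EMAIL.search(name.lower()):
            emails.append(name)
        for token in owner_tokens(name):
            seen[token].add((medium, name))
    shared = {}
    for token, hits in seen.items():
        if len(hits) > 1:
            shared[token] = {
                "names": sorted(n for _, n in hits),
                # True when the same token is visible on more than one medium,
                # e.g. an mDNS hostname on Wi-Fi and a Bluetooth friendly name.
                "cross_medium": len({m for m, _ in hits}) > 1,
            }
    return {"shared_tokens": shared, "email_in_name": emails}

# Constructed sample inventory, using the names from the scenario above.
SAMPLE = [
    ("mdns", "bsmith's-tablet.local"),
    ("bluetooth", "bsmith's-watch"),
    ("bluetooth", "QX-7731"),
    ("llmnr", "KITCHEN-PC"),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for token, info in report["shared_tokens"].items():
        print(token, info["names"], "cross-medium" if info["cross_medium"] else "")
    print("email in name:", report["email_in_name"])
```

Any token reported with `cross_medium` set is one that ties a Wi-Fi hostname to a Bluetooth name; renaming either device breaks that link.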

 



Authors

Stephen Orr

Distinguished Systems Engineer

US Public Sector