There’s an insidious invasion of tech going on that is exposing the business network, premises and staff to attack.
Smart equipment routinely being installed incorrectly by engineers or without being vetted… users bringing in their own smart tech gadgets… small businesses using insecure consumer tech to secure their premises. This invasion of ‘stealth tech’ presents a real threat to businesses.
Devices are easily locatable over the Internet, allowing savvy hackers to take over system controls, introduce malware, or hop onto the corporate network to harvest data.
Screen casters or presentation systems are one example of the type of device that is often overlooked. Used to project laptop or tablet displays onto a larger screen so that presentations can be made to an audience, it’s the type of tech that tends to be swapped in and out without authorisation.
They’re typically wireless for ease of use and to enable the system to be situated out of the way, which can, unfortunately, lead to a case of ‘out of sight, out of mind’.
In a recent sweep we located a vulnerable screen caster in a ceiling void behind a suspended ceiling which the IT security team were oblivious of. The device had numerous issues. It created a wireless access point with a default SSID and had no pre-shared key (PSK).
It was set to bridge both the wireless AND wired networks and the installer had plugged it directly into the corporate network. The embedded web server also had a default admin password that would be easy to obtain or crack.
Now it could be argued that you’d need to be within local range in order to attack this device, making such attacks opportunistic. However, the SSID can helpfully be found on the location tracking site ‘Wigle’ (as can many other makes and models just by running a search for ‘wireless presentation’). Once identified, it becomes possible to target that specific business.
Poor installation by the audio visual supplier, weak default settings put in place by the manufacturer and a lack of security oversight by the organisation mean there are potentially legions of these systems out there exposing corporate networks.
Thankfully the system we looked at has since been updated to prevent the bridging issue but businesses need to ensure they’ve applied such patches or they could still be vulnerable.
It’s not just IT systems though. Building Management Systems (BMS) are often installed in ways that fail to comply with the manufacturer’s recommendations.
Trend Controls explicitly states that devices should be on isolated subnets and never exposed to the Internet, yet there are more than a thousand of their BMS controllers locatable online via the ‘Shodan’ website, deployed in businesses and organisations such as restaurants, military establishments, universities and schools.
One of the most worrying issues was the ‘guest’ user; if this had not been allocated, an outsider could access the system and name themselves, providing them with full access and the ability to open/close doors, activate/deactivate alarms, turn heating on/off or hop onto the network proper, all from the safety of their armchair.
To top it all off, some of the BMS systems we found had already been compromised by malware.
In other scenarios, we’ve found systems that technically don’t come under any internal authority at all. There have been vending machines which are hooked up to the corporate network, again potentially creating a point for the introduction of malware or a jumping off point on to the network.
There’s also now a tendency for small businesses to install consumer-grade tech such as alarms, CCTV and DVRs.
Wireless alarms can be susceptible to signal jamming, allowing the attacker to trigger or deactivate the alarm and can also act as ideal pivot points onto internal networks, allowing further attacks to be mounted, and data exfiltration to take place. They have no anti-virus, no users to disrupt, and no one is going to question huge amounts of traffic coming in and out.
CCTV systems generally record footage to a DVR, and the security of these systems is notoriously lax. It was DVR source code that succumbed to the Mirai malware that saw the most powerful DDoS attacks witnessed to date. Of course, business and home owners want to access their DVRs remotely to keep an eye on things.
The DVRs get opened up to the Internet using port-forwarding, and because of this, hundreds of thousands of them can quickly and easily be located on Shodan. We’ve even come across installers sharing passwords generated daily online, thereby removing one of the security obstacles for the attacker.
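The port-forwarding rules that expose a DVR are usually a handful of lines in the router’s NAT table, so they can be audited rather than guessed at. The script below is an added example, not the article’s code: it parses a constructed `iptables-save -t nat` dump, picks out every DNAT rule on the PREROUTING chain, and reports those that arrive on a WAN-facing interface and are not on an approved list. The interface names, addresses and the approved entry are assumptions for the sample.

```python
"""Audit an `iptables-save -t nat` dump for DNAT port-forwards that expose
internal hosts (DVRs, cameras) to the Internet. Added example, not the
article's code; the dump and addresses below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `iptables-save -t nat` output from a hypothetical router.
# Assumption: eth0 is the WAN-facing interface, eth1 an internal VLAN.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass(frozen=True)
class PortForward:
    in_iface: Optional[str]   # None means the rule matches traffic on every interface
    proto: Optional[str]
    ext_port: Optional[str]   # external (WAN-side) port being forwarded
    dest_host: str            # internal host the traffic is rewritten to
    dest_port: Optional[str]


# A PREROUTING rule whose target is DNAT; everything between is the match part.
DNAT_RE = re.compile(r"^-A PREROUTING (?P<match>.*?)-j DNAT --to-destination (?P<dest>\S+)")


def _opt(match_text: str, flag: str) -> Optional[str]:
    """Return the value following an iptables match flag such as -i or --dport."""
    m = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", match_text)
    return m.group(1) if m else None


def parse_port_forwards(dump: str) -> List[PortForward]:
    """Extract every DNAT port-forward from an iptables-save nat table."""
    forwards: List[PortForward] = []
    for line in dump.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        dest = m.group("dest")
        # --to-destination may be just a host; the port, if present, follows the last colon
        host, _, port = dest.rpartition(":") if ":" in dest else (dest, "", "")
        forwards.append(PortForward(
            in_iface=_opt(m.group("match"), "-i"),
            proto=_opt(m.group("match"), "-p"),
            ext_port=_opt(m.group("match"), "--dport"),
            dest_host=host,
            dest_port=port or None,
        ))
    return forwards


def find_internet_exposed(dump: str, wan_ifaces: Set[str],
                          approved: Set[Tuple[str, Optional[str]]] = frozenset()) -> List[PortForward]:
    """Return forwards reachable from the WAN whose internal target is not approved."""
    exposed: List[PortForward] = []
    for fw in parse_port_forwards(dump):
        # A rule with no -i applies to every interface, so treat it as WAN-reachable too.
        on_wan = fw.in_iface is None or fw.in_iface in wan_ifaces
        if on_wan and (fw.dest_host, fw.dest_port) not in approved:
            exposed.append(fw)
    return exposed


if __name__ == "__main__":
    # Assumption: only the reverse proxy at 192.168.1.10:443 is meant to be reachable.
    for fw in find_internet_exposed(SAMPLE_NAT_DUMP, {"eth0"}, {("192.168.1.10", "443")}):
        print(f"EXPOSED: {fw.in_iface} {fw.proto}/{fw.ext_port} -> {fw.dest_host}:{fw.dest_port}")
```

On a real router, feed it the output of `iptables-save -t nat` and keep the approved list in version control; any forward that appears outside it is exactly the kind of DVR or camera exposure the article describes and should be replaced with a VPN or a segregated, non-forwarded network.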
So far we’ve looked at sanctioned installs but stealth tech can also include personal devices. Just like with BYOD, users are now bringing in their own smart devices into the workplace. Each of these devices can expose the business in different ways.
It could be a seemingly harmless smart toy, but did you know that it can also be used as a covert surveillance device? Or the boss’s fitness tracker, which can reveal when they’re out of the office and where they train? Or the humble kettle, which you can activate from your desk but which also happens to be unconfigured and sharing your wireless PSK?
So what should you do to reduce these risks? Firstly, scan for unidentified wireless access points in and near the office to identify wireless devices. Secondly, when plugging in ANY auxiliary equipment do consult the security department.
By that we mean both IT security and physical security, as there can often be a disconnect between the two, with BMS and CCTV or alarm systems not regarded as answerable to IT. If you’re installing an alarm, opt for wired rather than wireless and a graded alarm, i.e. Grade 2, and when it comes to DVRs ensure these are segregated and don’t port forward to the Internet.
Finally, do educate your workforce on the do’s and don’ts of bringing in their own smart devices. All of the IoT needs to come under the security policy and nobody should be plugging in kit without first checking with the security bods.
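The first recommendation above, a sweep for unidentified access points, is also how the ceiling-void screen caster described earlier would have been caught: it advertised a default SSID with no PSK. The script below is an added example, not the article’s code. It parses a constructed excerpt in the format printed by `iw dev wlan0 scan` and flags each BSS that is missing from the wireless asset inventory, is open (no Privacy bit, so no PSK), advertises encryption without a WPA/RSN element (most likely WEP), is WPA1-only, or carries a factory-default-looking name. The BSSIDs, SSIDs and inventory are assumptions for the sample; the only default-name pattern included is the ‘wireless presentation’ string the article mentions, and you would extend that list with your own vendors’ defaults.

```python
"""Flag open, unknown, weakly secured or default-named access points in an
`iw dev <iface> scan` dump. Added example (not the article's code); the scan
text, BSSIDs and inventory below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt in the format printed by `iw dev wlan0 scan`; only the
# fields the audit needs are kept for each BSS.
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -48.00 dBm
    SSID: CorpWiFi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS aa:bb:cc:00:00:02(on wlan0)
    freq: 2437
    capability: ESS (0x0001)
    signal: -62.00 dBm
    SSID: Wireless Presentation
BSS aa:bb:cc:00:00:03(on wlan0)
    freq: 2412
    capability: ESS Privacy (0x0011)
    signal: -70.00 dBm
    SSID: BackOfficeCam
BSS aa:bb:cc:00:00:04(on wlan0)
    freq: 5240
    capability: ESS Privacy (0x0011)
    signal: -55.00 dBm
    SSID: CorpGuest
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    signal_dbm: Optional[float] = None
    privacy: bool = False                              # capability "Privacy" bit: encryption advertised
    security_ies: Set[str] = field(default_factory=set)  # "RSN" (WPA2/3) and/or "WPA" (WPA1) elements seen


BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)


def parse_iw_scan(text: str) -> List[AccessPoint]:
    """Turn the indented `iw` scan listing into one AccessPoint per BSS line."""
    aps: List[AccessPoint] = []
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            aps.append(AccessPoint(bssid=m.group(1).lower()))
            continue
        if not aps:
            continue
        ap, line = aps[-1], raw.strip()
        if line.startswith("SSID:"):
            ap.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            ap.privacy = "Privacy" in line.split()
        elif line.startswith("signal:"):
            ap.signal_dbm = float(line.split()[1])
        elif line.startswith("RSN:"):
            ap.security_ies.add("RSN")
        elif line.startswith("WPA:"):
            ap.security_ies.add("WPA")
    return aps


# Assumption: SSID fragments that indicate a device left on its factory name.
DEFAULT_NAME_PATTERNS = [re.compile(r"wireless presentation", re.IGNORECASE)]


def audit_access_points(aps: List[AccessPoint], known_bssids: Set[str],
                        name_patterns=DEFAULT_NAME_PATTERNS) -> List[Dict[str, str]]:
    """Return one finding per (access point, issue) pair."""
    findings: List[Dict[str, str]] = []
    for ap in aps:
        issues: List[str] = []
        if ap.bssid not in known_bssids:
            issues.append("not in wireless asset inventory")
        if not ap.privacy:
            issues.append("open network: no PSK, anyone in range can join")
        elif not ap.security_ies:
            issues.append("Privacy bit set but no WPA/RSN element: likely WEP")
        elif "RSN" not in ap.security_ies:
            issues.append("WPA1-only (TKIP): weak, move to WPA2/WPA3")
        if any(p.search(ap.ssid) for p in name_patterns):
            issues.append("SSID matches a factory-default name")
        findings.extend({"bssid": ap.bssid, "ssid": ap.ssid, "issue": i} for i in issues)
    return findings


if __name__ == "__main__":
    inventory = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:04"}   # assumed known corporate BSSIDs
    for f in audit_access_points(parse_iw_scan(SAMPLE_SCAN), inventory):
        print(f"{f['bssid']}  {f['ssid']!r:24} {f['issue']}")
```

Run it periodically against `iw dev wlan0 scan` output from a few points around the premises and diff the findings against the last run; a newly appearing open BSS with a default name and a strong signal is the signature of exactly the kind of unvetted presentation device, camera or kettle the article is warning about, and the inventory of known BSSIDs is what lets the IT and physical security teams agree on what is actually sanctioned.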