IoT Guidance
Category Definition
The Internet of Things (IoT) describes physical devices with embedded communications and data processing capabilities. IoT devices connect to and exchange data with other networked computers without human interaction.
Why a defender should care about IoT
IoT devices, from light bulbs to corporate meeting room controllers, are found everywhere. They often go unseen, are poorly maintained and remain unpatched, which makes them vulnerable to attack. Because of their small form factors and simple configurations, IoT devices frequently appear as shadow IT assets, added to networks outside of standard policies. If compromised, these devices can grant attackers initial access (https://attack.mitre.org/tactics/TA0001/) and serve as a low-risk staging point for lateral movement (https://attack.mitre.org/tactics/TA0008/) within networks. IoT devices, particularly consumer-grade equipment, may maintain persistent connections to their manufacturers over the internet. These call-home channels expose the network to external threats delivered through the manufacturer. Third-party risk associated with IoT should not be discounted or overlooked.
Why an attacker is interested in IoT
IoT devices are network-attached computers with limited computational capacity, which makes them difficult to defend. Without dedicated monitoring, defenders easily miss rogue IoT systems. IoT systems generally do not allow the installation of defensive tooling and offer few monitoring or secure configuration options, so there is often no way to enforce least-privilege access on them. Attackers who gain access to an IoT device usually obtain the same privileges as the device owner, or more. Many IoT devices run functional general-purpose operating systems, so attackers can use their existing toolsets on them with little or no modification. Weak defenses, accessible operating environments and minimal defender monitoring combine to make IoT an attractive target.
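The two points above (shadow IoT assets that appear outside standard onboarding, and call-home channels back to a manufacturer) can both be checked from data most networks already have. The following is an added example, not part of the original guidance: it reconciles DHCP lease records against an asset inventory to surface unregistered devices from IoT vendor OUIs, then looks for those devices repeatedly contacting the same external host, which is the call-home pattern. The OUI table, inventory, address ranges and log lines are all constructed for the example; a real deployment would load the IEEE OUI list and its own CMDB.

```python
"""Flag shadow IoT devices from DHCP leases and spot their call-home flows.

Added example with constructed data; nothing here is vendor- or site-specific.
"""
from collections import defaultdict

# Constructed OUI (first three bytes of the MAC) -> vendor map. These OUIs
# are hypothetical placeholders, not real vendor assignments.
OUI_VENDORS = {
    "AA:BB:01": "ExampleBulb",
    "AA:BB:02": "ExampleRoomPanel",
}

# Constructed asset inventory: MACs that went through standard onboarding.
INVENTORY = {"AA:BB:02:00:00:10"}

# Constructed internal address space; any other destination counts as external.
CORP_PREFIXES = ("10.", "192.168.")

# Constructed DHCP lease log, one lease per line.
DHCP_LEASES = """\
2024-05-01T08:00:01 ip=10.0.5.21 mac=AA:BB:01:12:34:56 host=bulb-kitchen
2024-05-01T08:00:04 ip=10.0.5.22 mac=AA:BB:02:00:00:10 host=meeting-room-3
2024-05-01T08:00:09 ip=10.0.5.23 mac=00:11:22:33:44:55 host=laptop-jdoe
"""

# Constructed flow records (e.g. from a firewall or NetFlow exporter).
FLOWS = """\
2024-05-01T08:05:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes=1800
2024-05-01T08:10:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes=1750
2024-05-01T08:15:00 src=10.0.5.21 dst=203.0.113.7 dport=443 bytes=1790
2024-05-01T08:15:10 src=10.0.5.22 dst=10.0.1.5 dport=443 bytes=400
2024-05-01T08:16:00 src=10.0.5.23 dst=198.51.100.9 dport=443 bytes=52000
"""


def parse_kv(line):
    """Parse a 'timestamp key=value ...' log line into a dict (timestamp under 'ts')."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def vendor_for(mac):
    """Return the vendor for a MAC's OUI, or None if the OUI is not a known IoT vendor."""
    return OUI_VENDORS.get(mac.upper()[:8])


def find_shadow_iot(lease_text):
    """Leases from IoT vendor OUIs whose MAC never went through onboarding."""
    shadow = {}
    for line in lease_text.splitlines():
        rec = parse_kv(line)
        mac = rec["mac"].upper()
        vendor = vendor_for(mac)
        if vendor and mac not in INVENTORY:
            shadow[rec["ip"]] = {"mac": mac, "host": rec["host"], "vendor": vendor}
    return shadow


def find_call_home(flow_text, watched_ips, min_flows=3):
    """External (src, dst, dport) tuples a watched IP hits at least min_flows times."""
    counts = defaultdict(int)
    for line in flow_text.splitlines():
        rec = parse_kv(line)
        if rec["src"] in watched_ips and not rec["dst"].startswith(CORP_PREFIXES):
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_flows}


def report(lease_text=DHCP_LEASES, flow_text=FLOWS):
    """Run both checks and return (shadow devices, their call-home tuples)."""
    shadow = find_shadow_iot(lease_text)
    beacons = find_call_home(flow_text, set(shadow))
    return shadow, beacons


if __name__ == "__main__":
    shadow, beacons = report()
    for ip, info in shadow.items():
        print(f"shadow IoT: {ip} {info['mac']} ({info['vendor']}, host {info['host']})")
    for (src, dst, dport), n in beacons.items():
        print(f"call-home: {src} -> {dst}:{dport} seen {n} times")
```

The onboarded meeting-room panel and the laptop are left alone; only the bulb that never appeared in the inventory is flagged, and its repeated connections to one external host are reported separately so the two findings can be triaged on their own. The flow threshold is deliberately low for the sample; tune `min_flows` and the window to the volume of real data.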