ChatGPT Amplifies IoT, Edge Security Threats
ChatGPT can be a useful customer service agent. Unfortunately, customers aren’t the only ones it helps, especially now that ChatGPT sits on many IoT and edge devices.
The Internet of Things (IoT) and edge computing have vexed enterprise security efforts for years now. Given the added complexities of work-from-home and hybrid work arrangements, the situation has considerably worsened recently. Now comes ChatGPT to sit atop most IoT and edge devices, effectively adding a welcome beacon -- or even a helping hand -- to threat actors everywhere.
“Existing vulnerabilities, especially in the context of AI and ChatGPT-enabled or assisted attacks against edge devices and users, can be leveraged against businesses in different ways,” says Jim Broome, President and CTO at DirectDefense.
Despite variances in vulnerabilities and diverse efforts to exploit them, threats from the edge originate from one of two IoT realms: home IoT and enterprise IoT.
In many cases, employee home networks and the data therein are the preferred targets for threat actors.
“Once inside the home network, attackers can then pivot back into the corporate network, potentially compromising sensitive business information via a ‘blessed user or home network,’” Broome says.
But that’s not to say that enterprise IoT and edge devices are locked tight against more direct intrusions.
“Ransomware threat actors, for example, can exploit IoT vulnerabilities as a starting point to carry out their malicious campaigns, potentially causing significant damage and disruption to business operations,” Broome adds.
The Evolving Threatscape in Enterprise IoT
IoT and edge computing usage is up, both on the home and enterprise fronts. While IoT is a highly fragmented market, a view of even a few categories underscores the continued and unfettered growth across the board. Gartner pegs spend on IoT in the enterprise space and across key industries at over $268 billion in 2022. Deloitte projects worldwide spending on software and hardware related to IoT to rise to $1.1 trillion this year.
But the challenges aren’t just tied to the growing number of IoT and edge devices being purchased and deployed. An increasing variety in the types of IoT is causing issues, too.
“The diversity of edge and IoT devices, ranging from switches, routers, and sensors to point-of-sale systems, industrial robots, and automation equipment, also adds an additional layer of complexity and security vulnerability due to the variations in protocols, functions, and security capabilities,” explains James Joonhak Lee, a senior manager in Deloitte’s US Cyber & Strategic Risk practice.
If you think vendors and buyers have gotten better at securing these devices after all this time, think again. Botnet armies and DDoS attacks frequently spring from unprotected IoT devices seemingly as innocuous as hotel lobby aquarium thermostats, home smart refrigerators, and company coffee pots in break rooms.
“IoT devices in particular, and edge devices in general, are the most vulnerable within an organization,” says John Gallagher, VP of Viakoo Labs, a research unit focused on IoT and OT security management.
Where Home and Work Dangers Meet
IoT and edge computing spawn vulnerabilities elsewhere, too. For example, an ever-expanding edge-computing space compounds security problems for enterprises -- especially on the border between enterprise and consumer usage.
“Modern image archive systems, called PACS, connect scanners like an ultrasound or a CT scanner with patient management systems,” explains Dirk Schrader, VP of Security Research at Netwrix. “Currently, PACS servers become more and more connected to the public internet, so that patients and physicians can access the data. Quite often even basic precautions are not in place for these IT infrastructures. They are not hardened.”
Growing enmeshment between enterprise and consumer IoT and networks blurs the boundaries and sharply defines the opportunities for attackers.
Dangers and damages flow both ways, too.
“At the moment, there are about 200 of such unprotected archives [PACS servers] connected to the public internet within the US alone. Attackers can exploit them, exfiltrate or encrypt the data to extort the organization, use the data to run medical insurance fraud against the patients, or change the medical imagery so the process itself is corrupted,” Schrader says.
But this crossroads between consumer and professional connections is not the only collision point for enterprises. The things themselves have cross-uses that are open to attack. Autonomous vehicles, for example, exist in both commercial and consumer versions. Attacks are easily transported to the enterprise and the user whether the vehicles are a commercial fleet, a vehicle for rent or hire, or owned by a worker begrudgingly returning to work in the office again.
And then there is the steady march of home IoT -- from nanny cams to smart meters and kids’ toys -- on the occupant’s employer.