You are here
The Internet is becoming a network of "things" instead of a network of traditional computers. These things can range from smartphones and tablets, to the devices that control HVAC systems, to the router that provides wireless Internet to your home. This subclass of Internet things is called embedded devices, and they are becoming more popular among convenience store businesses of all sizes.
Embedded systems are small computers that exist to perform a specific task. They can control weather stations or run the onboard systems in your car. C-stores may use them to control the lights and heat in the store.
While these embedded devices bring convenience and flexibility to c-store owners and their employees, they also may bring a variety of security issues.
As an "ethical hacker," I am often hired to perform penetration tests on businesses’ networks and applications. Penetration testing helps business leaders identify and remedy security vulnerabilities within their networks, applications and databases before criminals can exploit them. When I perform a test, I use the same tactics a real criminal would use so that the business knows exactly what it needs to fix.
In early 2013, a business in the oil and gas industry hired me to perform a penetration test on its network. The test included reviewing an embedded device that measures the level of fuel in the underground tanks at gas stations. To accomplish this task, the device has to be connected to the network so the fuel vendor can check these tank levels.
During the test, I found a series of undocumented vulnerabilities that allowed me to compromise the fuel controller within just 90 minutes. The device itself served as a jumping point for my attack; once I had compromised the device, I gained access to the company’s network and all of the computers connected to it. From there, it would have been trivial to obtain any sensitive data stored on company servers, including credit card data, social security numbers, intellectual property and other personal information.
Since embedded devices aren’t traditionally thought of as computers, they are typically overlooked when it comes to security, leaving a door open to cybercriminals looking to steal information.
So, what can you do to protect your network?
- Install a firewall and limit who can access it. Treat any embedded devices (or anything connected to your network, for that matter) as a possible entry point for an attacker. Generally speaking, only authorized users should be able to connect to embedded systems. If the entire Internet doesn’t need access to it, be sure to limit access using a firewall.
- Secure remote access. Deploy security technology that monitors who has access to the network and only gives access to specific users. You should also use two-factor authentication when users connect to the network.
- Ensure devices are tested for security flaws. Many companies overlook embedded devices when looking to perform penetration tests on their networks, databases and applications. Penetration testing on embedded devices is essential in helping businesses find and fix security weaknesses before it’s too late.
- Stay up-to-date on patches and updates from the vendor. Keep in touch with the embedded device developer and make sure you stay current with any security patches. Once a new security patch comes out for your device, make sure you install it.
- Make sure default passwords are changed. Oftentimes, embedded devices come with publicly known usernames and passwords. These are set at the factory and provided so you can log into the device and change settings. Be sure that any and all default accounts are changed before the device is connected to the network. Also, make sure to use strong passwords that include a combination of letters and numbers and are at least eight characters. Pass-phrases are the best option, with a combination of upper and lower case letters such as “Mydogisnamedbuck.”
- Bring in an outside team of security experts. Network management and monitoring can be complex and time consuming. Consider augmenting your staff by partnering with a managed security services provider that can install, fine-tune and manage your security controls and policies.