[Reading time - 2 minutes 45 seconds]
What would you think if the CEO of Apple came out and said, "Nobody really wants to hack us." Or the CEO of Google said, "Attackers aren't interested in targeting us." Or the CEO of Amazon said, "We're not on any attacker's radar screen."
It would be very surprising--probably shocking--to hear a CEO in today's cybersecurity environment say that attackers are not interested in them. But that's exactly what happened recently. Could it be true that attackers are not interested in this particular company? Or is this CEO just naive?
A new startup called View manufactures and installs "smart windows" that automatically adjust to sunlight and glare. These blue-tinted windows are not cheap: they cost about five times as much as traditional glass windows. However, View windows have several advantages. Of course, they reduce cooling costs by blocking heat from sunlight. And they can eliminate the needs for blinds or window treatments. Also, if a criminal breaks one of the windows, police can immediately be notified. Finally, View windows allow more people to fit into a building. Because View windows reduce glare and heat from the sun, employees can be seated in areas that they could not normally due to the heat and glare. One organization that is installing View windows will be able to put the same number of employees in one-third of the space.
All View windows are interconnected: they are attached to the organization's local area network (LAN) through which they can then be accessed over the Internet. In fact, each View window has its own IP address. This enables the windows to also be controlled by an app on a smartphone.
Now back to the CEO and his statement. The View CEO recently said about View windows as quoted in the Wall Street Journal, "The good news is the window's not that interesting to hack."
Sorry, but I very much disagree.
There are three reasons why View windows ARE interesting to attackers to hack.
1 - ENTRY POINT INTO THE OWNER'S CORPORATE NETWORK.
Internet of Things (IoT) devices, like View windows, are very much the target of attackers because these devices lack security. Earlier this week (Aug 5 2019) the Microsoft Threat Intelligence Center said that attackers working for the Russian government have been using printers, video decoders, and similar IoT devices as a beachhead or entry point to penetrate targeted computer networks. “These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” Microsoft said. In other words, these IoT devices with little or no security allowed an attacker an entry point into the network. Attackers would then pivot to move through the network in search of higher-privileged accounts that would grant access to higher-value data.
So, a company that has View windows installed are creating an entry point into their own corporate network for attackers.
2 - ATTACK POINT AGAINST OTHER NETWORKS
For several years threat actors have compromised unprotected IoT devices and then gathered them into a botnet. These botnets are used to attack other devices or networks. Most notably, IoT-based botnets have been used to launch distributed denial of service or DDoS attacks.
So, a company that has View windows installed could find that these windows are a launching point for other attacks.
3 - BACKFLOW INTO VIEW'S OWN NETWORK.
You can go to the View website and download the "View Dynamic Glazing Integrated Control Network - Reference Section 25 13 00" to check out their View window security. You'll see that View requires that all their Windows have remote connectivity back to View's headquarters for View to "commission, configure, monitor, and maintain the system." In this document there are a list of different options that an organization can use for allowing this remote access. However, an attacker who can circumvent these protections can "backflow" back into the View network. That's right: because the View windows are remotely connected back to View's own network, an attacker could compromise the View window belonging to another company and then sneak back into View's own network to infect it.
So, View windows could allow an attacker entry into View's own network.
The CEO of View said, "The good news is the window's not that interesting to hack."
The bad news is that View windows ARE very interesting to hack. The worse news is that View is evidently not taking these risks very seriously.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.