Remediation for IP phones and IoT devices

[Rurrugaw]

I work in a Cybersecurity organization. Last week we discovered that many IP addresses for VoIP phones and "Internet of Things" (or IoT) devices like IP cameras were trying to contact forbidden IPs out on the internet. For regular computers advertising deleted - moderator, the remediation for this would have been to conduct a Complete Virus Scan or a re-imaging of the affected device.

Not so simple for IP phones or other IoT devices such as IP cameras. We had come to a heated discussion about these in a meeting as there had been no standardized process to remediate these.

What has been your experience in your companies, organization, or from professional education as to what the best practice is in remediating IoT (or non-PC) devices?

Thanks in advance for your opinion.

 

[unclejed613]

keep known good copies of firmware images for all of the devices, and check with the manufacturer often for security updates. sandbox everything before deployment, and make sure there's no unusual behavior to begin with. insure the firmware settings are as locked down as you can get them. there have been a bunch of IoT botnets, some of them use up cpu time and resources for mining bitcoin, and some of them try to exfil data from machines in the local network. wherever possible, try to use IoT devices that have open source firmware and software on them. if you have a proprietary "blob" in a piece of equipment, you have no way of knowing exactly what it is doing, and who it's "phoning home" to. with open source code, you can have the code audited for security. look up on youtube for DEFCON, BlackHat, and C3 IT security conferences to get a good overview of what to look for.

 

[Dr_Doggy]

forbidden IPs ?you mean nickey-nine door is illegal?

do you feel this was an attack? was there dangerous payload attached?
sometimes when i try to set the email alert on my camera i give up half way through and leave whatever settings i muddled in there...
sometimes my isp changes my ip and i spend an hour pinging trying to figure out why i cant get home. .. now my server runs special monitor to email me on ip changes, it also datalogs anything sent up the port

but camera doesnt run apps... an i dont much see them getting hijacked firmware uploaded to it ... is this what you are suspecting?

i like app permissions on my cellphone, it stops my games from using tonns of background data....
and the knox bit which tells me if phone is rooted.

 

[ronsimpson]

but camera doesnt run apps... an i dont much see them getting hijacked firmware uploaded to it ... is this what you are suspecting?

There is information about network printers getting new software and doing bad things with out being told to update. (could be fake news)
I think a camera could do a denial of service attack. It could send large amounts of data to some company unless they pay money. Its not one camera but thounds that take down a system.

 

[Nigel Goodwin]

Advertising spam thread locked