Exploit IoT devices and how to prevent via MDE | Enterprise IoT

MDE | Device Discovery

Microsoft Defender for Endpoint (MDE) devices scans the corporate network for different type of devices:

• Computers & mobile (supported O.S.; Windows, Mac, iOS & Android)
• Network devices
• IoT devices

The device discovery is enabled by default and cannot be disabled, only set in passive mode instead of active mode.

You cannot protect what you don’t know

The device discovery feature is part of the MDE P2 (or Microsoft 365 E5) license and gives insights in devices connected to the corporate network (asset inventory).

Enterprise IoT plan

The Enterprise IoT plan is an add-on license (30-day trial or licensed $65 per 100 devices/month) to enrich the devices with risk level (threat protection) and exposure level (threat prevention).

A 2nd component of the Enterprise IoT plan is the EIoT sensor which can scan the network for IoT devices via the SPAN port of the switch, often used in network segments without MDE devices.

Pro-tip: for Industrial IoT and OT devices it is better to use Microsoft Defender for IoT with the OT sensor deployed (out-of-scope of this blog).

Exposure Level

The exposure level gives valuable insights of security vulnerabilities of IoT devices. For example the device below has an outdated firmware version.

If we look deeper in the vulnerability, we see the CVE’s including score and Threats, for example CVE-2019–15993 has a public exploit available marked by the red Threat insights ‘bug’.

To mitigate the risk, it is important to update the software (including firmware) for the devices to the latest version to prevent exploits of the vulnerabilities and prevent unauthorized access to enterprise systems.

Exploit

To showcase how easy it is for anyone to exploit a vulnerability, see the exploit demo below in which we compromise the device username and password and gain access:

• Nmap <IP>; results port 80 & 443
• Access HTTP(s); access requires username & password but we could see it’s a Cisco Switch
• Google for Cisco vulnerabilities; found CVE-2019–15993
• Download the PoC and run the python script; output username & password
• Access the Cisco Management console with the exploited username & password

Pro-tip: in this demo the password was in the password list but if the password is not in the list the SHA1 hash is presented and can be easily decrypted via online toolkits, see the example

I hope this blog gives insights in the importance of keeping ALL devices including IoT devices up-to-date with the latest firm- and software and how the MDE | Enterprise IoT plan can help with valuable insights.

Disclaimer: Authenticated SNMP scan for network devices includes risk and exposure level as part of the MDE P2 license.