A report released in May by cloud security firm Zscaler discovered that consumer-class Internet of Things (IoT) devices continue to proliferate within enterprise networks and revealed that these IoT devices are exposing companies to a variety of cyber-attacks. The 2019 IoT Threats Report study was conducted by researchers at ThreatLabZ, an embedded team in Zscaler.
With the aim of examining how vulnerable the average enterprise is to IoT cyberattacks today, the researchers gathered IoT device usage data over a period of one month from more than 1,000 enterprise organizations that are currently running at least one IoT devices in their network.
They found that many consumer devices were prevalent in these corporate settings – the top four IoT devices most often seen in the study were: set-top boxes, smart TVs, smart watches, and media players.
Another report released in August by Microsoft stated that Russian state-sponsored hackers are exploiting the weaknesses of various vulnerable IoT devices in the office to breach enterprise networks.
A blog alert published by Microsoft’s Security Response Center exposed hacking efforts that it attributed to the Russia-based hacking group known as Strontium (aka Fancy Bear), which is thought to be behind the infamous Democratic National Committee (DNC) hack in 2016, and several other cyberattacks since.
In April this year, researchers in the Microsoft Threat Intelligence Center, one of the tech giant’s cyber-security divisions, discovered that hackers were compromising three popular IoT devices – a VoIP phone, an office printer, and a video decoder across multiple customer locations to breach computer networks.
Here are the top three risk factors that consumer devices bring to enterprise networks:
The common use of default and easy passwords is a weakness many malware families such as Mirai, Gafgyt, and Hakai like to exploit when targeting IoT devices. "Often, the IoT malware payloads contain a list of known default username/password names, which, among other things, enables one infected IoT device to infect another," the Zscaler report noted.
The Microsoft alert highlighted the same problem saying, “The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.”
The Zscaler study found that the organizations examined were running 270 different IoT device profiles from 153 different IoT manufacturers and that these devices were pumping out 56 million device transactions over the course of a single month – and most of this IoT data is unencrypted.
Researchers found that 91.5% of IoT transactions were unencrypted (conducted over a plaintext channel), 41% of devices did not use Transport Layer Security (TLS) at all, 41% used TLS only for some connections and only 18% used TLS encryption for all traffic. Devices that don't encrypt their connections are particularly vulnerable to Man-in-the-middle (MitM) attacks.
Lack of Robust Policy
Both the Zscaler and Microsoft reports show that the risks presented by consumer IoT devices to enterprise networks are reminiscent of, and related to, the bring-your-own-device (BYOD) challenges that were first presented by the early days of the smartphone boom back in 2010.
Unfortunately, many enterprises are still not paying attention. Another study released by Ponemon Institute in May found that only 5% of organizations say they keep an inventory of all managed IoT devices, 49% of enterprises do not regularly scan for IoT devices in the workplace, and only 8% say they have the capability to scan for IoT devices in real-time.
IoT Is Here to Stay
Consumer IoT devices can’t be kept out of the workplace because employees simply can’t live without them – the reality of modern employment is that our work and personal lives are enmeshed in complex ways. Therefore, organizations need to focus on how to not only accommodate but also make the most of this BYOD phenomenon, without compromising their enterprise networks. This calls for careful systems planning and deliberate cybersecurity measures to keep the cybercriminals out.
Need help with effects of IoT devices in your business?
Let the professionals at ASB Resources help you. As a four-time nominee to the Inc. 5000 list, we have the expertise to help your organization leverage the power of IoT devices in the workplace without allowing them to compromise the cybersecurity of your enterprise networks. Schedule a chat with one of our experts today!