Security firm finds a fridge and a smart lamp connected to corporate networks
Half of all the IoT devices interacting with business networks are actually consumer devices, many of which have inadequate security.
The figure comes from cybersecurity firm Zscaler, whose own platform was at one point last year blocking more than 2,000 IoT-based malware attempts a month. That number has since risen sevenfold, to 14,000 attempts every month.
A key finding from the firm's analysis of IoT traffic is that, as enterprises embrace connected and mobile workforces, enterprise and personal devices are being mixed together, with workers using both at home and at work. Much of the IoT traffic identified on enterprise networks is generated by unauthorised devices such as smart home appliances, digital home assistants and smart watches.
Zscaler notes that: “What this tells us is that employees inside the office might be checking their nanny cam over the corporate network. Or using their Apple Watch to look at email. Or working from home, connected to the enterprise network, and periodically checking the home security system.”
This opens up a range of vulnerabilities: according to Zscaler, 83 percent of IoT transactions take place over plaintext channels and only 17 percent over encrypted SSL/TLS, which makes it easier for an adversary on the path to mount a man-in-the-middle attack or simply sniff the traffic.
Consumer IoT Connecting to Business Networks
IoT device use is expected to grow exponentially, with IoT Analytics predicting that the number of IoT devices in 2025 will hit 11 billion.
Zscaler crunched the numbers on nearly 500 million transactions coming from more than 2,000 organisations over two weeks.
When they looked at the type of IoT device used they found that more than half of the devices were related to set top boxes and smart TVs.
The majority of the traffic, however, came from data collection terminals, which accounted for 56 percent of the traffic recorded. Overall, 41 percent of the devices analysed were not using SSL/TLS.
Zscaler notes that: “This would be an enormous blind spot in an organization with a more legacy approach to networking and security since organizations should be inspecting all encrypted traffic.”
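The plaintext-versus-encrypted split quoted above (83 percent of transactions in the clear, 41 percent of devices never using SSL/TLS) is the kind of figure a defender can reproduce for their own site from flow logs. The script below is an added example, not Zscaler's code or data: it takes records in the column layout of a Zeek conn.log (constructed inline here), classifies each flow as encrypted or plaintext, and reports the share of cleartext traffic plus the devices that never completed a TLS flow. The port table for IoT protocols (HTTPS, MQTT and MQTT-over-TLS, CoAP and CoAP-over-DTLS, Telnet, RTSP) is an assumption; the analyser's own protocol label is trusted over the port where one exists.

```python
"""Added example: measure how much of a site's IoT traffic is cleartext.

Input is constructed here in the column layout of a Zeek conn.log
(tab-separated: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
service). Nothing here is Zscaler's code or data; the port table is an
assumption about common IoT protocols.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed port heuristics for IoT-heavy protocols. TLS-wrapped variants
# (HTTPS, MQTT-over-TLS, CoAP-over-DTLS, SSH) count as encrypted; their
# cleartext counterparts plus Telnet, RTSP and FTP count as plaintext.
ENCRYPTED_PORTS = {443, 8883, 5684, 22}
PLAINTEXT_PORTS = {80, 1883, 5683, 23, 554, 21}
PLAINTEXT_SERVICES = {"http", "mqtt", "telnet", "ftp", "rtsp"}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    service: str  # Zeek service label(s), comma-separated, "-" if undetected


def parse_conn_log(text: str) -> List[Flow]:
    """Parse the eight leading conn.log columns, skipping '#' header lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        flows.append(Flow(float(cols[0]), cols[2], cols[4], int(cols[5]),
                          cols[6], cols[7]))
    return flows


def classify(flow: Flow) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for one flow.

    A protocol label from the analyser's own detection wins over the port:
    'ssl' means a TLS handshake was observed on any port, and an
    'http'/'mqtt'/'telnet' label means cleartext even on an unusual port.
    Flows that match neither are reported as unknown rather than guessed.
    """
    services = set(flow.service.split(","))
    if "ssl" in services:
        return "encrypted"
    if services & PLAINTEXT_SERVICES:
        return "plaintext"
    if flow.dport in ENCRYPTED_PORTS:
        return "encrypted"
    if flow.dport in PLAINTEXT_PORTS:
        return "plaintext"
    return "unknown"


@dataclass
class Summary:
    encrypted: int
    plaintext: int
    unknown: int
    plaintext_share: float             # plaintext / (plaintext + encrypted)
    plaintext_only_devices: List[str]  # sources that never completed a TLS flow


def summarise(flows: List[Flow]) -> Summary:
    totals = {"encrypted": 0, "plaintext": 0, "unknown": 0}
    per_device: Dict[str, Set[str]] = defaultdict(set)
    for flow in flows:
        kind = classify(flow)
        totals[kind] += 1
        per_device[flow.src].add(kind)
    classified = totals["encrypted"] + totals["plaintext"]
    share = totals["plaintext"] / classified if classified else 0.0
    # A device with plaintext flows and no encrypted ones is the sniffing
    # target the article describes; sorted for stable output.
    plaintext_only = sorted(src for src, kinds in per_device.items()
                            if "plaintext" in kinds and "encrypted" not in kinds)
    return Summary(totals["encrypted"], totals["plaintext"], totals["unknown"],
                   share, plaintext_only)


# Constructed sample: five IoT devices in 10.20.0.0/24 talking to vendor clouds.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    ("1583000001.1", "C1", "10.20.0.11", "51000", "52.1.1.10", "443", "tcp", "ssl"),
    ("1583000002.2", "C2", "10.20.0.11", "51001", "52.1.1.10", "80", "tcp", "http"),
    ("1583000003.3", "C3", "10.20.0.12", "40000", "34.2.2.5", "1883", "tcp", "-"),
    ("1583000004.4", "C4", "10.20.0.12", "40001", "34.2.2.5", "1883", "tcp", "-"),
    ("1583000005.5", "C5", "10.20.0.13", "33000", "203.0.113.9", "23", "tcp", "telnet"),
    ("1583000006.6", "C6", "10.20.0.14", "44000", "52.1.1.11", "8883", "tcp", "ssl"),
    ("1583000007.7", "C7", "10.20.0.14", "44001", "52.1.1.11", "443", "tcp", "ssl,http"),
    ("1583000008.8", "C8", "10.20.0.15", "45000", "198.51.100.7", "554", "tcp", "-"),
    ("1583000009.9", "C9", "10.20.0.15", "45001", "198.51.100.7", "9000", "tcp", "-"),
])

if __name__ == "__main__":
    s = summarise(parse_conn_log(SAMPLE_CONN_LOG))
    print(f"encrypted={s.encrypted} plaintext={s.plaintext} unknown={s.unknown}")
    print(f"plaintext share of classified flows: {s.plaintext_share:.0%}")
    print("devices that never used TLS:", ", ".join(s.plaintext_only_devices))
```

Two caveats when reading the output against Zscaler's numbers. Their figures are per transaction through a cloud proxy, whereas this counts flows, so a chatty telemetry device weighs more here. And flows that match neither a protocol label nor a known port are kept in a separate "unknown" bucket rather than silently counted as encrypted; a vendor protocol on an arbitrary high port is exactly the traffic a legacy perimeter never inspects.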
The manufacturing and retail industries generated the most IoT traffic volume at 56.8 percent. In manufacturing and retail verticals, the Zscaler team identified 57 different device types from 20 manufacturers, including 3D printers, geolocation trackers, industrial control devices, automotive multimedia systems, data collection terminals, and payment terminals.
Two of the more unusual devices the firm found connecting to the cloud were a Samsung smart refrigerator that can stream music and video from a user's phone to a screen on the fridge door, and a piece of furniture containing a smart media player and a controllable lamp.
Amid the seemingly intractable problem of poor consumer IoT security, the UK confirmed last month that it plans to mandate a minimum of three security requirements for consumer Internet of Things (IoT) devices.
The three requirements oblige original equipment manufacturers to ensure that all device passwords are unique and cannot be reset to a universal factory default; to provide a clear point of contact for vulnerability disclosure; and to state explicitly for how long their IoT products will receive security updates.
Critics have suggested that enforcement is likely to be weak.