It is often quite easy for individuals to add internet-connected devices or networks of devices to corporate networks without IT’s knowledge or approval. These devices range from personal fitness trackers or digital assistants to small networks of smart home devices connected wirelessly to each other. Typically users are adding these devices for personal convenience or to help them do their job, without understanding that they are potentially adding risk to the enterprise environment. And today, the vast majority of these devices are not secure by design.
As part of our IoT division we have advanced evaluation Labs in Switzerland that review hundreds of products per year, breaking them down to the silicon to analyze potential vulnerabilities in both hardware design and the firmware that controls the device. From this experience, we have found that all of them have identifiable security flaws which increase the risk of compromise - weak device passwords or passwords stored in the clear, no data encryption, or unpatched software vulnerabilities. Many of them even have built-in security measures in their components, but fail to implement them. Additionally, a long-term security strategy for these devices is often an afterthought. This is especially true for consumer-oriented IoT devices that are likely to be the bulk of shadow IoT devices on a network. Because these devices can often be easily compromised remotely and are already attached to corporate networks, they represent an easy attack vector to access more valuable corporate assets. Our IoT team regularly advises product manufacturers on a ‘security by design’ approach that not only helps define a secure product architecture but also to plan ahead for ongoing security lifecycle management for their devices and ecosystem.
Insecure IoT devices can provide a point of initial access to corporate networks. Often this is as simple as logging in to internet-facing management consoles on one of these devices using default credentials that have not been changed. From there attackers may be able to use the devices to conduct reconnaissance, move laterally or even launch certain attacks inside the organization. For example, there is a North American casino where the facilities management people installed a connected fish aquarium without consulting their IT department. A creative hacker used a vulnerability (WiFi password stored in the clear) to penetrate the casino’s internal networks.
Yes. There are well-publicized instances of large-scale attacks that exploited consumer-oriented IoT devices, namely the Mirai and RIFT botnets. Whether IoT devices are sanctioned or unsanctioned by IT, they represent a risk to organizations which should be identified, analyzed and mitigated.
Visibility is the first step for either prevention or remediation of a shadow IoT problem. Organizations must understand what devices are connected to their networks before they can effectively address the challenge. Our philosophy is to build in security and effective management from the start, but there are a number of IoT-focused tools on the market that enable visibility and provide some context for how much risk is posed by a particular IoT device. With this knowledge, organizations can develop and apply a policy-based approach to isolate or block unknown IT and IoT devices which attempt to connect to corporate networks. As an example, many organizations allow these devices to connect but only to a network segment specifically for untrusted devices that has no access to corporate resources.
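The visibility-then-policy approach described in that answer can be shown as a small triage script. This is an added example, not code from the interview or the interviewee's company: it reconciles DHCP lease records (modelled on the ISC dhcpd `DHCPACK` log line, with constructed contents) against an asset inventory, and places anything not inventoried on an untrusted segment. The `KNOWN_ASSETS` inventory, the `OUI_HINTS` prefix table and the hostname keywords are all constructed placeholders; a real deployment would pull the inventory from a CMDB or NAC system and use a genuine OUI database.

```python
"""Shadow-IoT triage: reconcile DHCP leases against an asset inventory.

Added example, not part of the original interview. Lease lines follow the
ISC dhcpd DHCPACK format; all MACs, OUI prefixes and hostnames are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Constructed sample inventory: MAC -> (owner, device class).
KNOWN_ASSETS = {
    "00:11:22:33:44:55": ("it", "workstation"),
    "00:11:22:33:44:56": ("it", "printer"),
}

# Constructed OUI-to-class hints (placeholder prefixes, not real vendor assignments).
OUI_HINTS = {
    "aa:bb:cc": "consumer-iot",
    "dd:ee:ff": "mobile",
}

# Hostname fragments that suggest a consumer device when no better signal exists.
HOSTNAME_HINTS = ("aquarium", "thermostat", "camera", "fitbit", "speaker")


@dataclass
class Decision:
    mac: str
    ip: str
    hostname: str
    device_class: str
    vlan: str      # "corp" for inventoried assets, "untrusted" for everything else
    reason: str


def classify(lease_line, known_assets=KNOWN_ASSETS, oui_hints=OUI_HINTS):
    """Return a Decision for one DHCPACK line, or None if the line is not a lease."""
    m = LEASE_RE.search(lease_line)
    if not m:
        return None
    mac = m.group("mac").lower()
    host = (m.group("host") or "").lower()
    ip = m.group("ip")

    if mac in known_assets:
        owner, cls = known_assets[mac]
        return Decision(mac, ip, host, cls, "corp", f"inventoried asset owned by {owner}")

    # Unknown device: derive a best-effort class from the OUI, then from the hostname.
    cls = oui_hints.get(mac[:8], "unknown")
    if cls == "unknown" and any(h in host for h in HOSTNAME_HINTS):
        cls = "consumer-iot"

    # Policy: unknown devices may connect, but only to the isolated untrusted segment.
    return Decision(mac, ip, host, cls, "untrusted", "not in asset inventory")


def triage(log_lines):
    """Classify every lease line, skipping non-lease log entries."""
    return [d for d in (classify(line) for line in log_lines) if d is not None]


def segment_summary(decisions):
    """Count how many devices land on each segment."""
    return dict(Counter(d.vlan for d in decisions))


# Constructed sample log; index 4 is a DHCPDISCOVER and is intentionally skipped.
SAMPLE_LOG = [
    "Jun  1 10:00:01 dhcpd: DHCPACK on 10.10.1.20 to 00:11:22:33:44:55 (ws-finance-07) via eth0",
    "Jun  1 10:00:05 dhcpd: DHCPACK on 10.10.1.21 to aa:bb:cc:01:02:03 (fishtank-hub) via eth0",
    "Jun  1 10:00:09 dhcpd: DHCPACK on 10.10.1.22 to 12:34:56:78:9a:bc (living-room-thermostat) via eth0",
    "Jun  1 10:00:12 dhcpd: DHCPACK on 10.10.1.23 to 12:34:56:78:9a:bd via eth0",
    "Jun  1 10:00:15 dhcpd: DHCPDISCOVER from 12:34:56:78:9a:be via eth0",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for d in results:
        print(f"{d.mac} {d.ip:<12} {d.hostname or '-':<24} {d.device_class:<13} -> {d.vlan} ({d.reason})")
    print(segment_summary(results))
```

The segment assignment is deliberately binary: anything the inventory does not vouch for goes to the untrusted segment regardless of how benign its hostname looks, and the device-class guess is only a hint for whoever reviews the quarantine list. That keeps the policy decision tied to the one thing the organization controls (its inventory) rather than to heuristics a device can spoof.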
Identify the most likely security risks and their potential impact.