Internet of Things: A security threat to business by the backdoor?

Tech chiefs are worried by the threat posed by IoT devices, which could provide a new way of attacking corporate networks.
Written by Steve Ranger, Global News Director
The rise of the Internet of Things (IoT) has already sparked concerns about privacy: now security pros are worried that badly configured gadgets might provide a backdoor for hackers looking to break into corporate networks.

The rise of the IoT could lead to all sorts of devices being connected to the internet, from smart energy meters, lighting or air conditioning systems through to that perennial industry darling the smart fridge.

Research firm IDC predicts there will be over 28 billion IoT devices installed by 2020, while fellow analyst Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30 per cent from 2014, and will reach 25 billion by 2020. But this expansion in connectedness brings new security threats.

The chair of the Federal Trade Commission warned recently that the small size and limited processing power of many connected devices could limit the use of encryption and other security measures; it may also be difficult to patch flaws in low-cost and essentially disposable IoT devices.

IoT: an open backdoor

Now, research from security company Tripwire suggests that firms are worried about buggy IoT gadgets, which could provide a backdoor into their corporate networks.

According to Tripwire's survey, two thirds of executives who responded said that business efficiencies will force them to adopt IoT devices despite the security risks. However, only a third of CISOs expect to receive additional funding to mitigate these risks in the next 12 to 24 months.

More than half of the executive-level respondents said that the deployment of IoT devices is ahead of the technology necessary to protect them. Nearly three quarters (71 percent) of executives believe that the security needed to lock down IoT devices is between 12 and 24 months behind the deployment of these devices.

Less than half of the IT professionals surveyed have confidence in the secure configuration of IoT device types. Even fewer think that more exotic types of IoT device can be secured.

As a result, IoT devices will make it easier for attackers to gain access to corporate networks, Tripwire claims.

It's far more likely that employees will be infected with malware outside the enterprise said Craig Young, security researcher for Tripwire, warning that employees routinely use smartphones and tablets on untrusted networks or download suspicious apps from third-party app stores.

"These devices are now used to control and charge IoT devices, which are not designed with security in mind. The risk of cross contamination from home networks can be very serious unless enterprises strictly enforce security controls," he said.

"Many IoT devices plug into computers via USB for charging, and USB is a very common attack vector," added Young. "It's quite easy to imagine IoT malware designed to exploit known vulnerabilities in USB."

"The reality is that there is relatively little guidance on how to configure peripheral network devices and there is a surprising lack of configuration standards for everything else, especially IoT, ICS and SCADA devices," said Adam Montville, SCM analyst for Tripwire. The company surveyed 404 IT professionals and 302 CISOs, CIOs and director-level IT management in the UK and the US.

Editorial standards