IoT security fail: The weird devices that employees are connecting to the office network

Researchers warn that there are more and more unauthorised connected devices on corporate networks - and that they could provide easy pickings for cyber criminals.
Written by Danny Palmer, Senior Writer

Over half of Internet of Things devices connected to enterprise networks are consumer-grade products – and the low levels of protection offered by these devices could potentially be putting businesses at risk from cyberattacks.

Cybersecurity researchers at Zscaler analysed data generated by IoT devices in enterprises and found there has been a surge in unauthorised IoT traffic from devices connected to the network by employees. Staff connect the likes of smart watches and fitness trackers to their enterprise network to make things simpler but these could in turn undermine the security of business networks.

The top unauthorized IoT devices Zscaler observed include digital home assistants, TV set-top boxes, IP cameras, smart-home devices, smart TVs, smart watches, and even automotive multimedia systems.

Analysis of over one billion IoT traffic transactions a month found that 83% of these were happening over plain text channels, with just 17% using encrypted SSL/TLS channels to transmit data.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Devices that transfer traffic in plain text put that data at risk because anyone positioned on the network path can read or alter it: passive traffic sniffing and eavesdropping reveal the contents, including any credentials the device sends in the clear, and man-in-the-middle attacks can tamper with the traffic or impersonate the service the device is talking to.

The majority of websites have stopped sending traffic in plain text due to the associated security concerns, but given that more than four in five IoT transactions still cross the network this way, it seems there's still a long way to go before this part of the network is secure.
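The 83%/17% split above is the kind of figure a network team can reproduce for its own segment. The script below is an added example, not code from the Zscaler report or the ZDNet article: it classifies flows as TLS or plain text from the first bytes the device sends rather than from the destination port, which matters because the constructed sample deliberately includes an HTTP request on port 443. The device labels, IP addresses and payloads are all made up for the example.

```python
"""Classify IoT flows as encrypted or plaintext from the first client bytes.

Added example. The flows below are constructed records, not Zscaler data;
device labels are hypothetical inventory tags.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str         # hypothetical inventory label for the source device
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first bytes the client sent, as a packet capture would show


# TLS 1.0 .. 1.3 record-layer version fields (1.3 still writes 0x0303 on the wire)
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), 2-byte version, 2-byte length,
    then handshake type 0x01 (ClientHello)."""
    if len(data) < 6 or data[0] != 0x16:
        return False
    version = int.from_bytes(data[1:3], "big")
    return version in TLS_VERSIONS and data[5] == 0x01


def classify(flow: Flow) -> str:
    """Return 'tls', 'http-plaintext', 'mqtt-plaintext' or 'unknown'."""
    data = flow.first_bytes
    if is_tls_client_hello(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"
    # MQTT CONNECT: control byte 0x10, one-byte remaining length, then the
    # protocol name "MQTT" with a 2-byte length prefix
    if len(data) >= 8 and data[0] == 0x10 and data[2:8] == b"\x00\x04MQTT":
        return "mqtt-plaintext"
    return "unknown"


def is_plaintext(kind: str) -> bool:
    return kind.endswith("-plaintext")


def summarize(flows):
    """Return (protocols seen per device, plaintext flow count, total flow count)."""
    per_device = defaultdict(set)
    plaintext = 0
    for f in flows:
        kind = classify(f)
        per_device[f.device].add(kind)
        if is_plaintext(kind):
            plaintext += 1
    return dict(per_device), plaintext, len(flows)


def devices_sending_plaintext(flows):
    """Sorted labels of devices with at least one plaintext flow."""
    per_device, _, _ = summarize(flows)
    return sorted(d for d, kinds in per_device.items() if any(is_plaintext(k) for k in kinds))


# Constructed sample flows (addresses from documentation ranges)
SAMPLE_FLOWS = [
    Flow("ip-camera", "10.0.0.21", "203.0.113.5", 443,
         bytes.fromhex("16030100c8010000c40303") + b"\x00" * 8),          # real TLS ClientHello
    Flow("ip-camera", "10.0.0.21", "203.0.113.9", 80,
         b"POST /upload HTTP/1.1\r\nHost: cloud.example\r\n"),
    Flow("smart-tv", "10.0.0.33", "198.51.100.4", 443,
         b"GET /ads?id=42 HTTP/1.1\r\nHost: ads.example\r\n"),            # plaintext on port 443
    Flow("home-assistant", "10.0.0.40", "198.51.100.7", 1883,
         bytes.fromhex("101e00044d5154540402003c") + b"\x00\x12device-0001"),  # MQTT CONNECT
    Flow("smart-watch", "10.0.0.50", "203.0.113.11", 8883,
         bytes.fromhex("1603030090010000 8c0303".replace(" ", "")) + b"\x00" * 8),
    Flow("set-top-box", "10.0.0.60", "198.51.100.20", 8080,
         b"GET /epg HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    per_device, plaintext, total = summarize(SAMPLE_FLOWS)
    for device, kinds in sorted(per_device.items()):
        print(f"{device:15s} {', '.join(sorted(kinds))}")
    print(f"plaintext share: {plaintext}/{total} = {100 * plaintext / total:.0f}%")
    print("devices to review:", ", ".join(devices_sending_plaintext(SAMPLE_FLOWS)))
```

Run against the sample it reports a 4/6 plaintext share and lists every device except the smart watch for review; the smart TV is caught even though it talks to port 443, which a port-based rule would have counted as encrypted. Feeding it real flows means extracting the first client payload bytes from a capture or proxy log, which the example leaves to the reader.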

This is especially the case when you add the ever-growing number of IoT products being used in enterprise networks, whether authorised devices or 'shadow IoT' devices that employees have connected to the network of their own accord. Zscaler said it had blocked 14,000 IoT-based malware attempts per month, seven times more than it recorded in its May 2019 research.

The rise in IoT devices is something hackers are increasingly looking to exploit; large numbers of cheap IoT devices have little or no security, meaning that if they can be reached from the internet, they could provide an attacker with an easy doorway onto a corporate network. Once inside the network, the attacker is free to go about their malicious business.

SEE: IoT security is bad. It's time to take a different approach

That could be anything from corporate espionage and installing malware, to taking control of other IoT devices on the network and forcing them into a botnet for launching distributed denial of service (DDoS) attacks to take down other networks – as demonstrated by the Mirai botnet attacks of late 2016.

"We have entered a new age of IoT device usage within the enterprise. Employees are exposing enterprises to a large swath of threats by using personal devices, accessing home devices, and monitoring personal entities through corporate networks," said Deepen Desai, vice president of security research at Zscaler. 

"As an industry, we need to implement security strategies that safeguard enterprise networks by removing shadow IoT devices from the attack surface while continuously improving detection and prevention of attacks that target these devices," he added.

One way in which IoT devices can be made more secure from outside interference is by users changing the default password the product ships with; factory credentials are published in manuals and harvested by malware such as Mirai, which spread by logging in to devices with well-known default usernames and passwords.
