Rogue IoT devices are putting your network at risk from hackers

'Shadow IoT' devices are creating security holes within organisations that cyber criminals are looking to exploit.
Written by Danny Palmer, Senior Writer

Employees are bringing their own Internet of Things connected devices to the workplace and could be putting organisations at risk from cyberattacks because enterprise security teams aren't always aware that these devices are connected to the network.

People are increasingly turning to IoT products like fitness trackers, smart watches, medical devices and more in their everyday lives and in many cases they're connecting them to enterprise networks, but often they're doing this without disclosing it to their IT department.

According to figures from cybersecurity company Infoblox, almost half of organisations (46%) have discovered 'shadow' IoT devices on their network during the past year. Only a quarter of organisations found no shadow IoT devices on their network at all.


Employees connecting these products to the network is increasingly the norm, yet while it brings convenience for users, the increased use of connected devices – especially those that weren't known to the organisation – brings increased risk from cyberattacks and hacking.

Security standards for IoT devices aren't as stringent as they are for other products such as smartphones or laptops, so in many cases, it's been known for IoT manufacturers to ship highly insecure devices – and sometimes these products never receive any sort of patch either because the user isn't aware of how to apply it, or the company never issues one.

A large number of connected devices are also easily discoverable with the aid of IoT search engine Shodan.

Not only does this leave IoT products potentially vulnerable to being compromised and roped into a botnet, insecure IoT devices connected to corporate networks could enable attackers to use something as trivial as a fitness tracker or a smart watch as an entry point into the network, and use it as a means of further compromise.


"Personal IoT devices are easily discoverable by cybercriminals, presenting a weak entry point into the network and posing a serious security risk to the organisation. Without a full view of the security policies of the devices connected to their network, IT teams are fighting a losing battle to keep the ever-expanding network perimeter safe," said Malcolm Murphy, technical director for EMEA at Infoblox.

In order to protect against the threat posed by shadow IoT, the report recommends that organisations ensure they're fully aware of what devices are connected to the network and that any suspicious or unknown web traffic is quickly identified. Any IoT devices on the network should also avoid using default passwords.


