IoT security: Shadow devices pose growing threat to networks – report


Unauthorised devices introduce “immense security risk”, according to report.

IoT devices, as well as personal devices such as laptops, tablets, and smartphones, pose a grave threat to enterprise networks, according to a new report from automation and security company Infoblox.

The report, titled ‘What is lurking on your network: Exposing the threat of shadow devices’, reveals that over one-third of companies in the US, UK, and Germany (35 percent) have reported more than 5,000 personal devices connecting to their networks each day.

Employees in the US and UK admitted to connecting to the enterprise network for a number of non-work-related reasons, including to access social media (39 percent), as well as to download apps, games and films (24 percent, 13 percent and seven percent, respectively). These practices open organisations up to social engineering hacks, phishing, and malware injection, says the report, as well as tie up valuable network resources.

Infoblox also found that one-third of companies in the US, UK, and Germany report more than 1,000 shadow IoT devices connecting to their networks on a typical day, with 12 percent of UK organisations reporting more than 10,000 such connections.

Among the most common devices found on enterprise networks are: fitness trackers, such as Fitbit or Gear Fit (49 percent); digital assistants, such as Amazon Alexa and Google Home devices (47 percent); smart TVs (46 percent); smart kitchen devices, such as connected kettles or microwaves (33 percent); and games consoles, such as Xbox or PlayStation (30 percent).

Shodan shows the way to IoT

According to the report, such devices are easily discoverable by cybercriminals online via search engines for internet-connected devices, such as Shodan. Via these resources, even low-level criminals have a simple means of identifying the vast numbers of devices on enterprise networks that can be targeted for vulnerabilities.

For example, in March 2018, there were 5,966 identifiable cameras deployed in the UK and 2,346 identifiable – and therefore hackable – smart TVs on enterprise networks in Germany.

Internet of Business recently published a report on the problem of unsecured cameras in offices, schools, hospitals, gyms, restaurants, and public spaces. As that report explained, dedicated search engines, such as Insecam, exist for the tens of thousands of unprotected cameras that are online worldwide, allowing anyone to not only watch whatever these cameras are recording live on the internet, but also to identify the camera by manufacturer and, potentially, hack the device.

Policy challenges

Infoblox says that to manage the threat posed to enterprise networks by shadow personal and IoT devices, 82 percent of organisations have introduced new security policies. However, IT leaders appear misguided in their estimation of how effective these policies are, says the company.

While 88 percent of the IT leaders that responded to the survey believe that their security policies are either “effective” or “very effective”, nearly one-quarter of employees in the US and UK (24 percent) did not know if their organisation even had a security policy.

Gary Cox, technology director Western Europe at Infoblox, said that due to the poor security levels of many consumer and IoT devices, there is a very real threat posed by those operating under the radar of organisations’ standard security policies. “These devices present a weak entry point for cybercriminals into the network, and a serious security risk to the company,” he said.

“Networks need to be a frontline of defence; second only to having good end-user education and appropriate security policies. Gaining full visibility into all connected devices, whether on premise or while roaming, as well as using intelligent DNS solutions to detect anomalous and potentially malicious communications to and from the network, can help security teams detect and stop cybercriminals in their tracks.”

Internet of Business says

This is a timely and useful report, because it reminds us that while many enterprise security policies have been expanded to include ‘bring your own device’ (BYOD) schemes – and thus gain the productivity and cost benefits of allowing employees to use their own, preferred technologies for work – there is an inbuilt assumption that this mainly includes smartphones, tablets, and laptops.

The finding that a broad range of other devices, many of which have known security flaws, are being allowed en masse onto corporate networks – under the radar in many cases – and can easily be discovered by specialist search tools, may alarm IT managers.

With GDPR being introduced this month, the imperative to take a smarter view of enterprise security could not be clearer – particularly in the wake of numerous reports which reveal that IoT security strategy is poor in many organisations, with many also failing to take even basic precautions with IoT devices.

If you don’t take these issues seriously, then we advise you to search for “unsecured cameras [or devices] live” and see for yourself.
