Prevalence of IoT may leave networks vulnerable to attacks

Devices that use the Internet of Things (IoT) are prevalent in highly regulated industries and the infrastructure supporting those devices is vulnerable to security flaws, according to a recent study.

By Gregory Hale, ISSSource August 11, 2015

IoT devices are connecting to corporate networks, but are not up to the same security standards as other connections, according to “The 2015 Internet of Things in the Enterprise Report,” a global data-driven security assessment of IoT devices and infrastructure found in businesses from OpenDNS. Using data from the billions of Internet requests routed through OpenDNS’s global network daily, the report details the scale to which IoT devices are in enterprise environments and uncovers specific security risks associated with those devices. 

The report, authored by OpenDNS director of security research Andrew Hay, includes:

  • IoT devices are actively penetrating some of the world’s most regulated industries including healthcare, energy infrastructure, government, financial services, and retail.
  • There are three principal risks IoT devices present to the enterprise: IoT devices introduce new avenues for potential remote exploitation of enterprise networks; the infrastructure used to enable IoT devices is beyond the user and IT’s control; and IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched.
  • Some networks hosting IoT data are susceptible to highly-publicized and patchable vulnerabilities such as FREAK and Heartbleed.
  • Highly prominent technology vendors are operating their IoT platforms in known “bad Internet neighborhoods,” which places their users at risk.
  • Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon out to servers in the U.S., Asia, and Europe—even when not in use.
  • Though traditionally thought of as local storage devices, Western Digital cloud-enabled hard drives are now some of the most prevalent IoT endpoints observed. These devices are actively transferring data to insecure cloud servers.
  • A survey of more than 500 IT and security professionals found 23% of respondents have no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s networks.

“This report shows conclusively that IoT devices are making their way into our corporate networks, but are not up to the same security standards to which we hold enterprise endpoints or infrastructure,” Hay said. “Our hope is that by using this report, security professionals and researchers can better understand the security implications of the IoT devices in their own environments.”

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. Edited by Joy Chang, Digital Project Manager, CFE Media, jchang@cfemedia.com.

Original content can be found at www.isssource.com.