IoT – Shadowy Things?
IoT – Security Implications for Enterprise Use
The Internet of Things (IoT) has been a game-changer in personal and professional realms. With simple, cost-effective devices, we’re now able to secure our homes, remotely manage climate control, and grant access to facilities—all at our fingertips.
And it’s not just in our homes. The availability of low-cost, wide-area network-enabled sensors and other devices has allowed a degree of optimization and automation that was previously unthinkable except in the most tightly controlled industrial settings. IoT is improving both the performance and efficiency of whole industries, including areas such as agriculture, health care, and logistics. Additionally, it is bringing the era of truly smart cities a step closer.
Shadow IT on steroids?
Yet, as we harness IoT to optimize operations, we face many of the same challenges we faced with ‘Shadow IT’—the use of IT systems within organizations without approval. This comparison is apt due to several overlapping concerns:
- Lack of oversight: IoT devices are often added to enterprise environments with minimal scrutiny on their cybersecurity implications.
- Cybersecurity neglected: Security measures may be sidelined or overlooked, viewed more as hurdles than necessities.
- Device management is inconsistent: The upkeep of these devices is frequently inconsistent, with many left unsupported or unmonitored.
IoT devices also present challenges unique to their nature:
- Opaque network behavior: Their operations can be difficult to monitor or understand.
- Underestimation of value: They might not be viewed as critical business assets, leading to neglect.
- Background operation: Many devices operate silently in the background, making them easy to overlook.
Generally, anything that lurks in the shadows will present unseen risks. IoT devices are no different.
The Concealed Dangers of IoT
The growth of IoT introduces compliance challenges as devices handle data interactions with the physical world, which may be secondary to their core function. The implications for data management and potential vulnerability to tampering are significant, with security often taking a backseat to functionality.
While IoT devices are marketed for their ease of use, this convenience can be a double-edged sword. Simplified setups can inadvertently make it easier for attackers to exploit vulnerabilities. It is hard to make software easy and convenient for legitimate uses without also making it easy and convenient for an attacker to achieve illegitimate ones.
And so we regularly come across apps controlling IoT devices over unencrypted connections using hardcoded default credentials.
For instance, consider this security camera setup:
GET /web/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
… [rest of the headers] …
Authorization: Basic YWRtaW46YWRtaW4=
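It turns out that the value in the “Authorization” header above is simply admin:admin encoded in Base64. Base64 is an encoding, not encryption, so anyone who can observe the unencrypted request can read the credentials.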
This directly leads to the usual issues: an attacker could add the device to a botnet, take control of it and abuse its hardware components, or access or compromise its data. An attacker could also use the device as a stepping stone into other internal systems or devices. What’s more, having such hard-coded credentials makes it difficult to patch security vulnerabilities without breaking the device. As a result, many IoT devices are poorly maintained.
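To find this pattern in your own environment, the following added example (not code from the original article) audits captured HTTP requests for Basic authentication sent without encryption and for factory-default credential pairs. The function names, the list of default pairs other than admin:admin, and the host name camera.example are assumptions made for illustration.

```python
import base64
import binascii

# Assumed audit list of factory-default pairs; only admin:admin comes from the article.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("root", "root")}

def parse_headers(raw_request):
    """Return the request headers as a dict keyed by lower-cased header name."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line.strip():
            break                   # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_basic(header_value):
    """Decode a Basic (RFC 7617) credential; return (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                 # malformed token: nothing to report
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit_request(raw_request, encrypted=False):
    """Return findings for one captured request; passwords are never echoed."""
    findings = []
    creds = decode_basic(parse_headers(raw_request).get("authorization", ""))
    if creds is None:
        return findings
    if not encrypted:
        findings.append("basic-auth-over-cleartext")
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default-credentials:" + creds[0])
    return findings

# Constructed sample modelled on the camera request shown in the article.
SAMPLE = "GET /web/ HTTP/1.1\r\nHost: camera.example\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"

if __name__ == "__main__":
    print(audit_request(SAMPLE))
```

Pass `encrypted=True` for requests captured from a TLS-terminated session so that only the default-credential check applies.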
A real-world concern arises when enterprises lose sight of their IoT devices. Without regular maintenance, these devices can become sleeping security timebombs. We’ve encountered organizations with numerous IoT devices running unchecked due to uncertainty about their function and location—posing serious cybersecurity risks.
As we integrate more IoT devices into our daily lives and workspaces, it’s crucial to be proactive in understanding and mitigating the risks they pose. A holistic approach to IoT security can help ensure that we reap the benefits without compromising safety.
Embracing IoT with Awareness
IoT technology is forging our future, introducing interconnectedness that must be managed with caution. These devices should be treated with the same security rigor as computers, with dedicated policies for consistent updates and monitoring.
As IoT’s ecosystem flourishes, keeping abreast of technological vulnerabilities is as crucial as celebrating innovation. A commitment to continuous education and vigilance will enable organizations to benefit from IoT without sacrificing security.
In conclusion, integrating IoT into enterprise systems demands a balanced approach—valuing innovation while upholding strong security standards to avoid the pitfalls that accompany these advanced technologies.