As employees purchase and connect millions of new IoT devices every year, they are increasingly bringing them to work and connecting them to corporate networks. This innocent act opens corporate networks to potential attack from competitors, hackers, and other adversaries.
Companies need to be aware of these shadow IoT devices and ensure they are protected against them, both through smart cybersecurity strategies and by promoting a “security by design” approach with the companies that manufacture these devices.
To help you learn more about shadow IoT, the experts from Kudelski Group have used their knowledge to answer our questions.
- What is shadow IoT and how does it typically creep into an organization?
It is often quite easy for individuals to add internet-connected devices or networks of devices to corporate networks without IT’s knowledge or approval. These devices range from personal fitness trackers or digital assistants to small networks of smart home devices connected wirelessly to each other. Typically, users are adding these devices for personal convenience or to help them do their job, without understanding that they are potentially adding risk to the enterprise environment. And today, the vast majority of these devices are not secure by design.
- How much of a threat is shadow IoT to organizations?
As part of our IoT division we have advanced evaluation Labs in Switzerland that review hundreds of products per year, breaking them down to the silicon to analyze potential vulnerabilities in both hardware design and the firmware that controls the device. From this experience, we have found that all of them have identifiable security flaws which increase the risk of compromise – weak device passwords or passwords stored in the clear, no data encryption, or unpatched software vulnerabilities. Many of them even have built-in security measures in their components, but fail to implement them. Additionally, a long-term security strategy for these devices is often an afterthought. This is especially true for consumer-oriented IoT devices that are likely to be the bulk of shadow IoT devices on a network. Because these devices can often be easily compromised remotely and are already attached to corporate networks, they represent an easy attack vector to access more valuable corporate assets. Our IoT team regularly advises product manufacturers on a ‘security by design’ approach that not only helps define a secure product architecture but also helps them plan ahead for ongoing security lifecycle management for their devices and ecosystem.
- What threats take advantage of shadow IoT? Have there been any examples of shadow IoT causing security issues or other problems? If not, what problems could shadow IoT deployments create for organizations (i.e. unsecured infrastructure as well as unsecured data, extra costs, redundancies, etc.)?
Insecure IoT devices can provide a point of initial access to corporate networks. Often this is as simple as logging in to internet-facing management consoles on one of these devices using default credentials that have not been changed. From there attackers may be able to use the devices to conduct reconnaissance, move laterally or even launch certain attacks inside the organization.
For example, there is a North American casino where the facilities management people installed a connected fish aquarium without consulting their IT department. A creative hacker used a vulnerability (WiFi password stored in the clear) to penetrate the casino’s internal networks.
- Have any cyberattacks happened as a result of shadow IoT deployments?
Yes. There are well-publicized instances of large-scale attacks that exploited consumer-oriented IoT devices, namely the Mirai and RIFT botnets. Whether IoT devices are sanctioned or unsanctioned by IT, they represent a risk to organizations which should be identified, analyzed and mitigated.
- What steps can/should an organization take to prevent shadow IoT from becoming an issue? What can an organization do if it already is a problem?
Visibility is the first step for either prevention or remediation of a shadow IoT problem. Organizations must understand what devices are connected to their networks before they can effectively address the challenge. Our philosophy is to build in security and effective management from the start, but there are a number of IoT-focused tools on the market that enable visibility and provide some context for how much risk is posed by a particular IoT device. With this knowledge, organizations can develop and apply a policy-based approach to isolate or block unknown IT and IoT devices which attempt to connect to corporate networks. As an example, many organizations allow these devices to connect but only to a network segment specifically for untrusted devices that has no access to corporate resources.
Ultimately, this problem will only be fully solved when consumer electronics companies and other device manufacturers start to take both initial security architecture as well as long-term security lifecycle management strategies more seriously. Often in the rush to innovate and beat their competitors, security is deprioritized and shortcuts are taken, leaving gaps that pass the problem down the line to corporate IT organizations. The security by design approach taken from the beginning not only prevents this but helps protect everyone across the entire value chain: manufacturer, consumer, and company networks.
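The visibility-then-policy approach described in the answer above, as an added example that is not code from Kudelski Group or the original article: a Python script parses constructed DHCP-style lease records, compares each device against an approved asset inventory, and assigns every unapproved device to an untrusted quarantine segment with no corporate access. The lease line format, MAC addresses, inventory, OUI-to-vendor table and VLAN numbers are all constructed assumptions for illustration.

```python
"""Minimal shadow-IoT visibility check (added example, not vendor code).

Parse lease records of the shape <ip> <mac> <hostname>, look each MAC up in an
approved inventory, and decide which network segment policy applies.
Every value below is constructed sample data, not from a real network."""
from dataclasses import dataclass
import re

# Constructed sample leases. The 02:... prefixes are locally administered
# MAC addresses chosen so they do not collide with any real vendor OUI.
SAMPLE_LEASES = """\
10.10.20.11 02:11:22:aa:bb:01 LAPTOP-ACCT-07
10.10.20.12 02:11:22:aa:bb:02 PRINTER-3F
10.10.20.40 02:aa:bb:33:44:55 fishtank-thermo
10.10.20.41 02:cc:dd:99:88:77 Smart-Speaker
10.10.20.42 02:11:22:aa:bb:03 LAPTOP-ENG-12
"""

# Approved asset inventory (constructed): MAC -> owner/role.
APPROVED = {
    "02:11:22:aa:bb:01": "accounting laptop",
    "02:11:22:aa:bb:02": "floor-3 printer",
    "02:11:22:aa:bb:03": "engineering laptop",
}

# Hypothetical OUI (first three octets) -> vendor label table.
# Placeholder prefixes, not a real OUI registry; a real deployment would
# consult the IEEE OUI list or a device-fingerprinting tool here.
OUI_VENDOR = {
    "02:aa:bb": "ExampleIoT Sensors (placeholder)",
    "02:cc:dd": "ExampleHome Audio (placeholder)",
}

CORP_VLAN = 20         # trusted corporate segment (assumed number)
QUARANTINE_VLAN = 900  # untrusted segment, no route to corporate resources


@dataclass
class Device:
    ip: str
    mac: str
    hostname: str
    vendor: str
    approved: bool
    vlan: int


LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


def parse_leases(text):
    """Turn lease lines into Device records with a policy decision attached."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, mac, host = m.groups()
        mac = mac.lower()
        vendor = OUI_VENDOR.get(mac[:8], "unknown vendor")
        approved = mac in APPROVED
        # Policy: anything not in the inventory lands on the quarantine segment.
        vlan = CORP_VLAN if approved else QUARANTINE_VLAN
        devices.append(Device(ip, mac, host, vendor, approved, vlan))
    return devices


def shadow_devices(devices):
    """Devices present on the network but absent from the approved inventory."""
    return [d for d in devices if not d.approved]


def report(devices):
    """Human-readable inventory report with the segment each device is placed on."""
    lines = []
    for d in devices:
        status = "approved" if d.approved else "UNKNOWN -> quarantine"
        lines.append(
            f"{d.ip:<14}{d.mac}  {d.hostname:<18}{d.vendor:<34}{status} (VLAN {d.vlan})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    devs = parse_leases(SAMPLE_LEASES)
    print(report(devs))
    print(f"{len(shadow_devices(devs))} unapproved device(s) found")
```

Running the script on the constructed leases flags the aquarium sensor and the smart speaker as unknown and places them on the quarantine VLAN while the inventoried laptops and printer stay on the corporate segment; in practice the lease source would be the DHCP server or switch ARP tables and the policy decision would be pushed to the NAC or switch configuration.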