
IoT security fail: The weird devices that employees are connecting to the office network

Over half of Internet of Things devices connected to enterprise networks are consumer-grade products – and the low levels of protection offered by these devices could potentially be putting businesses at risk from cyber attacks.

Cybersecurity researchers at Zscaler analysed data generated by IoT devices at enterprises and found there has been a surge in unauthorised IoT traffic from devices connected to the network by employees. Staff connect the likes of smart watches and fitness trackers to their enterprise network to make things simpler, but these could in turn undermine the security of business networks.

The top unauthorized IoT devices Zscaler observed include digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smart watches, and even automotive multimedia systems.

Analysis of over one billion IoT traffic transactions a month found that 83 per cent of these were happening over plain text channels, with just 17 per cent using secure SSL channels to transmit data.

Transferring traffic in plain text is risky because it leaves the data open to interception by outsiders, who could use traffic sniffing, eavesdropping, man-in-the-middle attacks and other exploits to gain access to data on the device.

The majority of websites have stopped sending traffic in plain text due to the associated security concerns, but given almost four in five IoT devices still transfer data in this way, it seems there’s still a long way to go before this part of the network is secure.

This is especially the case when you add the ever-growing number of IoT products being used in enterprise networks, either authorised devices or ‘shadow IoT’ devices which employees have connected to the network of their own accord. Zscaler said it had blocked 14,000 IoT-based malware attempts per month, seven times more than it recorded in its May 2019 research.

The rise in IoT devices is something which hackers are increasingly looking to exploit; large numbers of cheap IoT devices have little or no security, meaning that if they can be accessed from the internet, they could provide an attacker with an easy doorway onto a corporate network. Once inside the network, there’s the potential for the attacker to go about their malicious business.

That could be anything from corporate espionage and installing malware, to taking control of other IoT devices on the network and forcing them into a botnet for launching distributed denial of service (DDoS) attacks to take down other networks – as demonstrated by the Mirai botnet attacks of late 2016.

“We have entered a new age of IoT device usage within the enterprise. Employees are exposing enterprises to a large swath of threats by using personal devices, accessing home devices, and monitoring personal entities through corporate networks,” said Deepen Desai, vice president of security research at Zscaler.

“As an industry, we need to implement security strategies that safeguard enterprise networks by removing shadow IoT devices from the attack surface while continuously improving detection and prevention of attacks that target these devices,” he added.

One way in which IoT devices can be made more secure from outside interference is by users changing the default password the product is issued with.

Source: Information Technologies - zdnet.com
