By Chris Rouland Co- founder and Chief executive officer at Phosphorus Cybersecurity,
Enterprises today are putting themselves at risk by allowing vulnerable IoT devices into their businesses.
How many lightbulbs does it take to bring down an enterprise?
If it’s a smart lightbulb: only one.In what seemingly appears to be a quest for complete connectivity, enterprises are turning a blind eye to glaring vulnerabilities in IoT devices that threaten their very existence. When it comes to the Shadow IoT, their eyes are closed.
That smart lightbulb, which interacts with other IoT devices in the business, can potentially be hacked and used as a portal to ultimately infiltrate the network. Does it require physical access? Nope. A drone a quarter-mile away will work. It’s also been proven an IoT worm powered by lightbulbs could easily spread across a city with a speed that would make the latest flu pathogen jealous. This ultimately puts sensitive company and customer data and assets at risk of being compromised.
So when we talk about risky IoT devices in the enterprise, what are we talking about? Well if it connects to your network, just about anything.
Among the riskiest IoT devices in the enterprise:
Surveillance Cameras – Security cameras are the top targets for hackers. There have been recent stories of home security cameras being targeted allowing criminals to spy on and even speak with people in their own homes. This is happening in the enterprise as well. Vulnerable cameras can be easily compromised for a variety of purposes including network access, spying and burglary.
Printers/Copiers – A recent hack by TheHackerGiraffe targeted 50,000 printers worldwide in an effort to raise awareness about printer security. While this was a harmless stunt that caused printers to print out a simple message, a malicious hacker could have used this hack for more nefarious means.
Smart Light Bulbs – As noted above, a motivated hacker can use a single bulb as an entry point to the wider network where they are free to steal data and/or implant malware.
Medical Devices – This is one of the more concerning areas because not only does a hacked medical device give hackers access to the network, it can potentially affect the health of a patient resulting in a life and death situation.
Personal Devices – Smart devices, whether they are wearables or home devices, can potentially be used to access an enterprise’s network. For example, a corporate CEO’s home network could potentially be targeted and then be used to gain entry into the company network for exploitation.
So what can enterprises do to protect themselves and their customers from these growing IoT risks? A few things:
Update Firmware – This is among the easiest and yet most neglected thing that users can do to keep their devices safe. Device vulnerabilities are constantly being exploited and a simple firmware update can slam the door shut on these backdoor threats.
Change Default Passwords – Manufacturers often set simple default passwords for their devices that are not changed by users and can be easily accessed by hackers. A new law in California bans default passwords in IoT devices, but there are millions of vulnerable gadgets still out there just waiting to be hacked.
Avoid Knockoff Brands – Without mandated IoT security protocols in place, manufacturers make their own rules on the safety of their devices. For lesser-known brands with limited funds, security takes a back seat. Paying a few bucks less for an IoT device can potentially result in huge monetary losses if the vulnerable device is ultimately hacked. If you see glaring typo’s in product documentation, that might be telling as to the code quality under the hood.
Implement an IoT Security Plan – While IoT security is on the radar of CISO’s, many have yet to implement an enterprise-wide strategy. It is imperative that enterprises create a sound plan that incorporates everything from firmware updates to device monitoring to a security breach plan to protect themselves from a potential infiltration.
We’ve already seen large-scale attacks such as Mirai that used compromised IoT devices to carry out a DDoS attack against Dyn and take down Twitter, Netflix, Spotify, Etsy, and other major websites.
If it can happen to them… it can happen to your business as well.
Today’s IoT devices are really rogue, unmanaged Linux servers for the most part. They need to be managed and secured as any other asset in the enterprise would. Device segregation of insecure devices into their own insecure network neighborhoods is no solution, unless you want to see an IoT ghetto.
These IoT attacks are only expected to increase in 2019. To do nothing is a dangerous game of roulette that enterprises can’t afford to play.
Chris Rouland is co-founder and chief executive officer of Phosphorus Cybersecurity, Inc. A 25-year veteran of the information security industry, Chris is a renowned leader in cybersecurity innovation and disruption.