When the topic of IoT security comes up, it’s often considered a consumer security issue – fancy controllable houselights, baby monitors, home security systems, and anything else that can be networked. That’s a mistake: IoT devices are certainly marching into the enterprise. Earlier this week Zscaler published results from a look at IoT security, and it found that a number of enterprise devices were compromised, along with a number of other startling results.
According to the post, “IoT devices in the enterprise,” Zscaler took a look at IoT data from July 2016. The analysis covered types of devices, protocols used, server location, and traffic frequency. It also included the days that the cybersecurity blog KrebsOnSecurity came under intense DDoS attacks.
Here’s a shocker: (well, not a shocker) many devices made for consumers ended up on enterprise networks.
Zscaler also found that consumer devices, such as Chromecast and Roku players and smart TVs, frequently appeared inside enterprises. The media players were not insecure; however, the smart TVs had software that was out of date and could be hijacked.
“The most common devices we saw were cameras, home entertainment systems, printers, and IP phones. Many of the devices we observed were still using plain-text HTTP protocol for authentication as well as firmware updates, which makes their communication vulnerable to sniffing and Man-in-The-Middle (MiTM) attacks,” wrote Deepen Desai, director of security research at Zscaler.
“IoT devices present a unique threat, because of their minimal security and their sheer numbers. The Mirai malware has shown us how these devices can wreak widespread havoc through targeted DDoS attacks. But what else do we need to know about these devices? Are there some that should be banned from the enterprise? What do we tell employees who are bringing them from home?” Desai wrote.
The types of flaws uncovered include IoT devices communicating over plain-text HTTP, insecure firmware updates, leakage of device data and user credentials, and use of default user and device authentication credentials.
To protect enterprise networks, Desai recommends that enterprises restrict access to IoT devices from external networks as much as they can and block unnecessary ports from external access. Default credentials should never be used; they should be changed to something more secure. And, when possible, IoT devices should be managed on an isolated network, with restrictions on both inbound and outbound network traffic, he advises. Finally, enterprises should apply regular security and firmware updates to IoT devices.
That all sounds reasonable to me, and I’d add that the processes that are already in place to manage configurations and vulnerabilities be extended to IoT devices.
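One way to look for two of the flaws listed above (firmware updates and credentials sent over plain-text HTTP) in existing proxy logs, shown as an added example that is not from Zscaler or the original post. The log format, hostnames, firmware suffixes, and parameter names are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic), in an assumed format:
# source IP, method, URL, Authorization scheme ("-" if none)
SAMPLE_LOG = """\
10.20.0.15 GET http://updates.camera-vendor.example/fw/cam_v2.1.bin -
10.20.0.15 POST http://cloud.camera-vendor.example/login?user=admin&password=example -
10.20.0.31 GET https://updates.tv-vendor.example/firmware/tv_5.0.img -
10.20.0.42 GET http://printer-vendor.example/status Basic
10.20.0.57 GET http://time.example/ntp.txt -
"""

FIRMWARE_EXT = (".bin", ".img", ".fw", ".hex")  # assumed firmware file suffixes
CRED_PARAMS = re.compile(r"(?:^|&)(?:password|passwd|pwd|pass|token)=", re.I)


def audit_line(line):
    """Return the plain-text findings for one log line (empty list if none)."""
    fields = line.split()
    if len(fields) != 4:
        return []  # malformed line: skip rather than guess
    _src, _method, url, auth = fields
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []  # TLS in use: contents are not readable on the wire
    findings = []
    if parts.path.lower().endswith(FIRMWARE_EXT):
        findings.append("firmware-over-http")
    # HTTP Basic auth and credential-like query parameters are readable by a sniffer
    if auth.lower() == "basic" or CRED_PARAMS.search(parts.query):
        findings.append("credentials-over-http")
    return findings


def audit(log_text):
    """Map each source IP to the sorted list of findings seen for it."""
    report = {}
    for line in log_text.splitlines():
        found = audit_line(line)
        if found:
            report.setdefault(line.split()[0], set()).update(found)
    return {ip: sorted(f) for ip, f in report.items()}


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_LOG).items():
        print(ip, ", ".join(findings))
```

Devices that show up in the report are candidates for the isolated network segment and for a firmware or configuration review.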
While IoT security has been an increasingly important subject in recent years, the topic jumped to center stage when a recent distributed denial-of-service attack, fueled by approximately 500,000 IoT devices, knocked several popular websites offline. These IoT devices were compromised with the Mirai malware, which enabled attackers to weaponize these devices to throw unmanageable levels of traffic at their targets.