VSEC Blog: IT Security Channel News brought to you by Infinigate UK

What is IoT and What Security Concerns Does it Bring to the Workplace?

Posted: 06 February 2019

What is IoT (Internet of Things) and What Security Concerns Does it Bring to the Workplace?

From smart automated homes to WiFi-enabled children's toys, this Christmas was a bounty for manufacturers of gadgets and gizmos offering internet-connected functionality, otherwise known as IoT or the Internet of Things.

But, what exactly is IoT and what concerns does it bring to companies and organisations who adopt such technology?

What is IoT?

The term internet of things, or IoT, has come to describe any device, outside of a smartphone, laptop or PC, which has internet connectivity to further enhance its functionality.

For example, most TVs are now shipped with WiFi cards, allowing them to play back internet-based TV catch-up services or access website content such as social media.

More recently, home automation solutions such as Amazon Alexa and Google Home have created an explosion of devices such as internet-enabled light bulbs and power outlets, all controllable via voice commands or smartphone apps, with the bridge between them being the internet.

Like anything, there is a sting in the tail.

IoT devices have come under fire from security experts who have demonstrated on numerous occasions, with various types of devices, that the security applied leaves a lot to be desired. One of the best examples is internet-connected cars, which have been taken over by hackers and controlled remotely.

For a long time, these problems have been restricted to the private home. But now that IoT devices are increasingly entering the workplace, what risks do they pose?

1. Lack of Security Updates

As a security consultant, I have noticed an increasing number of IoT devices being adopted by businesses, such as remotely controllable CCTV cameras or smart-heating systems.

What is very rarely considered is that the manufacturers of such devices are more commonly specialists in their area but new to IT security. This immaturity means that there are very rarely any device update cycles; instead, R&D is focused on new product releases.

The result is that any vulnerabilities which appear in their previous solutions are ignored, and the devices remain vulnerable out in the wild. Imagine installing a new server operating system and never applying a single patch.

I myself heard a humorous but worrying story recently, whereby a hotel with IoT TVs in their meeting rooms witnessed undesirable content being played on them from an unknown source during meetings.

2. IoT Devices Have Become Targets of Botnets

One of the biggest IoT stories of the past few years has been the use of hacked IoT devices to create huge botnets for the purpose of DDoS (Distributed Denial of Service) attacks.

Mirai, the most famous of these, was a malware-based attack which gathered up hundreds of thousands of internet-connected routers and security cameras to launch DDoS attacks at various targets across the internet.

Some of these attacks were recorded as the largest such attacks ever detected at the time.

To make it worse, the code used in the Mirai attack was published online, allowing anyone with the know-how to replicate the attack.

Such examples are of course disruptive, but not usually to the company hosting the IoT device. However, disrupting internal devices, or even hopping to another device in the network, is feasible.

3. Non-Compliant Data Storage

Third on the list of concerns for IoT devices in the workplace is non-compliant data storage platforms. Some IoT devices have their own internal storage, sometimes permanent or other times for buffering or caching.

Very few IoT devices have encrypted storage or any kind of storage protection built in, unlike more security-focused operating systems, servers or network devices. The concern is that storing potentially sensitive content collected in the workplace on a vulnerable device creates a heightened risk of data breach.

For example, imagine a business purchases some internet-connected CCTV cameras which transfer video files to a protected file share hosted in the company's network; each camera moves its files to the server each time they get to 100MB in size.

Once on the server, the files are protected by the solutions and techniques used by the IT and IT security teams, honed over years of experience. Meanwhile, files which have not grown to 100MB are left vulnerable on the IoT device, which employs very few security features, if any.

How much effort would it take to use a Mirai-type exploit to capture those files?

In fact, there have been numerous high-profile webcam and CCTV camera hacks which have permitted unauthorised parties to view live video from vulnerable devices.

Chris Payne on behalf of Infinigate UK