From smart automated homes to WiFi enabled children's toys, this Christmas was a bounty for manufacturers of gadgets and gizmos offering internet connected functionality. Otherwise known as IoT or the Internet of Things.
But, what exactly is IoT and what concerns does it bring to companies and organisations who adopt such technology?
What is IoT?
The term internet of things, or IoT, has come to describe any device, outside of a smartphone, laptop or PC, which has internet connectivity to further enhance its functionality.
For example, most TVs are now shipped with WiFi cards, allowing them to play back internet-based TV catch-up services or access website content such as social media.
More recently, home automation solutions such as Amazon Alexa and Google Home have created an explosion of devices such as internet enabled light bulbs and power outlets. All controllable via voice commands or smartphone apps, with the bridge between them being the internet.
Like anything, there is a sting in the tail.
IoT devices have come under fire from security experts who have demonstrated on numerous occasions, with various types of devices, that the security applied leaves a lot to be desired. One of the best examples being internet connected cars which have been taken over by hackers and controlled remotely.
[Have you also read "5 Tips to Protect Critical Infrastructure in the Age of IoT"?]
For a long time, these problems have been restricted to the private home. But now that IoT devices are ever increasingly entering the workplace, what risks do they pose?
1. Lack of Security Updates
As a security consultant, I have noticed an increasing number of IoT devices being adopted by businesses, such as remotely controllable CCTV cameras or smart-heating systems.
What is very rarely considered is that the manufacturers of such devices are more commonly specialists in their area but new to IT security. This immaturity means that there is very rarely any device update cycles, instead R&D is focused on new product releases instead.
The result is that any vulnerabilities which appear in their previous solutions are ignored and remain vulnerable out in the wild. Imagine installing a new server operating system and never applying a single patch.
I myself heard a humorous but worrying story recently, whereby a hotel with IoT TVs in their meeting rooms, witnessed undesirable content being played on them from an unknown source during meetings.
2. IoT Devices Have Become Targets of Botnets
One of the biggest IoT stories of the past few years have been the use of hacked IoT devices to create huge botnets, for the purpose of DDoS (Denial of Service) attacks.
Mirai, being the most famous of these was a malware based attack which gathered up hundreds of thousands on internet connected routers and security cameras, to launch DDoS attacks at various targets across the internet.
[You might also be interested to read "DDoS gets Super-Charged with a Dose of IoT"]
Some of these attacks were recorded as the largest such attacks having ever been detected, at the time.
To make it worse, the code used in the Mirai attack was published online, allowing anyone with the know-how to replicate the attack.
Such examples are of course disruptive, but not usually to the company hosting the IoT device. However the ability to disrupt internal devices or even hop to another device in the network, is feasible.
3. Non-Compliant Data Storage
Third on the list of concerns for IoT devices in the workplace is non-compliant data storage platforms. Some IoT devices have their own internal storage, sometimes permanent or other times for buffering or caching.
Very few IoT devices have encrypted storage or any kind of storage protection built in, unlike more security focused operating systems, servers or network devices. The concern is that by storing potentially sensitive content collected in the workplace on a vulnerable device, it creates a heightened risk of data breach.
[You should also check out "3 Worst Data Breaches from 2018 & How to Avoid Them"]
For example, imagine a business purchases some internet-connected CCTV cameras which transfer video files to a protected file share hosted in the companies network; it moves the files to the server each time they get to 100MB in size.
Once on the server, the files are protected by the solutions and techniques used by the IT and IT security teams, honed over years of experience. Meanwhile, files which have not grown to 100MB are left vulnerable on the IoT device, employing very few security features, if any.
How much effort would it take to use a Mirai type exploit to capture those files?
In fact, there have been numerous high profile webcam and CCTV camera hacks which have permitted unauthorised parties to view a live video from vulnerable devices.