If industry analysts are to be believed, the expanding ecosystem of connected smart devices that will soon make up the Internet of Things is expected to go supernova in the next few years. Research firm IDC predicts there will be over 28 billion IoT devices installed by 2020, estimating its value at $1.9 trillion.
But in 2015, we already have around 9 billion of those devices online. Everything from printers, 3D printers, routers and point of sale systems, to wearable devices, smart meters and smart control systems are being switched on in homes and enterprises. According to a large scale study conducted by Atomik Research and cyber threat firm Tripwire, employed consumers working from home have an average of 11 IoT devices on their home networks, and nearly one in four have already connected at least one IoT device to their enterprise network.
63% of executives expect that business efficiencies and productivity will force them to accept IoT devices. And while the IoT marketplace is already beginning to be lucrative, it’s clear that all these new devices open up additional attack vectors for enterprise networks.
The potential risks from smartphones, tablets or laptos are relatively well documented and understood, but businesses are not necessarily prepared for or expecting the IoT to present much of a threat from cyber criminals. Only 46% said they thought the risks associated with IoT have the potential to become the most significant risk on their networks. When it came to industrial controllers, only 8% of IT professionals are concerned that they might be a target for cyber crime, even though 88% said they weren’t confident in industrial controllers’ secure configuration. Less than one in four professionals are confident in the secure configuration of common IoT devices already connected to enterprise networks, such as Voice over Internet Protocol (VoIP) phones (21%), sensors for physical security (20%), smart controllers for lights and HVAC (16%).
The reason many enterprises are relatively ‘unconcerned’ about the security of IoT devices, says Chris Conacher, security development manager at Tripwire, is because they misunderstand the risk.
‘They may believe they have ‘solved’ the security problem, when they have not,’ sayd Conacher. ‘Alternatively, they may believe that there is no security problem when there is. Frequently, organisations believe that they have nothing of value that would interest an attacker – this is rarely true.’
‘For attackers there is always something to be gained, and they’re not always looking for data that has financial value. From the theft of information or services that can be used to add a veneer of legitimacy to phishing campaigns or user credentials that can be used to gain access to a connection point from which to attack corporate partners, there is always something of value.’
The study highlights the need to be able to build security and identity into the Internet of Things in a standard way so that IoT devices can be on-boarded into whichever environment is required – home, business or national critical infrastructure. A plethora of cloud-based solutions unique to each manufacturer, suppler or even device will lead to chaos and insecurity.
‘It’s far more likely that employees will be infected with malware outside the enterprise,’ adds Conacher. ‘Employees routinely use smartphones and tablets on untrusted networks. They download suspicious apps from third-party app stores and then connect to the corporate network over a cheap home router with dubious firmware. The risk of cross contamination from home networks can be very serious unless security controls are enforced. Unfortunately, most people assume that virtual private networks (VPNs) solve all remote connection problems, but this is just not true.’
While consumer-focused IoT devices present minimal direct risk to the enterprise, many of them connect back to a vendor’s infrastructure via the Internet to store user data. Successful attacks against these backend infrastructures provide attackers with user credentials and other information that could enable them to gain a foothold into an employee’s home network.
‘From there it’s entirely possible for an attacker to install keyloggers or other malware designed to steal the user credentials necessary to log into corporate networks,’ Craig Young, security researcher for Tripwire adds. ‘In general, people seriously underestimate how easily attackers can move around inside networks once they gain access.’