There are a lot of words that can be used to describe Internet of Things (IoT) devices: interconnected, convenient, and futuristic all come to mind. But perhaps the word that best describes the IoT device market is “growing.” Experts predict there will be approximately 31 billion IoT devices across the globe by 2020 (two short years from now), and approximately 80 billion by 2025.
Yet we’ve written time and time again about the endpoint security concerns surrounding the IoT. That so many cybersecurity professionals harbor such fears is not surprising. Only 47% of enterprises believe their enterprise IoT devices are fully secured—34% do not share those beliefs. 10% state they don’t even possess the endpoint security tools to enforce their IoT cybersecurity policies.
But what are the chances of an IoT attack on your enterprise? After all, the most sensational, stranger-than-fiction hacks and attacks on IoT devices seem confined to the consumer realm: talking teddy bears leaking customer data and smart houses being hacked remotely by total strangers, as just a few examples. It must seem far away from the day-to-day concerns of the corporate world.
Really, what’s the worst that could happen to your enterprise because of unsecured IoT devices?
Unsecured IoT Devices Open New Cybersecurity Holes
There are two similar issues that make up the larger endpoint security problem with IoT devices: legacy devices often have no endpoint security at all, and newer devices are manufactured with convenience and profit prioritized above security. Hackers can easily bypass the rudimentary out-of-the-box endpoint security IoT devices come with—most run on Linux and can be hacked by the same techniques used to hack Linux endpoints.
In both cases, IoT devices are not designed or configured for cybersecurity monitoring—they often have low visibility compared to other endpoints—so evaluating their endpoint security platforms for relevance and updating them can be a headache for IT security teams.
This means that the IoT devices can easily become glaring security holes in your enterprise’s network. Hackers can and will take advantage of these holes to wreak havoc on your network in creative ways:
- Cybercriminals can spoof IoT devices’ WiFi connection to directly access your network, bypassing your endpoint security systems.
- IoT devices may not check SSL certificates, allowing for “man-in-the-middle” attacks. A man-in-the-middle attack occurs when a hacker jumps onto an unsecured IoT device, then uses their position to steal shared data and credentials from other nearby endpoints.
- Unsecured devices on the Internet of Things can allow hackers to install malware, ransomware, or cryptocurrency mining codes on your network. Furthermore, because of their low visibility, these threats can have a prolonged dwell time as they operate unnoticed.
- IoT devices can be a subtle route for hackers to steal your enterprise’s data. A North American casino learned this first-hand when it discovered hackers had stolen gigabytes of its data via an IoT-connected fish tank.
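The missing certificate check from the list above can be audited in device client code. The following is an added example, not part of the original article: it uses Python's standard `ssl` module, and the function name `audit_client_context` is hypothetical.

```python
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that leave a TLS client open to interception."""
    findings = []
    # Without chain verification, any certificate is accepted,
    # including one presented by an interceptor on the path.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    # Without hostname checking, a valid certificate issued for a
    # different host is accepted as if it belonged to the real server.
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    # Old protocol versions weaken the channel even when certificates are checked.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed example of the setting often shipped in device firmware."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: verify the chain and the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or "no findings")
```
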
IoT Devices Could Be Spying on Your Enterprise
Cybersecurity experts are divided on the likelihood of hackers actually using your enterprise’s IoT devices to spy on you directly. But the precedent certainly exists. As just one example, Amazon’s Echo is always listening even when not spoken to, and in at least one case has supplied investigators with recorded auditory data of a crime. Smart televisions have been used by nation-states to visually spy on targets, as another example.
Whether hackers are spying on your enterprise or not via your IoT devices, it definitely represents a worst case scenario for your enterprise. Imagine having a phone call near an Amazon Echo about proprietary data and someone else taking notes. Or discussing company credit cards while a wireless microphone records the entire conversation. It’s a nightmare scenario, but one that is becoming increasingly plausible.
Your Enterprise Could Be Part of a Botnet
We’ve written before that a botnet is a network of devices, each running an automated task (bot), in this case unwillingly. Hackers can use botnets to coordinate attacks (like a DDoS attack), thefts, spam, bitcoin mining, and access-cracking to much more devastating effect than an individual bot. And a botnet can’t be cured easily: each infection point must be cleansed individually.
Think of all the IoT devices in your enterprise. Now think of all those devices at once turning against you, overwhelming your servers and crippling your operations. These DDoS attacks can take down your enterprise’s network, costing you (potentially) millions in downtime, lost revenue, and a potentially tarnished reputation. The devastation of a DDoS attack stemming from IoT devices cannot be overstated. The Mirai botnet attack took down large swathes of the Internet not too long ago.
Why Does this Endpoint Security Hole Persist?
More often than not, it is because the IoT remains forgotten. Merely changing the password and default user settings on your enterprise’s IoT devices isn’t enough. When considering an endpoint security solution for your enterprise, see how it protects IoT devices and whether those protections are sufficient for your enterprise.
Remember: the IoT revolution means that more devices entering your network will have these vulnerabilities. The time to prepare and secure is now.