We’re increasingly live in a truly wireless world
We can dim our lights with our voices, unlock our front doors with our phones, and have our refrigerators show us the weather. In our work lives, the rush towards wireless has moved even more quickly. We have ways of working more efficiently, and being more responsive and agile, that didn’t exist even five years ago.
This growth towards instant connection has been driven in part by the Internet of Things (IoT), a wireless, constantly connected, communication between all of our mobile and smart devices, that makes information sharing, collaborative activities, and schedule management instant and easy.
Like any networked resource, the IoT is vulnerable to those who would use it to gain advantage or do harm. As new smart devices enter the market, it seems that news reports of that device being hacked follows within weeks. Examples of the wireless baby monitor left unsecured that suddenly had a strange voice emanate from it or the feeds from security cameras being available for public viewing on the web are those that have recently been in the press. These types of hacks are often done to make mischief, or sometimes to prove a point about how easy the hack was.
If cybercriminals were intent on causing real, lasting damage to an organization by exploiting IoT vulnerabilities, the damages, both financially and to reputations, could be catastrophic. As more and more mobile and smart devices are connected to an organization’s networks, the more the risks increase, and the more holes open up in an otherwise strong defensive wall that had been in place for a wired network. Those who would attack and harm an organization are well aware of these deficiencies and will create attacks engineered specifically to exploit IoT vulnerabilities.
Any Device Is An Attack Surface
The first device we think of when we hear the term “smart” is a mobile phone, but in the IoT, any connected device is liable to be exploited: Printers, building systems, like security or HVAC, even the fridge or the light bulbs can be part of the IoT. Any of these devices can be vulnerable to attack by external agents. A hacker could affect the security system, such as the locks or security cameras, allowing unauthorized persons entry to the building. The HVAC system could be affected causing temperatures that could destroy equipment.
Even less obviously damaging attacks, that can seem like nuisance hacks, can cause great concern for an organization. VOIP phones or smart conferencing can be spied on allowing trade secrets to leak. Network printers that have been taken control of could expose sensitive information. Even something as innocuous as hacking a smart light bulb could allow cybercriminals to capture an organization’s WI-FI information allowing for further intrusion into their network.
By the very nature of an IoT being connected, once a device becomes infected, the threat can spread throughout the entire network, continuing to exploit vulnerabilities, and requiring IT security to attempt to keep up with the infection and limit the damage.
The necessity of security as part of an organization’s IT policy and processes is deeply ingrained in even the most old-fashioned of companies, but there is a curious blind spot when it comes to the IoT. A study commissioned by ForeScout Technologies shows that often organizations are not even aware of the number of connected devices they currently have on their networks (4 of 5 organizations surveyed). The obvious conclusion is that a network can not be secured if they do not know what devices are supposed to be there. Even more surprising was that over half of those surveyed were comfortable with a medium to high risk tolerance when considering the security of their IoT devices.
The very speed by which the IoT is growing contributes to the problem of how to maintain security practices. Often the rush to have the newest device can mean that the process of ensuring they are properly secure is missed. IT staff can simply not notice that one boss has the newest version of their phone, or conversely that another boss has an older version of their phone that hasn’t been updated in a very long time. With so many different devices in one organization it becomes difficult to create and enforce a standard security protocol for each device.
With proper tools, senior leadership buy-in, and strong enforcement of policies, organizations can defend themselves against the threat of IoT attacks, but they first must recognize that the threat exists.