Are IoT Devices Putting Your Organization at Risk?

Credit: LeoWolfert/Shutterstock

In the offices of today’s small and midsize business, you might find a vast array of smart devices, such as printers, cameras, utility sensors and door locks, all of which can communicate with other devices through wireless connections. Even the staff break room is beginning to benefit from next-generation technologies, such as smart refrigerators and smart coffee makers.

Although the internet of things (IoT) has ushered in a wealth of efficiency through connectivity, it has also created millions of new attack surfaces due to weak security design or administrative practices. Not only have devices themselves been attacked and compromised, hackers have used the devices collectively in botnets to launch distributed denial-of-service (DDoS) attacks against websites and company networks. The Krebs on Security website, for example, sustained one of the most powerful attacks to date, in which the Mirai malware “zombie-ized” a bevy of IoT devices connected to the internet that were running factory-default usernames and passwords. 

Many IoT devices weren’t designed with strong, configurable security. Some devices have a hard-coded password that can’t be changed without a firmware update, which may not be available because the vendor simply hasn’t created it or the product is no longer supported. Another potential problem is malware infection of apps that control IoT devices.

David Britton, vice president of industry solutions, fraud and identity at Experian, warns that Universal Plug and Play (UPnP) is a related concern, especially regarding wireless routers.

“Several routers support this auto-connecting capability, and some have UPnP enabled by default,” Britton said. “UPnP allows devices to immediately recognize and connect to a network, and even establish communications with other devices on the network without any human intervention or configuration. The challenge from a security perspective is that there is reduced visibility or control to the administrator as to when those devices come online, or what security permissions they may be invoking.”

Britton also points out that the diverse set of technologies and connection protocols used by IoT devices, such as Wi-Fi, Bluetooth, RFID and ZigBee, present an additional layer of complexity. Each type of connectivity comes with different levels of security and different administrative tools. For small shops that don’t have in-house tech support, trying to stay on top of it all is difficult at best, making them even more vulnerable to attack.

So, what’s the solution to the IoT security debacle?

Johannes Ullrich, dean of research at SANS Technology Institute, says that “organizations need to start by controlling the acquisition and inventorying of IoT devices.” In his SANS Internet Storm Center article, Ullrich details pertinent questions to ask vendors during the product evaluation phase, regarding things like how long the vendor plans to release security updates and how the vendor implements encryption.

Britton thinks a comprehensive inventory is important too, stating that it should track firmware versions, date of last update, ports used by IoT devices and the last date when passwords were updated, among other items. He also recommends setting a recurring task in your calendar to update, modify and verify the end of life for IoT devices, to avoid security vulnerabilities inherent in legacy devices.

Both Ullrich and Britton believe it’s critical to change the default password on each IoT device before connecting it to a network. A device lacking adequate security can open a door into your network, which a hacker can exploit in seconds and move on to access other connected devices.

They recommend enabling strong security across all Wi-Fi networks, which involves things like enforcing strong router and network passwords, using encryption, and limiting network access (from the internet whenever possible) via a firewall. For wireless routers, Britton says to disable the UPnP configuration on the router to avoid any unwanted device connections. If an IoT device supports two-factor authentication, take advantage of it. This may be as simple as getting a code that must be entered when you log in to the device, which adds another layer of protection.

Our sources also advised being vigilant in managing installed applications. Download applications only from reputable providers or those created by trusted entities, and run up-to-date anti-malware software on IoT devices or those used to configure IoT devices.

Finally, make alerts and notifications, and testing and verification, part of your best practices checklist. Ullrich recommends signing up with each vendor to be notified when patches are released, and putting systems in place that alert you if an unauthorized device is connected to your network. On the testing front, be sure to test devices that connect to a vendor’s cloud services to ensure they’re protecting data sufficiently. Find out how the device authenticates to the vendor’s systems and if the data is properly encrypted – it should use the Transport Layer Security (TLS) protocol for transmissions.

For more cybersecurity tips, visit our Business News Daily guide.