Research finds consumer-grade IoT devices showing up... on corporate networks
Considering the slack security of such kit, it's a perfect storm
Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.
According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."
The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.
Smart lightbulbs, heart rate monitors, gym equipment, coffee machines, and even smart pet feeders were all found on corporate networks during 2021, Palo Alto Networks said. Such devices are infamously poorly secured – but in the COVID-19 work-from-home era, such devices being adjacent to corporate networks presents a problem for blue teams.
"Remote workers need to be aware that IoT devices could be compromised and used to move laterally to access their work devices if they're both using the same home router, which in turn could allow attackers to move onto corporate systems," said Palo Alto.
Poor IoT device security stems mainly from manufacturers' desire to keep price points low, cutting security out as an unnecessary overhead.
This approach inadvertently exposed large numbers of easily pwned devices to the wider internet – causing such a headache that governments around the world are now preparing to mandate better IoT security standards.
Even IoT trade groups have woken up to the threat, albeit perhaps the threat of regulation rather than the security threat, but if that's what it takes, the outcome is no bad thing.
- Mobile app security standard for IoT, VPNs proposed by group backed by Big Tech
- So you're doing an IoT project. Cute. Let's start with the basics: Security
- IoT security? We've heard of it, says UK.gov waving new regs
- The Internet of Things is a security nightmare, latest real-world analysis reveals: Unencrypted traffic, network crossover, vulnerable OSes
Half of respondents said they worried about attacks against their industrial IoT devices, with 46 per cent being similarly worried about connected cameras being compromised. Smart cameras are a tried-and-trusted compromise method for miscreants – and some vendors are better at securing their gear than others, as past incidents have shown.
More than a third (37 per cent) of respondents to Palo Alto's latest survey said they were worried about connected home devices being breached. Perhaps in light of today's findings that number might increase a little. ®