You’ve heard all about shadow IT, but there’s another shadow lurking on your systems: Internet of Things (IoT) devices.
These smart devices are the IoT in shadow IoT, and they could be maliciously or unintentionally exposing information. Threat actors can use that to access your systems and sensitive data, and wreak havoc upon your company.
A refresher on shadow IT: shadow IT comes from all of the applications and devices your employees use without your knowledge or permission to get their jobs done and handle their work data. Some examples of shadow IT include departments purchasing and installing their own software, users making unauthorized changes to their endpoints and employees using cloud services that aren’t company standard.
Add a few IoT devices into the mix, and your security efforts are suddenly and obviously more vulnerable. However, what’s not as obvious is that the shadow IoT phenomenon can include things like multicolored light bulbs, coffee makers and Bluetooth speakers.
These devices pose new security risks for the enterprise, as IoT is typically not as secure as it should be. In 2021, 12.2 billion devices connected to the internet worldwide, with an expected growth up to 14.4 billion active connections in 2022. If you think none of those devices are shadow devices on your network, think again. According to Infoblox, 35% of U.S., UK and German companies have more than 5,000 shadow devices connected to their network on any given day.
Putting IoT to the test
TikTok personality and security engineer Jose Padilla (@secengineer) knows how to see which devices might be at risk. His frequent TikTok posts test different IoT devices to determine just how risky they are and examine what kind of network traffic the devices are outputting.
“The Mirai botnet was created almost entirely by IoT devices,” he said. “That’s what inspired me to start looking more into what these IoT devices are doing on my network. Of course, I want to use smart things. They’re very convenient. I obviously love technology. But as a security engineer, I always have to second guess these kinds of things.”
Padilla has tested almost two dozen devices and explains that he takes each through a rigorous process that requires at least three or four hours of sifting through logs to establish patterns to see if anything stands out.
A lightbulb moment for IT staff
What surprised Padilla most from his testing is the security issues arising from something as simple as a smart lightbulb. You can watch his video for more detail, but we won’t name the product here.
“It’s such a well-known brand; a premium IoT brand,” he said. “I expected it to go completely smooth and be boring, and it definitely wasn’t boring.”
Padilla explained that the traffic generated from the smart bulb would raise serious red flags for any security team.
Here are the highlights of what he discovered:
- Network traffic was “very, very noisy”
- Used Discovery Protocol to basically look at everything on his network
- Communicated with his Google Home services despite having turned that feature off
- Local LAN traffic was encrypted (this is not common with many smart devices)
- Traffic sent over the internet was not encrypted (also not at all common and a security risk).
What concerned Padilla the most was a vulnerability that, if exploited, could unleash significant damage.
“One of those things that I found was the authentication sessions,” he said. “The authentication sessions are the connection between the company’s cloud servers and the bulb’s smart hub itself. So if you wanted control from the cloud, this is the connection that’s going to do it.”
Risk spreads to other devices
Plus, he had this feature turned off in his tests, but the hub was still connecting to the cloud. All relevant tokens — the single sign-on token, the session token and the authentication token — were transmitting data in the clear.
According to Padilla, a similar bug or vulnerability was found in another of the manufacturer’s products a few years ago, a smart air filter, but was quickly fixed.
“There’s no excuse for IoT devices to send traffic over the Internet unencrypted,” he said. “It’s just opening up more risk. It’s another threat vector, whether it will be easy to exploit or not.”
Another link in the attack chain
While most of the attacks that could be potentially launched against the lightbulb are benign, there are proofs of concept that should raise eyebrows.
“We’ve seen that some light bulbs can have a faster flicker rate, and one potential attack could produce a strobe light effect,” he said. “It could be harmful to anyone that’s photosensitive. But those are more minor in comparison to some of the other attacks or vulnerabilities and proof classes I’ve seen for this lightbulb.”
Padilla explains that security testers were able to upload malicious firmware to the light bulb, and it was not difficult for them to control the light bulb and force an unsuspecting user to connect to a bad bulb. The attack chain would go from the bulb to their phone to the hub.
“The proof of concept demonstrates the kill chain that can happen from just controlling one device,” he said. “It’s not just turning a light on or off; it can go from there to either running code on your phone or the hub and it can get your network to trust those two devices. From there, the sky’s the limit.”
Defending against shadow IoT
Preventing threats resulting from shadow IoT is never easy. After all, shadow IT and shadow IoT are so named because IT teams are in the dark. But, like everything in cybersecurity, good cyber hygiene goes a long way. If your organization is already deploying network segmentation, vulnerability scans, pen tests and patch management, you’re many steps ahead.
“The thing I can advise for organizations wanting to use smart devices is the same thing I suggest for home users: put it on an isolated network and don’t allow it to talk to your main network,” he said. “Treat it as a completely untrusted zone. If the shadow IoT devices are on an isolated network, there should be a safe disconnect.”
It should also come as no surprise that the most basic of security basics should be prioritized.
“The same importance should be applied to patch management,” he said, adding that scanning devices for vulnerabilities via vulnerability assessments and pen tests are also critical.
Finally, for the best protection against shadow IoT, Padilla suggests companies apply principles that align with zero trust.
Whether it’s shadow IT, shadow IoT or other common threats, users will only have access to the resources they need and only to the devices they should have access to. And shouldn’t that be the table stakes for security policy today anyway?