Internet of Things (IoT) devices are proliferating into unanticipated areas of businesses and personal lives. The explosion of IoT devices follows the familiar pattern of the bring-your-own-device (BYOD) movement, which has infiltrated the same spaces. What differentiates the two categories is the number of items and the cost of individual devices. But while the differences are substantial, IT can learn from its experience securing the BYOD population.

Threats Hidden in Plain Sight

The introduction of BYOD into the enterprise may have been unauthorized, but the products were typically not hidden. The smartphones, smart watches and other intelligent devices were generally used in plain sight. The risk they posed was that personal devices used for work purposes allowed unauthorized and unsecured access to enterprise systems. The fact that enterprise-level products could be put into service without IT oversight or proper security precautions took analysts by surprise. It also generated a rush to create software and services that could be installed on user-owned units and in enterprise infrastructure to reduce the threats they posed.

Similarly, IoT products carry a variety of robust technical capabilities, such as communication and data transfer. They are also arriving without IT authorization or vetting. This time, however, they are not in plain sight: in many cases, the IoT components are embedded as part of some larger product. Most importantly, like BYOD, IoT devices notoriously lack security.

The Internet of Everything

IoT devices are often small and inexpensive components that add smart capabilities to the products that host them. Consumer products such as thermostats, smart TVs and refrigerators benefit from communications, sensor reading, and video and sound recording. In the enterprise, IoT devices such as copy machines, HVAC systems, VoIP phone systems and intelligent subsystems can be breached in under three minutes, according to a ForeScout report.

Unlike BYOD devices, which are comparatively few in number and generally costlier, IoT devices number in the billions and often cost just a few dollars. Manufacturers have little incentive to enable security measures in each device. Even if they did, standards for IoT security implementation have yet to be ratified.

Securing IoT Devices

You should assume that smart products currently exist in your enterprise. Here are the most important steps to take to manage and secure these devices.

  • Identify which devices have communication capabilities. If a device connects to your network and sends alerts, communicates with its manufacturer for warranty updates or provides any other indication that it is using its network connection to reach outside the enterprise, add it to your list of enabled systems.
  • Connect devices to your network only if there is a demonstrable benefit. If a device can function properly without a network connection or if its connection only provides marginal utility, disconnect it and test its functionality. Before reconnecting, ask the manufacturer how the product is intended to communicate and what measures have been taken to secure it.
  • Create a separate network specifically for smart device connections.
  • Disable Universal Plug and Play (UPnP). Do not allow automatic discovery and connection for networked devices. Make certain that any devices that request network access are reviewed for security and connected to the proper network segment.
  • Update firmware where possible. Contact manufacturers for firmware updates and ask what steps they have taken to add security measures to the systems you use.
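
As an added example (not from the original article), the first, third and fourth steps can be checked against network flow records: which smart devices reach outside the enterprise, which send UPnP discovery traffic, and which sit outside the dedicated segment. The address ranges, the IoT subnet, the candidate device list and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed enterprise address space and dedicated smart-device segment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# UPnP discovery (SSDP) uses this multicast group and UDP port.
SSDP = (ipaddress.ip_address("239.255.255.250"), 1900)

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.4.20", "203.0.113.7", 443),       # copier on the office LAN calling out
    ("10.1.4.20", "239.255.255.250", 1900),  # same copier sending UPnP discovery
    ("10.50.0.11", "198.51.100.9", 8883),    # HVAC controller on the IoT segment
    ("10.1.4.31", "10.1.0.5", 445),          # workstation, not a smart device
]

def is_external(ip):
    """True when the destination lies outside the enterprise address space."""
    return not (ip.is_multicast or any(ip in net for net in INTERNAL_NETS))

def audit_flows(flows, candidates):
    """Summarize traffic for each candidate smart device seen in the flows."""
    report = {}
    for src, dst, port in flows:
        if src not in candidates:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        entry = report.setdefault(
            src, {"external": set(), "upnp": False, "on_iot_segment": s in IOT_SEGMENT})
        if (d, port) == SSDP:
            entry["upnp"] = True
        elif is_external(d):
            entry["external"].add(f"{dst}:{port}")
    return report

def enabled_systems(report):
    """Devices to record as network-enabled: seen reaching outside the enterprise."""
    return sorted(ip for ip, e in report.items() if e["external"])

def needs_action(report):
    """Devices using UPnP discovery or connected outside the IoT segment."""
    return sorted(ip for ip, e in report.items()
                  if e["upnp"] or not e["on_iot_segment"])

if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS, {"10.1.4.20", "10.50.0.11"})
    print("enabled systems:", enabled_systems(result))
    print("needs action:", needs_action(result))
```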

The population of IoT-enabled systems in the enterprise will continue to grow. IT must act now to establish procedures to evaluate the connections and systems currently in use and add appropriate evaluation criteria to standard purchasing procedures for new additions.
