IoT Is Here Whether You Like Them on Your Network or Not

Personal Internet-connected electronics, designed primarily for home use, are rapidly finding their way into the enterprise. From web-enabled streaming video cameras to connected digital picture frames to large commercial refrigerators, it feels as though everything in our lives is now connected to the Internet. Remember when “Shadow IT” wasn’t a thing and the biggest concern we had was that someone would bring in an external modem so that they could remotely connect? Those were the days.

Now we have to worry about what our users are bringing into the office that might connect to the Internet, must connect to the Internet to operate, or may be exploited for malicious data exfiltration. Welcome to the Internet of Things (IoT).

I’ll draw on an example from some research I performed back in January of this year. Shortly after Google announced that they were acquiring Nest, I started poking around to see exactly what the thermostats could communicate with. A quick Google search for nest firewall ports (which is what I commonly append to a product/application term when looking for what ports are used) provided 433,000 results. Phew, that’s a lot. After looking at several pages, the general consensus from Nest users was that port 9543/tcp needed to be allowed through their respective home routers for the product to work. One page provided the FQDN that the Nest thermostat connects to a domain in the format of:

The domain is hosted in Amazon AWS and uses an IP address associated with Amazon’s Elastic Load Balancing (ELB) service, likely to help distribute the load across multiple guest instances. It’s probably safe to assume that Nest is using Amazon’s VPC functionality given the number of devices it has claimed to have sold to date (~1 million according to a Forbes post). Unfortunately, without getting the device-to-server count directly from Nest, I doubt we’ll ever really know the final number. It’s also probably safe to assume that the IP addresses employed by Nest are load balanced (using ELB) to the servers within its VPC network.

This workflow, though somewhat time consuming, would be invaluable data to help decide if I wanted to utilize this device on my home or corporate network.

5 Things to Consider When Evaluating Internet of Things Devices

Before rushing to open unfettered access for an employee’s shiny new toy, here are some tips on how to evaluate IoT devices prior to allowing them on your corporate network:

  1. Create a separate IoT network that allows for Internet access but limits (or blocks) connectivity to internal network systems. Does a digital picture frame need to be on the same network as your HR systems? Probably not. Isolate the non-enterprise devices to their own network.
  2. Design a policy that evaluates new Internet of Things devices prior to allowing them on your network. If a user wants to use their shiny new Internet connected toy at work, ask them to borrow it for an afternoon to research it. The only thing they could say is “no”, at which point you can tell them the device won’t be connected to the network – or the device is relegated to the new IoT network mentioned above.
  3. Read as much online documentation about the specific device as possible. This is likely going to be the most difficult aspect of this testing plan as few IoT vendors detail the ports and protocols required for proper Internet-bound communication. Most simply say “Allow https on your router to the Internet” which, in the enterprise, simply isn’t informative enough. Nor is it smart to allow unfettered access for any Internet-connected system. The ‘principle of least privilege’ must be applied.
  4. As nearly all IoT devices utilize standard SSL to encapsulate their respective data streams (i.e. https) you may want to consider deploying a deep packet inspection (DPI) tool that has the ability to decrypt SSL communications. Alternatively, you may need to deploy separate SSL-decryption technology if your DPI tool lacks the ability. Decrypting SSL may not be necessary to understand how the device operates, but you may find it important if you’re concerned about hidden data leaving the network.
  5. Consider dusting off that old 10/100 hub, connecting the IoT device to a test network, and running a packet capture tool against its communications to understand how the device works. Though somewhat time-consuming, this approach allows for a deep understanding of how new IoT devices will work on your network. I recommend using something as simple as tcpdump, tshark, or Wireshark for the visually inclined. Also, keep a sample of the traffic in case you need to revisit the communications requirements during an incident response or forensic exercise.

Hopefully these tips will help you think about evaluating IoT devices in the enterprise. Consumer devices are coming, whether you like them on your network or not. How you handle their deployment, however, is entirely up to you.

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today