IoT Is Here Whether You Like Them on Your Network or Not

Personal Internet-connected electronics, designed primarily for home use, are rapidly finding their way into the enterprise. From web-enabled streaming video cameras to connected digital picture frames to large commercial refrigerators, it feels as though everything in our lives is now connected to the Internet. Remember when “Shadow IT” wasn’t a thing and the biggest concern we had was that someone would bring in an external modem so that they could remotely connect? Those were the days.

Now we have to worry about what our users are bringing into the office that might connect to the Internet, must connect to the Internet to operate, or may be exploited for malicious data exfiltration. Welcome to the Internet of Things (IoT).

I’ll draw on an example from some research I performed back in January of this year. Shortly after Google announced that they were acquiring Nest, I started poking around to see exactly what the thermostats could communicate with. A quick Google search for nest firewall ports (which is what I commonly append to a product/application term when looking for what ports are used) provided 433,000 results. Phew, that’s a lot. After looking at several pages, the general consensus from Nest users was that port 9543/tcp needed to be allowed through their respective home routers for the product to work. One page provided the FQDN that the Nest thermostat connects to a domain in the format of:

The domain is hosted in Amazon AWS and uses an IP address associated with Amazon’s Elastic Load Balancing (ELB) service, likely to help distribute the load across multiple guest instances. It’s probably safe to assume that Nest is using Amazon’s VPC functionality given the number of devices it has claimed to have sold to date (~1 million according to a Forbes post). Unfortunately, without getting the device-to-server count directly from Nest, I doubt we’ll ever really know the final number. It’s also probably safe to assume that the IP addresses employed by Nest are load balanced (using ELB) to the servers within its VPC network.

This workflow, though somewhat time consuming, would be invaluable data to help decide if I wanted to utilize this device on my home or corporate network.

5 Things to Consider When Evaluating Internet of Things Devices

Before rushing to open unfettered access for an employee’s shiny new toy, here are some tips on how to evaluate IoT devices prior to allowing them on your corporate network:

  1. Create a separate IoT network that allows for Internet access but limits (or blocks) connectivity to internal network systems. Does a digital picture frame need to be on the same network as your HR systems? Probably not. Isolate the non-enterprise devices to their own network.
  2. Design a policy that evaluates new Internet of Things devices prior to allowing them on your network. If a user wants to use their shiny new Internet connected toy at work, ask them to borrow it for an afternoon to research it. The only thing they could say is “no”, at which point you can tell them the device won’t be connected to the network – or the device is relegated to the new IoT network mentioned above.
  3. Read as much online documentation about the specific device as possible. This is likely going to be the most difficult aspect of this testing plan as few IoT vendors detail the ports and protocols required for proper Internet-bound communication. Most simply say “Allow https on your router to the Internet” which, in the enterprise, simply isn’t informative enough. Nor is it smart to allow unfettered access for any Internet-connected system. The ‘principle of least privilege’ must be applied.
  4. As nearly all IoT devices utilize standard SSL to encapsulate their respective data streams (i.e. https) you may want to consider deploying a deep packet inspection (DPI) tool that has the ability to decrypt SSL communications. Alternatively, you may need to deploy separate SSL-decryption technology if your DPI tool lacks the ability. Decrypting SSL may not be necessary to understand how the device operates, but you may find it important if you’re concerned about hidden data leaving the network.
  5. Consider dusting off that old 10/100 hub, connecting the IoT device to a test network, and running a packet capture tool against its communications to understand how the device works. Though somewhat time-consuming, this approach allows for a deep understanding of how new IoT devices will work on your network. I recommend using something as simple as tcpdump, tshark, or Wireshark for the visually inclined. Also, keep a sample of the traffic in case you need to revisit the communications requirements during an incident response or forensic exercise.

Hopefully these tips will help you think about evaluating IoT devices in the enterprise. Consumer devices are coming, whether you like them on your network or not. How you handle their deployment, however, is entirely up to you.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read