By Brian Russell, Co-Chair, CSA IoT Working Group
Within the CSA Internet of Things (IoT) Working Group, we are researching various topics related to securing IoT implementations within an enterprise. One of the more interesting aspects of this subject is the role that consumer IoT devices play in enterprise security.
News of exploits against consumer IoT devices is common, and research into vulnerabilities related to poor development and configuration choices continues. Rapid7 recently published a significant research report on baby monitor exposure and vulnerabilities, which showed that many leading brands are still highly vulnerable. Download their report.
Another interesting aspect of consumer IoT security is the apparent inability to rely upon the consumer to safeguard the underlying network that IoT devices use to communicate. Consumers often favor usability over security, and in the past some consumer IoT device makers have deliberately made the same trade-off. This is somewhat understandable: most people would prefer not to configure unique security credentials for each IoT device that operates within their home. The concern is that each new, insecure point of connection in the home gives a malicious party a path to the other computing resources on that network, potentially exposing sensitive data such as passwords. This matters to an enterprise security practitioner because many people reuse the same passwords to protect both corporate and personal information and application access, so a credential captured at home can be turned against the enterprise.
Consumer IoT devices also do not always stay within the home. A report this year by OpenDNS provided a great deal of data showing that IoT devices, or the applications associated with them installed on staff computers, were often found communicating with services on the internet from the corporate network. In some cases, smart TVs were brought into the enterprise pre-configured to talk to service addresses and ports on the internet. In other cases, fitness trackers came with companion applications that staff loaded onto laptops or mobile phones, and those applications then communicated with the manufacturer through the corporate network. Read the OpenDNS report.
At this point, education is likely the best defense against the exposures that consumer IoT devices introduce to the enterprise. Security staff should be trained to identify when inappropriate devices and software are being used on the network, and all staff should be educated on the need to secure their connected home systems as part of a larger effort to keep data secure.
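As an added illustration of the kind of identification the previous paragraph calls for (example code written for this page, not from the CSA working group, Rapid7 or OpenDNS), the script below scans constructed DNS resolver log lines for corporate hosts that resolve names on a hypothetical watchlist of consumer-IoT service domains, and measures how regularly they do so, since a smart TV or a tracker companion app that is pre-configured to contact its vendor tends to beacon at a fixed interval. The log line format, the watchlist suffixes (all placeholder names under example.* domains) and the 10.0.0.0/8 corporate address range are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of DNS resolver query log lines, not real data.
# Assumed format: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2015-10-05T09:00:01 10.1.20.15 smarttv-telemetry.example.net
2015-10-05T09:00:31 10.1.20.15 smarttv-telemetry.example.net
2015-10-05T09:01:01 10.1.20.15 smarttv-telemetry.example.net
2015-10-05T09:02:14 10.1.30.77 sync.fitband.example.com
2015-10-05T09:02:15 10.1.30.77 mail.corp.example.org
2015-10-05T09:03:40 10.1.40.9 www.example.org
2015-10-05T09:05:02 192.0.2.44 sync.fitband.example.com
"""

# Hypothetical watchlist of consumer-IoT vendor service suffixes. A real
# deployment would build this list from its own research or threat intel.
IOT_DOMAIN_SUFFIXES = ("smarttv-telemetry.example.net", "fitband.example.com")

# Address space treated as the corporate network (assumed for the example).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_dns_log(text):
    """Parse log lines into (timestamp, client address, normalized query name)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname = parts
        records.append((datetime.fromisoformat(ts),
                        ipaddress.ip_address(client),
                        qname.lower().rstrip(".")))
    return records


def is_iot_domain(qname, suffixes=IOT_DOMAIN_SUFFIXES):
    """True when the name is a watchlisted domain or a subdomain of one."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def is_corporate(addr, nets=CORPORATE_NETS):
    return any(addr in net for net in nets)


def find_iot_beacons(records, min_hits=1):
    """Map each corporate client to the IoT service names it resolved and how often."""
    hits = defaultdict(lambda: defaultdict(int))
    for _ts, client, qname in records:
        if is_corporate(client) and is_iot_domain(qname):
            hits[str(client)][qname] += 1
    return {c: dict(d) for c, d in hits.items() if sum(d.values()) >= min_hits}


def query_intervals(records, client, qname):
    """Seconds between successive queries for one name from one client.

    A short, constant interval is the signature of a device or companion app
    that is pre-configured to check in with its vendor on a timer.
    """
    times = sorted(ts for ts, c, q in records if str(c) == client and q == qname)
    return [int((later - earlier).total_seconds())
            for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for client, domains in find_iot_beacons(recs).items():
        for name, count in domains.items():
            gaps = query_intervals(recs, client, name)
            print(f"{client} resolved {name} {count}x; intervals (s): {gaps}")
```

In the constructed sample, the host 10.1.20.15 resolves the smart-TV telemetry name every 30 seconds, which is the pattern a practitioner would want surfaced, while the query from 192.0.2.44 is ignored because it does not originate from the corporate range.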
Join the CSA IoT Working Group.
Brian Russell is the Chief Engineer/CyberSecurity for Leidos.