How shadow IoT threatens enterprise network security

The rise of "bring your own device" culture within enterprise environments has created new opportunities to boost employee productivity and morale, yet it has also introduced a slew of security risks that many IT departments are unprepared for. With more companies opening their networks to personal devices each day, it's never been more important to assess the threats posed by unsecured endpoints. According to a study from Tech Pro Research, BYOD is utilized by roughly 59 percent of the organizations it surveyed, with an additional 13 percent planning to roll out policies in the near future. The trend is most prevalent in the manufacturing and education sectors, with small companies more likely to allow personal device use compared to larger organizations.

These findings are backed up by research from the software company, Syntonic, which found that six out of 10 enterprises already have a BYOD-friendly policy in place — what's more, around 87 percent of companies depend on employees who use personal devices to access key business apps. The growing reliance on BYOD norms doesn't end with laptops and smartphones, however, as companies have also seen a surge in wearable devices and IoT appliances connecting to their internal networks. In 2018, Infoblox released a report on "shadow IoT" devices that identified several unconventional pieces of hardware that have become common fixtures in enterprise environments, including:

• Personal fitness trackers
• Smart kitchen appliances
• Digital voice assistants
• Video game consoles
• Smart TVs

Infoblox's research also discovered that close to 35 percent of companies in the U.S., U.K. and Germany have more than 5,000 personal devices connecting to their networks each day, though their individual uses are anything but uniform. The study uncovered that 39 percent of U.S. and U.K. employees regularly connect to enterprise networks to download apps, games and films. These activities may seem harmless on the surface, yet they hold the potential to expose organizations to a number of cyber threats, such as social engineering hacks, phishing scams and malware injections. But before IT administrators can take action, it's important to first understand the full scope of the issue.

Personal devices lack the security oversight that IT administrators rely on.

What is shadow IoT?
According to a March 2019 article from CSO, shadow IoT refers to "internet of things devices or sensors in active use within an organization without IT's knowledge." As connected technologies and embedded devices have grown increasingly popular, IT teams have struggled to keep a firm grip on all of the endpoints connecting to their Wi-Fi networks. Everything from personal speakers to coffee machines may be outfitted with IoT capabilities, and many lack the enterprise-grade security features that companies usually rely on. While mobile device management software has helped IT administrators keep track of smartphones, tablets and laptops, most applications do not have intuitive security controls for appliances. Additionally, IoT-enabled kitchenware, voice assistants and smart TVs possess default credentials (usernames and passwords) supplied by the device manufacturer that must be manually updated by on-site IT security personnel to prevent unauthorized users from gaining access to the company's network.

One issue is that cybercriminals can easily locate unsecured endpoints by utilizing online search engines like Shodan, which seeks out internet-connected devices and provides detailed information on their banner information, FTP, HTTP and SSH services. Once they've been identified, hackers can exploit the security vulnerabilities in these devices to target enterprise networks with data theft operations, malware injections and ransomware attacks. But IoT toasters and smoothie machines aren't the only threats IT managers should be concerned about.

Vulnerable mobile apps are another weak point for personal IoT hardware, as researchers from the University of Michigan and Brazil's Federal University of Pernambuco discovered in a joint study on surface vulnerabilities of smart devices. The report looked at 32 apps that are commonly used to configure and manage the 96 best selling Wi-Fi and Bluetooth-enabled devices on Amazon, finding that 31 percent of the evaluated apps had no encryption process whatsoever, while another 19 percent possessed hard-coded encryption keys that were easy to reverse engineer. Companies and enterprise users that utilize these apps extend the attack vector of their network for would-be hackers, prioritizing the need for consistent and reliable security protocols moving forward.

How to mitigate shadow IoT security threats
The best way to ward off potential security breaches is to develop clear policies to govern what devices can and cannot access an enterprise network. However, internal regulations alone are not an adequate solution to the problem, as IT administrators are not omnipotent in their role as administrators. IoT device manufacturers do not follow any standardized practices for securing the hardware they develop, making it difficult to address the underlying firmware vulnerabilities. Security-minded companies increasingly rely on dependable networking tools that serve as a last line of defense for cybercriminals, such as fiber media converters and serial console servers.

Perle offers industry-grade connectivity tools that can help companies stay on top of their mission critical operations. Read some of our customer stories to find out how we've helped other companies improve their infrastructure and stay secure when it mattered most.