Organizations of all types are facing an emerging security threat in the internet of things — a security threat they have yet to come to grips with. The rapid adoption of connected devices, like webcams, printers, smart watches, HVAC systems, headsets, medical devices and others, has led to a dramatic rise in the number of devices being brought into corporate environments. In fact, Gartner estimates that as many as 8.4 billion devices are now in use. These devices connect employees and access and share critical business information. Unfortunately, companies can’t see or protect the majority of these new IoT devices in and around their businesses. This is the IoT security blind spot. In fact, our research shows companies can’t see 40% of the devices in their organization.
The design and function of IoT devices themselves also pose unique security challenges. There are three core challenges to protecting these new connected IoT devices. First, unlike desktops and laptops, this new wave of smart, connected devices doesn’t get the typical IT treatment, with supervised access control, antivirus and intrusion prevention software. Second, they use new connectivity protocols, such as Wi-Fi, Bluetooth, Zigbee and others, that are not addressed by traditional security systems, reinforcing the IoT security blind spot. Third, it’s impossible, or at least very impractical, to patch most IoT devices. In many instances, no patch or method for applying a patch or update even exists. If patches are available, they can take months to be released, and updating the devices is not as easy as what we experience with our smartphones. The result is billions of devices running antiquated operating systems and modules with documented but unpatched vulnerabilities.
Keep in mind, these devices are built to be accessible and always on, with minimal user maintenance. They are network-capable by default and designed to continually seek out connections, which means they are easy prey for attackers looking for a way into a corporate network. Each of these new devices is a new endpoint, with the ability to reach sensitive corporate data and resources, but without the capability of being secured the way a conventional endpoint is.
Taken together, these issues present a near perfect storm of risk — devices that are accessible, vulnerable and unprotected. Enterprises are just now confronting the reality of how to protect themselves.
We’re seeing more vulnerabilities specifically impacting IoT devices, too. Over the last year, there’s been a significant rise in airborne threats targeting IoT devices and using wireless networks. These include Reaper, aka IoTroop, which has infected more than a million IoT devices; the KRACK Wi-Fi encryption vulnerability; the Mirai botnet that took down much of the internet a year ago; and BlueBorne, the critical Bluetooth vulnerability our researchers discovered earlier this year impacting more than 5 billion devices. With attacks and threats like these growing, and IoT device adoption continuing to scale fast, enterprises are at a critical inflection point. If they don’t address these threats now, more devices will be deployed that aren’t protected and more attacks will be launched with devastating impacts on businesses.
So what can we do?
Protecting connected devices requires a new approach, one that does not require an agent to be installed, because an agent-based approach won’t work on these new devices. The new approach also needs to identify any device in a company — wired or wireless, on or off the corporate network. It needs to see the real behavior of each device — not just the type of device, but what it is doing and what devices or networks it is trying to connect to. And lastly, it has to be able to sanction devices, letting well-behaving devices access systems and denying access to devices acting suspiciously or improperly.
We’re at a turning point in the development and deployment of IoT devices. The attacks, exploits and vulnerabilities that use the wireless networks these devices rely on are only going to get worse. Now is the time for a new approach to address this problem. The IoT age can only deliver on the promise of better efficiency, convenience and insights if we ensure that data, devices and networks that rely on it are secure.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.