Report: Shadow IoT Emerging as New Enterprise Security Problem
Much of the traffic egressing enterprise networks are from poorly protected Internet-connected consumer devices, a Zscaler study finds.
February 25, 2020
When it comes to protecting against Internet of Things (IoT)-based threats, many organizations seem have a lot more to deal with than just the officially sanctioned Internet-connected devices on their networks.
A new analysis by Zscaler of IoT traffic exiting enterprise networks showed a high volume associated with consumer IoT products, including TV set-top boxes, IP cameras, smart watches, smart refrigerators, connected furniture, and automotive multimedia systems.
In some cases, the traffic was generated by employees at work, for instance, checking their nanny cams or accessing media devices or their home security systems over the corporate network. In another instances, consumer-grade IoT devices installed in work facilities, such as smart TVs, generated a lot of the IoT traffic.
Though all IoT devices — authorized and unauthorized — that Zscaler observed used at least some level of encryption, a startling 83% of IoT transactions were happening over plain-text channels, making it vulnerable to eavesdropping, sniffing, and man-in-the-middle attacks.
"We are noticing a big increase in IoT device traffic eggressing the enterprise network," says Deepen Desai, vice president of security research at Zscaler.
As recently as last May, the volume of IoT traffic generated by Zscaler's enterprise customer base was in the range of 56 million transactions per month. Currently it is around 33 million transactions a day, or roughly 1 billion transactions per month. As a proportion of all Internet transactions that Zscaler processes, the volume of IoT-related traffic is still relatively small but is growing very fast, Zscaler said.
While the traffic increase itself is in keeping with previous predictions about IoT growth, the concern is the number of unauthorized, consumer-oriented shadow-IoT devices that are showing up on enterprise networks, Desai says. Many of these devices have insecure configurations, use default passwords, and present relatively easy targets for attackers. New exploits that target IoT devices are constantly surfacing, and attackers are actively looking to exploit vulnerabilities in connected cameras, DVRs, and home routers, he says.
Zscaler's analysis of some 500 million transactions from more than 2,000 organizations over a two-week period uncovered traffic from a total of 553 unique devices across 21 categories from 212 manufacturers. TV set-top boxes accounted for nearly 30% of the IoT devices that Zscaler discovered across the organizations in its study. Three of the other IoT devices among the top five were consumer products as well — smart TVs, smart watches, and media players.
The top authorized devices that Zscaler discovered in its study — including wireless barcode readers, digital signage media players, medical systems, industrial control devices, and payment terminals — were significantly smaller in number compared to the unauthorized IoT devices. However, and somewhat unsurprisingly, these devices were the ones that generated most of the IoT traffic on the networks.
The situation highlights the need for enterprises to enable greater visibility into IoT traffic on their networks, Desai says. Without knowing what's on their networks, administrators are going to find it very hard to manage the problem.
"Organizations need to understand the risk," Desai says. They need to be able to identify and separate the authorized IoT traffic on the network from the traffic generated by vulnerable and poorly secured consumer device. "If your MRI [machine] is talking back to the Internet, there could be many other devices [doing it] as well," he says.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "SSRF 101: How Server-Side Request Forgery Sneaks Past Your Web Apps."
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024