Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/25/2020
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Report: Shadow IoT Emerging as New Enterprise Security Problem

Much of the traffic egressing enterprise networks are from poorly protected Internet-connected consumer devices, a Zscaler study finds.

When it comes to protecting against Internet of Things (IoT)-based threats, many organizations seem have a lot more to deal with than just the officially sanctioned Internet-connected devices on their networks.

A new analysis by Zscaler of IoT traffic exiting enterprise networks showed a high volume associated with consumer IoT products, including TV set-top boxes, IP cameras, smart watches, smart refrigerators, connected furniture, and automotive multimedia systems.

In some cases, the traffic was generated by employees at work, for instance, checking their nanny cams or accessing media devices or their home security systems over the corporate network. In another instances, consumer-grade IoT devices installed in work facilities, such as smart TVs, generated a lot of the IoT traffic.

Though all IoT devices — authorized and unauthorized — that Zscaler observed used at least some level of encryption, a startling 83% of IoT transactions were happening over plain-text channels, making it vulnerable to eavesdropping, sniffing, and man-in-the-middle attacks.

"We are noticing a big increase in IoT device traffic eggressing the enterprise network," says Deepen Desai, vice president of security research at Zscaler.  

As recently as last May, the volume of IoT traffic generated by Zscaler's enterprise customer base was in the range of 56 million transactions per month. Currently it is around 33 million transactions a day, or roughly 1 billion transactions per month. As a proportion of all Internet transactions that Zscaler processes, the volume of IoT-related traffic is still relatively small but is growing very fast, Zscaler said.

While the traffic increase itself is in keeping with previous predictions about IoT growth, the concern is the number of unauthorized, consumer-oriented shadow-IoT devices that are showing up on enterprise networks, Desai says. Many of these devices have insecure configurations, use default passwords, and present relatively easy targets for attackers. New exploits that target IoT devices are constantly surfacing, and attackers are actively looking to exploit vulnerabilities in connected cameras, DVRs, and home routers, he says.

Zscaler's analysis of some 500 million transactions from more than 2,000 organizations over a two-week period uncovered traffic from a total of 553 unique devices across 21 categories from 212 manufacturers. TV set-top boxes accounted for nearly 30% of the IoT devices that Zscaler discovered across the organizations in its study. Three of the other IoT devices among the top five were consumer products as well — smart TVs, smart watches, and media players.

The top authorized devices that Zscaler discovered in its study — including wireless barcode readers, digital signage media players, medical systems, industrial control devices, and payment terminals — were significantly smaller in number compared to the unauthorized IoT devices. However, and somewhat unsurprisingly, these devices were the ones that generated most of the IoT traffic on the networks.

The situation highlights the need for enterprises to enable greater visibility into IoT traffic on their networks, Desai says. Without knowing what's on their networks, administrators are going to find it very hard to manage the problem.

"Organizations need to understand the risk," Desai says. They need to be able to identify and separate the authorized IoT traffic on the network from the traffic generated by vulnerable and poorly secured consumer device. "If your MRI [machine] is talking back to the Internet, there could be many other devices [doing it] as well," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "SSRF 101: How Server-Side Request Forgery Sneaks Past Your Web Apps."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25252
PUBLISHED: 2021-03-03
Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file.
CVE-2021-26813
PUBLISHED: 2021-03-03
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
CVE-2021-27215
PUBLISHED: 2021-03-03
An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. A specific authentication method during login does not check the...
CVE-2021-3419
PUBLISHED: 2021-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-15937
PUBLISHED: 2021-03-03
An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard.