Shadow IoT poses growing threat to network security
Without policies and a visible inventory of incoming IoT technology, organizations put their network and data at risk from unauthorized access on inherently unsecure devices.
Enterprise leaders implement millions of devices each year to build their IoT deployments, but they're not the only ones who connect to corporate networks. Employees also deploy a staggering number of smart devices in the workplace, with many unsanctioned for use. This trend -- known as shadow IoT -- puts organizations at risk.
Shadow IoT, much like shadow IT, creates a security risk because IT and IT security departments have no visibility into the devices, and what can't be seen can't be monitored or protected.
"It poses a serious threat to organizations, as it provides a vector through which malicious traffic can easily run through undetected," said Michela Menting, digital security research director at tech market advisory firm ABI Research.
The use of unsanctioned technology is nothing new for IT and security executives, who have contended for decades with shadow IT. Experts define shadow IT as the implementation and use of hardware and software that has not been authorized or approved by the technology department nor scrutinized by the security team.
Shadow IoT expands the challenge that IT and security leaders face. They must balance support for technology that makes workers' jobs easier and protection against cybersecurity threats.
"It is often quite easy for individuals to add internet-connected devices or networks of devices to corporate networks without IT's knowledge or approval. Typically, users are adding these devices for personal convenience or to help them do their job, without understanding that they are potentially adding risk to the enterprise environment. The vast majority of these devices are not secure by design," said Andrew Howard, CEO at Kudelski Security, a global cybersecurity company.
In IT automation and security firm Infoblox's report What is Lurking on Your Network: Exposing the threat of shadow devices, researchers found the most common types of shadow IoT devices to be fitness trackers; digital assistants, such as Amazon's Alexa; smart TVs; smart kitchen devices, such as connected microwaves; and game consoles, such as Xbox and PlayStation.
Other shadow IoT devices could include wireless printers, wireless thermostats and surveillance cameras, which the facilities department or workers can easily install without IT or security professionals.
Some organizations also find employees connect smart speakers, connected lights and Raspberry Pi hardware. The Raspberry Pi is a small single-board computer that owners can configure to do any number of tasks, said Anthony James, Infoblox's vice president of product marketing.
"It's coming down more to the personal items that people are connecting -- devices that don't require a lot of technical savvy," James added. "All those things that have an IP address, and they've become a big blind spot for a lot of organizations."
How shadow IoT threatens organizations
Smartwatches and connected appliances may seem innocuous, but experts stress that shadow IoT poses a significant risk to organizations.
A top concern is the frequent lack of embedded security in the devices themselves.
"Many IoT devices lack basic security functionalities, whether that is embedded hardware security, or security software due either to low capacity, low computing resources [or] limited battery. This means they can be easily subverted or intercepted," Menting said.
Hackers can use the lack of embedded security as an entry point into corporate networks, where privilege escalation then gets them access to more restricted and more sensitive information.
This vulnerability, together with the overall increase in the number of IoT devices, further entices bad actors to hack or target devices for botnets and denial-of-service or distributed denial-of-service attacks, Menting said.
This isn't a hypothetical scenario; such attacks already happen. Hackers were able to steal 10 GB of data from a North American casino in 2017 after gaining access to corporate networks via an internet-connected fish aquarium.
Experts expect the number of attacks that target IoT, as well as the sophistication of those attacks, to grow as the number of connected devices climbs. In its 2020 report on IoT in the enterprise, ThreatLabZ, the research division of cloud security organization Zscaler, detailed the rise of both shadow IoT as well as the attack risk. Blocked malware attempts were at 14,000 a month in early 2020, up from 2,000 pieces of IoT-based malware in May 2019 -- a seven-fold increase in less than a year.
Guarding against the threats of shadow IoT
IT and security leaders aren't powerless against shadow IoT or the hackers who target connected devices. Experts recommend that organizations control the risk that unsanctioned devices pose with policies for people, processes and technology to follow.
"Visibility is the first step for either prevention or remediation of a shadow IoT problem. Organizations must understand what devices are connected to their networks before they can effectively address the challenge," Howard said.
Enterprise IT and security leaders must determine what policies should govern devices connecting to the organization's networks. They also should create an inventory of devices connected to the network by using technologies such as IP address management tools. Then they can use automation and threat intelligence to enforce policies and guard against hackers.
Organizations must build in security and effective management from the start. There are IoT-focused tools on the market that enable visibility and provide context for how much risk a particular IoT device poses, Howard said.
Organizations can develop and apply a policy-based approach to isolate or block unknown IT and IoT devices that attempt to connect to corporate networks. This way, many organizations can approve unknown device connections, but only to a network segment specifically for untrusted devices that has no access to corporate resources.
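As an added illustration of the inventory-then-isolate policy described above (example code written for this page, not from the article or any vendor quoted in it), the script below triages constructed DHCP lease records against a constructed approved-device inventory: inventoried MACs stay on the corporate VLAN, an unlisted device that presents an inventoried hostname is blocked, and everything else is placed on a quarantine segment. The lease format, MAC addresses, VLAN numbers and OUI table are all assumptions.

```python
"""Added example, not from the article or any vendor: triage DHCP lease
records against an approved-device inventory and route unknown devices
to an isolated quarantine VLAN. Every value below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed approved-device inventory keyed by MAC, as an IPAM/asset DB would hold it.
APPROVED = {"aa:bb:cc:00:00:01": "corp-laptop-017",
            "aa:bb:cc:00:00:02": "printer-floor2"}
# Illustrative OUI hints (first three octets -> vendor class); verify any
# prefix against the IEEE OUI registry before relying on it.
OUI_HINTS = {"b8:27:eb": "raspberry-pi", "aa:bb:cc": "corp-hardware"}

CORP_VLAN = 10          # production segment
QUARANTINE_VLAN = 999   # untrusted segment with no route to corporate resources

# Constructed lease format: "<ip> <mac> <hostname>"
LEASE_RE = re.compile(
    r"^(?P<ip>[\d.]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S*)$", re.I)

@dataclass
class Decision:
    mac: str
    action: str            # "allow", "quarantine" or "block"
    vlan: Optional[int]    # None when the port is blocked outright
    reason: str

def classify(lease_line: str) -> Decision:
    """Apply the policy to one lease record; unparseable input raises."""
    m = LEASE_RE.match(lease_line.strip())
    if not m:
        raise ValueError(f"unparseable lease line: {lease_line!r}")
    mac, host = m["mac"].lower(), m["host"].lower()
    if mac in APPROVED:
        return Decision(mac, "allow", CORP_VLAN, f"inventory match: {APPROVED[mac]}")
    vendor = OUI_HINTS.get(mac[:8], "unknown vendor")
    # An unlisted device presenting an inventoried hostname is a spoofing signal: block and alert.
    if host in APPROVED.values():
        return Decision(mac, "block", None, f"hostname {host!r} belongs to an inventoried device")
    return Decision(mac, "quarantine", QUARANTINE_VLAN, f"not in inventory ({vendor})")

def triage(leases: str) -> list[Decision]:
    """Classify every non-empty line of a lease dump."""
    return [classify(line) for line in leases.splitlines() if line.strip()]

SAMPLE_LEASES = """\
10.0.1.17  aa:bb:cc:00:00:01  corp-laptop-017
10.0.1.42  b8:27:eb:12:34:56  raspberrypi
10.0.1.43  de:ad:be:ef:00:01  printer-floor2
10.0.1.44  00:11:22:33:44:55  smart-tv
"""

if __name__ == "__main__":
    for d in triage(SAMPLE_LEASES):
        print(f"{d.mac}  {d.action:<10} vlan={d.vlan}  {d.reason}")
```

In practice the lease dump would come from the DHCP server or IPAM export and the decisions would be pushed to the switch or NAC as VLAN assignments.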