IoT – Are Your Employees Unwittingly Granting Access to Your Entire Network?

img blog IoT Are Your Employees Unwittingly Granting Access to Your Entire Network r1

Recently we wrote an article about the threats that employees introduce to your business when they use their own devices to gain access to your IT Infrastructure. “Infrastructure” includes: hardware, software, networking components, an operating system (OS), and data storage – all of which are used to deliver IT services and solutions. 

By bringing their own devices, the term suggests that employees are deciding to use their own devices to access your company’s infrastructure – with or without your knowledge or consent. But, what if they’re granting access to your entire network without their knowledge or consent?

Impossible? Think again. If employees access anything in your network when they are working from home (where they may have countless smart/IoT devices), or are working elsewhere while wearing an IoT – like a fitness tracking device – they are unwittingly exposing your company’s data to an exponential increase in cyber threats.   

In excerpts from a recent article by ACFE, they wrote, “While most people understand the importance of security when using personal computers and smartphones, far fewer recognize the perils posed by seemingly innocuous WiFi-enabled coffee makers, networked thermostats, and other smart products from the rapidly expanding Internet of Things (IoT).

The Internet of Things is the emerging environment of everyday objects that use embedded sensors to collect and transmit data through the Internet. IoT technology can be used to solve problems, optimize existing technology, and allow more seamless and personalized user experiences. 

Examples of useful IoT applications include wearable fitness devices (e.g., Fitbit), home-automation products (e.g., Nest) and smart parking systems. Unfortunately, the development of IoT technology tends to focus on innovative design rather than privacy or security. IoT devices commonly connect to networks using inadequate security and can be impractical to update when vulnerabilities are found.

As the number of potentially vulnerable smart products increases, so do the opportunities for fraudsters seeking alternate ways into otherwise secure networks. Furthermore, IoT devices often record huge volumes of sensitive data and personal information that must be protected from misuse and cyber criminals.

What Exactly is IoT, and What are the Pros and Cons?

In an article by carritech, they wrote, “Overall it is clear that the Internet of Things is something which will enable the world to do things with greater ease and efficiency than before. Being connected across the world can be a great step towards everyone working together for happier lives. 

That being said, we cannot ignore the threats to security and the environment that come with IoT. At present the market is growing at an exponential rate. Without proper considerations and safeguards we may be causing more damage than good.”

According to excerpts from an article by TechTarget, they wrote, “An IoT ecosystem consists of web-enabled smart devices that use embedded systems, such as processors, sensors and communication hardware, to collect, send and act on data they acquire from their environments. IoT devices share the sensor data they collect by connecting to an IoT gateway or other edge device where data is either sent to the cloud to be analyzed or analyzed locally. 

Sometimes, these devices communicate with other related devices and act on the information they get from one another. The devices do most of the work without human intervention, although people can interact with the devices — for instance, to set them up, give them instructions or access the data.

Additional Pros and cons of IoT

Some of the advantages of IoT include the following:

  • Ability to access information from anywhere at any time on any device;
  • Improved communication between connected electronic devices;
  • Transferring data packets over a connected network saving time and money; and
  • Automating tasks helps to improve the quality of a business’s services and reduces the need for human intervention.

Some disadvantages of IoT include the following:

  • As the number of connected devices increases and more information is shared between devices, the potential that a hacker could steal confidential information also increases.
  • Enterprises may eventually have to deal with massive numbers — maybe even millions — of IoT devices, and collecting and managing the data from all those devices will be challenging.
  • If there’s a bug in the system, it’s likely that every connected device will become corrupted.
  • Since there’s no international standard of compatibility for IoT, it’s difficult for devices from different manufacturers to communicate with each other.

Because IoT devices are closely connected, all a hacker has to do is exploit one vulnerability to manipulate all the data, rendering it unusable. Manufacturers that don’t update their devices regularly – or at all – leave them vulnerable to cybercriminals.

Additionally, connected devices often ask users to input their personal information, including names, ages, addresses, phone numbers and even social media accounts – information that’s invaluable to hackers.

Hackers aren’t the only threat to the internet of things; privacy is another major concern for IoT users. For instance, companies that make and distribute consumer IoT devices could use those devices to obtain and sell users’ personal data.”

Shocking IoT Security Statistics

In excerpts from an article by findstack, they wrote, “Since IoT is still in development, the discussion of its current trends and statistics is a hot topic. As such, we did some digging through the internet to find the most interesting IoT security statistics.

  • 48% of businesses admit they are unable to detect IoT security breaches on their network.

According to Gemalto, another worrying stat, 48% of businesses admit that they cannot detect IoT security breaches on their network. Nearly half of the companies that use IoT can’t identify when their network is compromised. As more businesses invest in IoT technology, we can only hope that this number decreases.

  • IoT devices are typically attacked within five minutes of connecting to the internet.

According to NETSCOUT, the average IoT device gets attacked just five minutes after it goes online. This trend is only expected to grow as more devices are connected every year. This explosion in cyberattacks was predicted right after it was introduced, and unfortunately, this has proven to be true.

  • 75% of cyberattack cases are carried out through routers

(Symantec)

It seems that the majority of cyberattacks on IoT devices are a result of network routers. Network routers are favored targets by many cybercriminals, with an average of 5,200 attacks per router per month.

  • 74% of global consumers worry about losing their civil rights because of IoT

Another worrying statistic, this one comes from an Economic Intelligence Unit survey. 74% of global consumers worry about losing their civil rights to IoT. 1,600 consumers across eight countries claimed that 92% want to control the type of personal information automatically collected.

  • Annual spending on IoT security measures increased to $631 million 

(Forbes)

As the IoT market grows, it’s only expected that the importance of securing and integrating IoT networks increases. The annual spending on IoT security increased to $631 million in 2021, a significant increase from 2016 with $91 million spent. This growth statistic assures us that IoT is headed for a massive boom in the next ten years.

Virtually every device that can connect to another device is considered as IoT, and the last few years have seen the IoT vision grow from theory to a major priority for many organizations. Although IoT is still in development and a hot topic right now, one thing is for sure – it’s here to stay.”

What Are the Most Popular IoT Devices?

According to excerpts from an article by Cujo, they wrote, “ The percentages provided here represent the popularity of IoT products among all connected devices, including smart phones and computers, to give readers a clearer view of the real scale IoT devices have in the online consumer ecosystem. The two dominant device categories – computers and smart phones – collectively make up around 62% of all connected devices.

IoT goes beyond popular things like smart TVs, wearable devices or smart home appliances. Today, there are dozens of categories of connected devices ranging from simple sensors to complex or unusual products.

1. Smart watches are the most popular IoT devices

The Internet went from the computer age to the mobile age, but there are some signals that we have another rapidly growing connected device segment — wearables, notably smart watches. Our real-world device data clearly shows that smart watches are third among all connected devices, trailing only smart phones and computers.

Smart watches have been around for many years, yet these devices have seen much slower adoption rates due to battery size and overall functionality. Nevertheless, in 2020-2021 smart watches are some of the fastest growing IoT devices in North America, and their popularity recently experienced several spikes.

2. Gaming consoles

Gaming consoles experienced two surges in popularity in the last 15 months: The first one happened when the quarantine started and a second one with the end of the year sales and holidays. While there are only a few leading console brands, their market penetration is quite significant, making gaming consoles some of the more common connected devices on home networks.

Our device distribution data also shows that the PlayStation 4 is by far the most popular gaming console, while the new PS5 has seen low usage due to unit shortages and scalpers buying up the stock and not using the devices themselves.

3. Smart TV sets and content streaming devices

Our data shows that smart TVs and other streaming devices have an established position in the market, yet their growth is slow. It is very likely that TVs and other traditional entertainment systems will not become the most popular IoT products in the near future. It is, however, interesting to watch the VR headset trends in our full report, which might signal a shift towards the new age of entertainment.

4. Voice control devices

At the end of 2020, voice control devices significantly increased in popularity after the holidays. Overall, these devices seem to have an established position in the IoT market.

5. Printers

Connected printers have always been among the most popular connected devices. Even though more businesses and households are going paperless, there are still many people and organizations using printers, making them some of the most popular IoT devices in the world.

6. Cameras

Connected cameras have an established niche in the IoT ecosystem, and are some of the most notoriously insecure devices. Our device intelligence algorithms constantly prevent malicious remote access attempts of these devices, as well as automatically monitors them for suspicious connectivity patterns.

7. Lighting appliances

Smart light bulbs, automated lighting systems and adaptive lighting solutions were among the first wave of consumer-grade IoT devices, and are still among the most popular IoT devices, with new products appearing on the lighting market every year.

8. Smart thermostats

Keeping people cooler or warmer with smarter dynamic controls, smart thermostats have a stable, established segment in the smart home IoT ecosystem and did experience a nominal decrease in popularity over the last few months. In terms of the most popular smart thermostat models and makers, Google’s Nest, ecobee and Honeywell are the most popular brands on the market. 

9. E-readers

E-readers had a massive +150% increase in Q2 2020. This jump in e-reader popularity was quite significant, even if it did not create any lasting trend in the year since. E-readers were one of the most popular IoT devices after a surge in popularity as more people stayed at home during the start of the pandemic

10. Smart doorbells

There are several categories of smart home safety devices, and all of them had similar adoption rates. Nevertheless, our data shows that smart doorbells are becoming more popular, close to doubling their quarterly new device numbers. On the other hand, connected smoke alarms and smart key locks have small and stable niches in the connected device ecosystem.

11. Alarm systems

As noted above, alarm systems recently had a surge, almost tripling their popularity among all connected devices.

Rising-star IoT Products

Some IoT products might become very popular rather soon, even if other IoT devices have more adoption currently. We have analyzed our data to show four outstanding examples of Internet of Things devices that have gained substantial popularity recently.

Sports and fitness devices

Gym lockdowns and more time at home did not stop people from exercising, and we saw an increase in smart fitness and sports devices connected in March 2020 onward. An overall increase of 50% in popularity, fitness and sports devices show how a significant change in the daily habits and living conditions impact the online smart device ecosystem.

Home robots

Roombas and other home robots are not yet popular enough to appear among the top IoT devices, but our impressions of this space leave us confident that we will see more IoT robots in consumer homes in the coming years.

Connected cars

Still niche among IoT devices (only 0.05% distribution among all connected devices), cars are slowly gaining traction, and two manufacturers are competing for the lead: Ford and Tesla. Ford has been the more popular connected car brand since last summer, while other manufacturers are struggling to carve out a significant portion of the market, with Subaru being the only other manufacturer that had any significant increases in new connections since July 2020.

Smart photo frames

Photo frames–were clear outliers in IoT popularity last year, and had massive increases in new connections. These exotic IoT devices allow people to connect their external (e.g. cloud storage) photos with the frame in their home. Several brands are strong in this market niche, making this an interesting category to watch in the near future.”

Vulnerabilities that Make IoT Devices Insecure

According to excerpts from an article by Venafi they wrote, “Smart and connected IoT devices introduce several ways of improving processes and productivity, enhancing user experience and lowering costs in a variety of industries and environments. While the benefits of IoT devices can be observed in factories, hospitals, cars, homes and cities, their inherent vulnerabilities do create new security risks and challenges. These vulnerabilities leave networks open to cyberattacks, which can disrupt industries and economies in dangerous ways.

Impact of IoT Device Vulnerabilities 

IoT devices are vulnerable mostly because they lack the necessary built-in security controls to defend against threats. The key reason is the constrained environment and the limited computational capacity of these devices. IoT devices are usually low-power devices, and their abilities permit only certain functions to be executed. As a result, they cannot withstand the inclusion of security controls and mechanisms and data protection schemes. Vulnerabilities in IoT devices may allow cyber criminals to hijack them and to further launch attacks against other critical systems.

***This next section is quite technical. If you find yourself checking out, please skip to the final section called, “Is the Internet of Things (IoT) Good or Bad?” That section is EXCELLENT! 

What Are IoT Vulnerabilities?

The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, published the IoT Top 10 vulnerabilities, which is a great resource for manufacturers and users alike.

Weak, Guessable, or Hard Coded Passwords 

“Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”

Weak, default, and hardcoded passwords are the easiest way for attackers to compromise IoT devices and further launch large-scale botnets, and other malware. Managing passwords in a distributed IoT ecosystem is a time-consuming and difficult responsibility, especially since IoT devices are managed over-the-air.

Insecure Network Services

“Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”

Adversaries are seeking to exploit weaknesses in the communication protocol and services running on IoT devices to compromise and breach sensitive or confidential information exchanged between the device and a server. Man-in-the-Middle (MITM) attacks aim to exploit these vulnerabilities to capture credentials used to authenticate these endpoints and further leverage these credentials to launch greater scale malicious attacks. It is therefore imperative to secure IoT communications with industry best practices.

Insecure Ecosystem Interfaces

“Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”

A strong authentication and authorization mechanism needs to be in place to mitigate insecure web, backend API, cloud, or mobile interfaces in the IoT ecosystem. Several solutions have been developed to safeguard the identity of IoT devices, which consider the constraint nature of these endpoints. With the use of effective device identity mechanism, whenever a server communicates with an IoT device, the server will be able to differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.

Lack of Secure Update Mechanism

“Lack of ability to securely update the device. This includes lack of firmware validation on devices, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”

Unauthorized software and firmware updates are a major threat vector for launching attacks against IoT devices. A corrupted update can disrupt the operations of critical IoT devices and have physical consequences in sectors like healthcare or energy. To secure the firmware and software updates, we need to secure the access to the updates and verify the source and the integrity of the updates.

Use of Insecure or Outdated Components

“Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”

The security of the IoT ecosystem may be compromised by vulnerabilities in software dependencies or legacy systems. The use of outdated or insecure software, including open-source components by manufacturers to build their IoT devices, creates a complex supply chain that is difficult to track. These components might inherit vulnerabilities known to the attackers creating an expanded threat landscape waiting to be exploited.

Insufficient Privacy Protection

“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”

Many deployed IoT devices collect personal data that needs to be securely stored and processed to maintain compliance with the various privacy regulations. This personal data might be anything from medical information to power consumption and driving behavior. Lack of appropriate controls will jeopardize users’ privacy and will have legal consequences.

Insecure Data Transfer and Storage

“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”

The protection of IoT data—either at rest or in transit—is of great importance to the reliability and integrity of IoT applications. This data is used in automated decision-making processes and controls that can have serious physical repercussions. It is critical that we effectively protect this data. The use of strong encryption throughout the IoT data lifecycle and adaptive identity and access control will help secure IoT data from compromise and breaches.

Lack of Device Management

“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”

One of the most important tasks and one of the most significant security challenges in the IoT ecosystem is managing all devices throughout their lifecycle. If unauthorized devices are introduced in the IoT ecosystem, they will be able to gain access and survey corporate networks and intercept traffic and information. The key concerns of IoT device management are the provisioning, operation and updating of devices. The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices.

Insecure Default Settings

“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”

IoT devices are shipped with default, hardcoded settings that are insecure and easily breached by attackers. Once these settings are compromised, adversaries can either seek for hardcoded default passwords, hidden backdoors and vulnerabilities in the device firmware. 

At the same time, these settings are difficult for a user to change. Having a deep understanding of these settings and the security gaps they introduce is a first step to implementing the appropriate controls for hardening these devices.

Lack of Physical Hardening

“Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”

IoT devices are deployed in dispersed and remote environments—not kept in any controlled environment, but exposed in the field to perform their operations. An attacker may disrupt the services offered by IoT devices by gaining access and tampering the physical layer. Such actions could prevent, for example, sensors from detecting risks like fire, flood, and unexpected motion. We should ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.”

Is the Internet of Things (IoT) Good or Bad?

According to excerpts from an article by carritech, they wrote, “Lots of people are currently talking about the Internet of Things these days but is it good or bad? The Internet of Things refers to everything connected to the internet, namely devices which are connected through automated systems. These devices communicate with each other through internet connections. Examples of IoT include smart thermostats, home hubs and vehicle monitoring. With the Internet of Things growing at such an exponential rate in modern times, we think it is worth looking into whether the expansion of this technology is a good or bad thing.

Why the IoT is Good

The market for IoT is growing rapidly. This means that billions of devices are developed every year, with many different uses. As well as the everyday uses, this technology assists hospitals, production lines and agriculture to name a few. IoT helps greater efficiency in processes, lighten workloads and collect data quickly. Technology today is created to try and reduce mundane tasks for people so we can all live happier, healthier lifestyles.

Another benefit of the Internet of Things is that we are more connected than ever before. By linking a vast number of devices to the internet, smart cities will be able to grow. Data and infrastructure networks are connected by the IoT, which adds further intelligence into the system. Understanding how a city functions should greatly improve the lives of the people living there.

Why the IoT is Bad

As with anything connected to the internet, there are real cyber threat concerns when it comes to the Internet of Things. Even the most robust internet-enabled technology is susceptible to hackers, meaning your information is vulnerable. Smart devices have access to and often record sensitive data. A compromised system could mean that those things you don’t want to be seen, could easily be retrieved.

With the rapid acceleration of the Internet of Things and all its devices, too comes the increase of e-waste. Manufacturing companies target consumers to make them think that to stay relevant, they must keep up with the latest technology. Forcing consumers to upgrade quickly makes past models out of date and so, they end up in a landfill. E-waste causes harmful effects to our health, the planet and wildlife.”

At Adaptive Office Solutions cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. 

To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca

Categories
Archives