Shadow IoT is prevalent, insecure
- 16 March, 2020 12:10
While the data protection pitfalls around the Internet of Things (IoT) are undeniably numerous, new research from security vendor Zscaler underlines that one of the most serious problems emanates from the growing trend of “shadow IoT,” or the use of employee-owned devices on corporate networks.
The vendor's 'IoT in the Enterprise 2020' report says the blurring of the line between home and office is making the enterprise network less secure, even as businesses grapple with security issues around strictly corporate IoT endpoints like data collection terminals and industrial control devices.
“[T]he analysis also showed enterprise traffic generated by unauthorised IoT devices such as digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smart watches, and even automotive multimedia systems,” the report said.
Based on an analysis of network traffic from Zscaler’s customers, the report said that fully 83 per cent of all online IoT transactions – the term that Zscaler uses to indicate instances of communication between devices – were sent in plain text, without using SSL.
That’s partially due to the fact that consumer IoT devices tend to be far less secure than enterprise-focused ones, and highlights the potential volume of insecure traffic on corporate networks.
The problem is similar to the one businesses experienced more than a decade ago, as the BYOD phenomenon took hold. Companies’ networks were insufficiently prepared for an influx of new endpoints that they didn’t actually own, causing a rush to develop new ways to secure those networks against both accidental and opportunistic compromise.
Where before the issue was employees using smartphones to access corporate resources in an insecure way – say, storing sensitive, unencrypted data on an easily lost or stolen iPhone – the problem now is workers using company networks to connect to less-secure devices, like checking on the nanny cam remotely, according to Zscaler.
Bad actors can look for login credentials in all this plain-text communication, and use them to gain access to more secure systems, or enlist insecure devices into botnets.
It’s worth taking some details of the report with a grain of salt, of course – security vendors aren’t famous for their balance and restraint when presenting research on the problems their products are intended to solve.
Yet the large proportion of insecure, plain-text traffic and the proliferation of consumer IoT devices on corporate networks are undeniably serious issues.