By Yevgeny Dibrov, CEO & Co-Founder
The Internet of Things is ushering in the next wave of digitization to business. Employees bring connected IoT devices in and out of the office, and companies use smart devices to keep operations running efficiently. A number of devices, from smart phones and smart security cameras, to smart printers and wireless keyboards, are commonly used in offices. We see connected health monitors and medical equipment in hospitals; even IoT devices on the manufacturing line. These devices improve productivity, collaboration, and quality, but also present a complex security challenge.
IoT Devices – Designed to Connect
IoT devices are designed to be open and connected. This simplicity and convenience also expose companies to risk. Attackers can compromise devices over Wi-Fi and other protocols, or remotely from the cloud, all threat vectors unknown to the business.
Most IT professionals aren’t confident that their organization can track and manage the IoT devices on their network. Based on our work with customers, we’ve learned that businesses are unaware of 40 percent of the connected devices in use in their environment. Combine that fact with the recent report that attacks targeted at IoT devices are up 280% from the previous six months, and there is reason to be concerned.
With that in mind, here are the six commonly used IoT devices in companies that typically fall through the cracks of security.
1. Tablets
The use of tablets at work has exploded — you’ve seen them in lobbies and conference rooms to schedule meetings, display calendars, and control audio / visual technology. Tablets are often located where confidential topics are discussed and have access to sensitive data. Unfortunately, physical access and connected activity are not closely monitored. They can be susceptible to compromises, allowing attackers to activate a microphone or camera, and silently eavesdrop. In one case, we found a tablet where the camera had been activated; it was streaming video out to an unknown destination.
2. Audio/Digital Assistants
Devices like the Amazon Echo and Google Home are now being used at work. We see executives bring them into their personal office. While IT may be reluctant to say “no,” these digital assistants are a growing risk. Personal assistants may be used by malicious actors as a bridge to the corporate network. It’s important to note that personal assistants are always on and listening. There are no visual indicators to show when these devices are recording, so it’s impossible to tell what they’re picking up. Sadly, it was recently demonstrated how an Amazon Echo could be hacked and turned into a covert listening device.
3. Printers
One of the most ubiquitous connected devices in business is the printer. They can connect to the network via Ethernet and allow for Wi-Fi, Bluetooth and other wireless connections. Printers are Wi-Fi hotspots, and sensitive and confidential data are constantly being transmitted to them. Disabling connectivity or other features is a manual effort that can’t be executed at scale. If you have 1,000 printers, you have to visit each one individually to update their security settings.
4. Smart TVs
Internet-connected TVs are found in many lobbies and conference rooms. They run multiple applications out of the box. Connection to Wi-Fi exposes them to potential remote compromise; in fact, as many as 90 percent of smart TVs may be compromised remotely using nothing more than a $50 transmitter. Existing exploits allow attackers to access smart TV cameras or microphones without activating the indicator light, leaving users in the dark about potential breaches.
5. Wireless Speakers
Many companies set up Bluetooth or wireless speakers, like Jabra or Sonos, that connect via wired or wireless networks. These speakers can offer a potential path to unauthorized network access. Attackers close enough to connect wirelessly to an insecure speaker may be able to compromise it and leverage its connection to gain access to the corporate network.
6. VoIP Phones
At most businesses, the majority of voice communication is done over an IP connection. Many businesses have VoIP devices on just about every desk and conference room. VoIP phones typically don’t have built-in security mechanisms, and it’s possible to connect to them wirelessly via Bluetooth. These devices are vulnerable to remote attacks — anything from compromising the phonebook to gain access to contact data, to spoofing calls to appear as if they’re from the CEO or the finance department.
These six examples are only a representation of the kinds of IoT devices in use at work today. Companies need to allow their workforce to use connected devices. However, they must be aware of how insecure these devices truly are. Because of their connectivity and minimal security, IoT devices are an ideal target for attackers. Businesses today need the ability to discover the devices on their network (both approved by IT and unknown), and monitor and track their behavior. We’re living in an IoT world, and leaving connected devices unprotected is no longer an option.