Smart devices that connect to the internet, such as televisions, watches, cameras, and thermostats, are part of our everyday lives that we can no longer do without them. Not only that, we often don’t even notice their presence and the risks related to privacy and security. Dangerous threats in private life that generate even worse damage in business contexts. That’s why this in-depth look at the hidden shadows of IoT devices is useful.
What is Shadow IoT?
IT experts will have already heard of “Shadow IT,” or the connection of hardware or software devices to enterprise IT systems without authorization. Shadow IoT is nothing more than an evolution of it: that is, it is IoT devices or sensors that are connected to the network without receiving formal authorization from the IT department. Thus, circumventing useful security controls prevents unwanted access to the corporate network.
Here’s an example. If I buy a Smart TV and connect it to the company’s wifi without asking permission from the IT department, I expose the company to high risk. Maybe I do it in good faith, as I reason about its use and not the hypothetical risks of an IoT device connected to the network. I think, “I need it in the boardroom to show slides and videos; there’s no risk.” And instead, a hacker could turn the device into a microphone and listen to or record the entire meeting. But also use the Smart TV as an access point to the corporate network. The result: if the topic discussed during the meeting is sensitive, it could generate a leak that would harm the company and employees.
IoT devices: which ones could hurt your business?
Whenever a device is connected to the network in the company, be it a PC, a printer, a thermostat, or a smart fridge in the canteen room, it should be authorized by the IT department. Reporting the presence of a new device on the network serves to initiate controls that verify the design security of the device but also the parameters and accesses used to connect to the corporate network.
When there were only a few devices to connect, the problem related to permissions was not relevant. With IoT devices that are numerically larger and often in personal use, reporting has become more formally complex and difficult to monitor.
But what are these IoT devices that could threaten the enterprise?
- Voice and digital assistants: which, if not configured properly, could collect and convey companies’ recondite data and information. In effect, they are always-on microphones.
- Fitness trackers: smartwatches but also specific devices for monitoring sports activities or health status that, by connecting to the corporate network, could become gateways for cybercriminals;
- Smart TVs: often installed in conference rooms, they could become the target of hackers who, through the installation of simple applications, would turn them into microphones. They could then listen in on meetings and obtain confidential data;
- Smart appliances: smart ovens, vending machines that connect wifi for app-based payments, and small appliances that enter corporate kitchens are always easier access points to hack. In fact, they often don’t have specific apps for information security, and access credentials are easier.
- Rogue Cell Towers: these are devices that mimic real cell phone towers and can intercept mobile calls and data.
- Wireless Printers: improperly configured or lacking virus or malware protection, printers could allow cybercriminals to remotely take control of the print stream or reach devices connected to the network.
- Surveillance cameras and drones: again, the ease of access of improperly configured devices makes them an easy target for DDoS attacks.
- Personal tablets: another remote attack could affect smartphones, tablets, and business laptops not properly protected. Again, for the amount of data they hold, the damage to the company would be significant.
- Industrial IoT (IIoT) sensors: very useful for allowing industrial machines to communicate with each other, IIoT sensors make the network they connect to vulnerable. One example is heating and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats.
What are the risks of Shadow IoT?
It’s not easy, and in some cases impossible, to monitor all the IoT devices that connect to the corporate network. The number is constantly growing between objects for personal use and corporate devices.
Moreover, thanks to increasingly intuitive and straightforward apps, even configuration is within everyone’s reach. Before, when you needed to connect a device to the network or simply configure it, you had to call the IT department because you needed advanced skills to do it. However, self-installing programs start up at power-up, making the process a breeze.
So, instead of starting the procedure for authorizing the device’s connection and waiting for the IT department to be available, we proceed on our own, convinced that we will not cause any damage if, for example, we connect our smartwatch to the company wifi. Instead, even the most trivial device can become a gateway for malicious users.
What can I do once I enter the corporate network via a smartwatch? Cause exactly the same damage as any compromise made, for example, through a PC:
- steal data;
- interrupt a service;
- record private and sensitive conversations;
- cause physical damage to facilities;
- damage to corporate reputation.
Why, specifically, are IoT devices so dangerous? Because of the attention paid to security in the design phase of devices. When they are dated or very inexpensive, the devices do not undergo vulnerability identification and elimination and do not have specific cybersecurity features. Also, we often associate IDs and passwords that are easy to decrypt with the devices we use in our free time, making them preferred network access points over more complex devices.
Shadow IoT is the connection of IoT devices to the corporate network without requesting permission. One practice puts the entire organization's data and security at risk Click To Tweet
How to counter the Shadow IoT and protect the enterprise network?
Before even requesting the intervention of the IT department, it is useful to dwell on the process of authorizing the connection of IoT devices. Often, these procedures in the enterprise require steps through multiple departments, significantly extending the time between the request and the actual connection of the device.
If I need to connect my personal tablet to the network to make my work more efficient, I expect a few hours to do so. On the other hand, if the authorization email has to go through several formal approval steps and IT department checks, it will obviously take days or even weeks. Instead, establishing a rapid IoT approval protocol would not only streamline the process it would also be a great incentive for employees who would not be taking unnecessary risks in the face of quick steps.
Let’s turn now to the technical side. Cyber security experts recommend focusing on connections and devices by favoring an end-to-end approach in which control operations are performed at properly protected end nodes (or endpoints).
The IT department, to counter the risks associated with IoT connections on the corporate network, should:
- Schedule a proactive search for IoT Shadow devices so as to prevent risks and detect intrusions early;
- Pay particular attention to security-related parameters when configuring and managing devices to connect to the network;
- Protect the connection between the devices and a possible cloud and the data processed and stored in it;
- Implement dedicated IoT device security applications and create stronger authentication processes.
What features should IoT devices possess to reduce the risk of unwanted access?
IoT devices should be:
- Secure-by-design: meaning they are designed with, even at this stage, the functional requirements and code suitable for cybersecurity;
- Secure-by-default: when the IoT device contains default, secure configuration settings. For example, the manufacturer sets a printer in such a way that, by default, it prevents external connections. These configurations can be safely modified on-premise by an IT technician to fit business needs.
The organization, on the other hand, should train employees so they know how to properly set up credentials, create IDs and passwords that are secure, and enable two-factor authentication for added security.
Overall, the only way to improve security related to IoT devices is a shared commitment from everyone involved in the process: manufacturers, regulators, enterprises, and employees.