In June of 2016, a hacker spied on private meetings of a Canadian political party. He did this by accessing the video conferencing system, which allowed him to watch and listen to confidential discussions.
In October of 2016, when the Mirai botnet targeted IoT devices—primarily webcams—the resulting distributed denial of service attack brought much of the Internet to a standstill.
In both instances, attackers exploited a security issue created by users—failure to change the default password.
Trading Productivity Gains for Increased Exposure
In the era of digital workplaces and the Internet of Things, we are increasingly reliant on our connected devices and the access they provide to people, places, data, Candy Crush, and other devices. The positive impact such connections make on business outcomes and in our personal lives will continue to drive rapid adoption of IoT-enabled devices. Analyst firm Gartner estimates the number of connected devices will exceed 20 billion by 2020.
The tradeoff for convenience, productivity, business intelligence, and many other benefits is increased exposure to cyberattacks. There is simply no way around this fact. As renowned cybersecurity expert Theresa Payton said at a recent PSNI summit, “If you are on the Internet, you live in a bad neighborhood.”
IoT devices represent an elevated risk for companies because not only can they expose the company to a security breach, they can also be turned into weapons, a highly effective tactic illustrated in the Mirai botnet attack on Dyn.
7 Devices That Make You Vulnerable
As it turns out, it’s not the microwave you need to worry about. It’s the fridge. Late last year, the ForeScout IoT Enterprise Risk Report identified 7 common IoT devices that can be hacked in as little as three minutes. The list was a little surprising—even a smart light bulb can put you at risk—and all can be found in the enterprise. The risks they present range from disastrous to damaging.
- IP-Connected Security Systems – Threats include disabling cameras, opening locks, sending false signals, turning off motion sensors, and accessing other connected systems.
- IP-Connected Climate Control – Threats include overheating server rooms to cause damage and using the device to access the network or other connected systems.
- Smart Video Conferencing Systems – Threats include spying, access to confidential data, control over screens, and even full network access.
- Connected Printers – Threats include access to company and user information and use as an entry point to infiltrate the enterprise.
- VoIP Phones – Threats include eavesdropping on calls and making calls.
- Smart Fridges – Threats include access to user credentials, calendars, scheduling apps, and access to other integrated enterprise applications.
- Smart Lightbulbs – Threats include access to Wi-Fi credentials, which can give access to other systems and devices like laptops and smartphones.
The report on these devices and the ease with which they can be hacked is alarming, but they may not pose the most significant risk to your company.
The Greatest Threat to the Enterprise
IT professionals have long joked that their biggest problem can be found between the keyboard and the chair. For IT security teams, however, that may not be a joke. Users are almost always the weak link in corporate security. No matter how often proper password protocol is harped on, companies continue to be plagued with and exposed by default passwords.
We asked Lars Duziack, VIA Global IT Specialist at Kramer, what he thinks creates the most security vulnerabilities. He said, “The simple answer will always be ‘Human’ because anyone who is not prepared or informed can create issues in companies. Think about your privileges at your company. Do you have unrestricted access to the Internet? Do you use a company laptop? Are you allowed to use your own mobile devices inside the company? Which level of access to data do you have?”
The risk created by a user with unrestricted Internet access could result in inadvertent and even unseen downloads of malicious software (malware) such as worms, trojans, adware, and viruses.
Lars explained that mobile devices create another opportunity for would-be hackers. “Think about your laptop. Do you connect to networks that are unknown to your IT department? Mobile devices that IT can’t control represent a massive risk. The more critical information you access, the more interesting you are to a hacker, and the more likely you are to be infected.”
But it’s not all bad news. Lars shared advice to mitigate the user threat. “We can prevent these issues through awareness. Educate your employees and enable your IT departments to make smarter choices.”
In part two of our Internet of Things blog, we’ll take a closer look at how to address IoT-induced security vulnerabilities.