This morning, a security firm announced the findings of its Internet of Things (IoT) report, which found that a growing number of personal IoT devices, such as fitness trackers and virtual assistants, are being connected to corporate networks, putting companies at risk of cyber-attack. Daniel Moscovici, Co-founder at Cy-oT, commented below.
Daniel Moscovici, Co-founder at Cy-oT:
“IoT devices are not protected by nature. We need them to improve our businesses and life, but they are a very easy attack surface, and by far the easiest way to get into an organisation, enabling hackers to scan your network, install malware, conduct reconnaissance, and exfiltrate data by bypassing other security mechanisms. The real risk is the fact that these devices are an open door in and out of an organisation. For example, if a hacker is able to infiltrate a video camera, they would be able to steal your pictures and videos; however, this is not the main issue. More importantly, the hacker can reach your more sensitive assets by accessing your network through an insecure device.
“We have seen organisations investing a lot of money in mechanisms to protect their networks, perimeters and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment. However, organisations are unaware that it’s not only the corporate network that is in danger; its airspace is also under threat. Hackers can connect via P2P directly to these assets and, from there, get into the corporate network.
“IoT devices are exposed for multiple reasons. Some of them can have built-in vulnerabilities, and are actually shipped from the factory as a hackable device or a ready-to-use botnet. IoT devices can also be exposed through their cloud or web application services, as these are often not adequately secured. The wireless networks surrounding IoT devices are also highly unprotected; think WPA2 vulnerabilities. Wireless infrastructures are very sensitive, especially where multiple devices from multiple vendors/users are concerned. Some will even be from outside your company walls – for example, if an employee takes a company device and connects to a local Starbucks Wi-Fi.
“What is needed is a dedicated cybersecurity solution that monitors both the IoT device and its activity 24 x 7, and can neutralise the threat. By doing this, an organisation will be able to detect when and which devices are at risk, as well as mitigate the threat in real time without physically looking for it. The answer does not lie within the device itself, but with a solution that brings your Security Operations Team visibility and control.”