Study shows that over 90% of data transactions performed through IoT devices are unencrypted providing inroads for hackers
A large number of IoT devices are exposed to man-in-the-middle (MitM) attacks where hackers are in a position steal or manipulate their data. The ‘IoT in the Enterprise: an analysis of traffic and threats’ report that looked at connections from IoT devices from enterprise networks found that over 40% do not encrypt their traffic. This makes a large number of IoT devices open gates to secured data.
The report by network security firm Zscaler is based on the statistics on telemetry data that is collected from the company’s cloud. The security firm analyzed 56 million IoT device transactions from 1,051 enterprise networks over a month, i.e., between March and April 2019. Over 250 different IoT devices made by 153 device manufacturers were studied. These include IP cameras, smart printers, IP phones, medical devices, data collection terminals, digital signage media players, industrial control devices, networking devices, and even 3D printers.
One of the findings was that 91.5% of data transactions performed in corporate networks by IoT devices were unencrypted. As devices go, 41% of companies did not use Transport Layer Security (TLS) at all, over 40% used TLS for some connections, and only 18% of companies used TLS encryption for all traffic. This makes connections susceptible to various types of MitM attacks.
Experts say that while a malware infection is on a regular computer, it is likely to be detected sooner or later, while an IoT compromise is much harder to discover, which gives attackers a secret backdoor into the network.
Enterprises also have IoT devices that are exposed directly to the internet, for example, surveillance cameras, but these are in small numbers inside corporate networks. While devices connected directly to the internet are at higher risk of being attacked, the ones inside local networks also would not be difficult to compromise.
Experts believe that many IoT devices in enterprises work on default credentials or have security flaws. The reason for this is that IoT devices don’t have automatic updates and open, even to known vulnerabilities. It has been noted that the most common malware families that target IoT devices include Mirai, Gafgyt, Rift, Bushido, Muhstik, and Hakai, where they use brute-forcing login credentials.
Another cause for concern is the vulnerabilities of shadow IT devices that are connected to enterprise networks. According to experts, companies do have consumer-grade IoT devices on their networks. Since the amount of these devices is quite significant, it highlights the problem of shadow IT. Companies find it challenging to control what electronic devices their employees connect to the network; these include wearables to cars. Organizations must ensure that there are solutions in place to continually scan the network to identify such shadow devices and create policies on where these devices are allowed to connect.
The IoT spending report by IDC has predicted that the IoT devices market will reach $745 billion in 2019. The top countries where IoT is adopted at a faster pace include the U.S. and China, followed by Japan, Korea, Germany, France, and the UK. Clearly, this problem could very fast spin out of control as the number of devices grows.
Experts express that IoT technology has moved faster than the mechanisms available to safeguard these devices. In the consumer grade, there has been almost no security built into IoT hardware devices that have flooded the market, and some of these devices are also found in the enterprise networks, making that data vulnerable.
With all of these connected devices and significant amounts of associated data traversing on the network opens up new vulnerabilities for cybercriminals; legacy networks cannot be trusted to provide adequate security.