The Internet of Things "IoT" is actively transforming nearly every industry. With low-cost sensors proliferating devices in constant use by consumers and companies, IoT is expected to change the way we live our lives and manage our businesses. As an unprecedented amount of data is collected and monitored through Internet connected devices, IoT delivers benefits such as seamless automation, optimized resource consumption, increased situational awareness, and the immediate control and response of complex systems. In its current state, IoT is the start of a data-driven evolution in engineering and science-and it's only a glimpse of what's possible.
The rise of IoT has catalyzed the creation of myriad surveys, expert predictions, and conference presentations about the potential impact on enterprise security. While some IT leaders claim to be prepared for the march of a growing number of Internet-connected devices onto their networks, others report having no plan at all. In addition, the lack of concrete data has made the industry discussion largely speculative. Security and IT professionals-whether they acknowledge it or not-face a cloud of obscurity in attempting to protect employees and customers from attack without knowing exactly where and how IoT devices expose their networks to costly attacks.
Leveraging a data-driven methodology, this report explores the potential security risks surrounding IoT devices connected to enterprise networks. The aim of our research is to heighten the awareness of IoT devices in business network environments and the possible security threats they may pose to privacy, national security, and economic stability. What follows is the analysis of our unique IoT viewpoint through a global DNS infrastructure.
This report covers our methodologies of data discovery, red flags for IT professionals regarding the security of IoT devices, key takeaways, and suggestions for how to manage IoT deployed in an enterprise environment. It also includes a contextual survey with responses from more than 500 IT and security professionals.
Our findings indicate that most company leaders, including the IT and security professionals charged with protecting valuable and confidential information, are not fully aware of the scale of IoT presence within their networks. This lack of awareness may also be fueling a misunderstanding or underestimation of how insecure IoT devices are. It is imperative for IT security professionals to know which devices are unsafe, how to manage and patch them, and how to prevent them from visiting harmful or malicious network infrastructures. However, many IT professionals do not even seem to have a clear definition of what constitutes an IoT device.
Our findings uncover the extent to which IoT permeates nearly every major market vertical including energy infrastructure, healthcare, education, consumer electronics, manufacturing, defense, government, financial institutions, and retail, among others.
It's worth noting that the intention of this report is not to scare or shock the public. It is meant to provide an unprecedented data-driven view of IoT based on real data that security professionals can use to gain better understanding, help educate company business decision makers, and to plan for an IT security future that includes ubiquitous IoT devices.
Though our report discovered an extensive number of concerning and important findings, the following seven are the most significant.
1. As stated in the summary, IoT devices are actively penetrating some of the world's most regulated industries including healthcare, energy infrastructure, government, financial services, and retail.
2. Our analysis identified three principal risks that IoT devices present in protecting network environments with IoT devices: (1) IoT devices introduce new avenues for potential remote exploitation of enterprise networks; (2) the infrastructure used to enable IoT devices is beyond both the user and IT's control; (3) and IT's often casual approach to IoT device management can leave devices unmonitored and unpatched.
3. Some infrastructures hosting IoT data are susceptible to highly-publicized and patchable vulnerabilities such as FREAK and Heartbleed.
4. Highly prominent technology vendors are operating their IoT platforms in known "bad Internet neighborhoods," which places their own customers at risk.
5. Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital "My Cloud" storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon out to servers in the US, Asia, and Europe-even when not in use.
6. Though traditionally thought of as local storage devices, Western Digital cloud-enabled hard drives are now some of the most prevalent IoT endpoints observed. Having been ushered into highly-regulated enterprise environments, these devices are actively transferring data to insecure cloud servers.
7. And finally, a survey of more than 500 IT and security professionals found that 23 percent of respondents have no mitigating controls in place to prevent someone from connecting unauthorized devices to their company's networks.