Beware BYO IoT, says Zscaler
Zscaler, a provider of cloud-based security for enterprises, has released its second annual IoT report, and it evokes a strong sense of déjà vu. A decade or so ago, following the emergence of smartphones that could do much more than make calls, the bring-your-own-device (BYOD) phenomenon, in which employees used these devices for work purposes, caused many sleepless nights for IT staff.
Industry was quick to respond: a number of startups emerged to deal with the problem by enabling such devices to be secured, quarantined and, if necessary, disabled. All were subsequently swallowed by larger players. BYOD is now an accepted practice, and rarely an issue.
Not so BYO IoT devices. By analysing two weeks of traffic through its Zscaler cloud, Zscaler found 553 different IoT devices across 21 categories from 212 manufacturers. And it is processing one billion IoT transactions per month.
Zscaler found the top IoT device categories to be authorised devices such as data collection terminals, digital signage media players, industrial control devices, medical devices, networking devices, payment terminals, and printers.
Home IoT invades the enterprise
And it also found a big problem: the analysis also showed enterprise traffic generated by unauthorised IoT devices such as digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smart watches, and even automotive multimedia systems.
When Zscaler’s researchers drilled down to build an inventory of IoT devices sending traffic to the Zscaler cloud, consumer devices topped the list.
“The category with the highest number of individual devices was far and away TV set-top boxes, which enable analogue television sets to receive digital broadcasts (29.5 percent), followed by smart TVs at 20.3 percent,” Zscaler said.
Coming in third were smart watches at 14.8 percent, followed by media players at eight percent, digital signage media players at 5.8 percent and data collection terminals at 5.6 percent.
Zscaler’s conclusion: “Employees inside the office might be checking their nanny cam over the corporate network. Or using their Apple Watch to look at email. Or working from home, connected to the enterprise network, and periodically checking the home security system or accessing media devices.”
Much IoT channelled malware
And the bad news: “Zscaler blocked 14,000 IoT-based malware attempts per month. That number has increased more than seven times since the May 2019 research.”
It listed the top malware encountered as Mirai, Gafgyt, Rift, Bushido, Demonbot and Pesiraim, and the top destinations those connections targeted as the US, UK, Russia, the Netherlands and Malaysia.
Even more troubling from a security perspective is that roughly 83 percent of IoT-based transactions are happening over plain-text channels, with only 17 percent using SSL/TLS, according to Zscaler. Plain-text traffic can be read and altered by anything on the path, so any credentials, telemetry or commands it carries are exposed even when the device itself has no known flaw.
Not surprisingly Zscaler concluded: “The presence of shadow IoT highlighted in this report should serve as a wake-up call to enterprise security professionals. Just as companies learned to create policies and to apply management and security controls to BYOD devices, they need to start paying that same level of attention to shadow IoT.”
Unfortunately the problems are not comparable. BYOD devices were relatively few in number and had sufficient intelligence to be manageable with the tools provided by the aforementioned startups. IoT devices are orders of magnitude more numerous, and many are smart enough to be dangerous but too dumb to be easily secured.
Solutions: visibility, zero trust & legislation
Zscaler says organisations need visibility into their entire infrastructure and a zero trust approach, and it makes a third recommendation.
“If possible, urge action at the governmental level to have a common set of policies and regulations with respect to the development and security of IoT devices.”
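As an added illustration of what the first two recommendations mean in practice (this is not Zscaler's tooling or anything from the report, and the log format, device labels, hosts and addresses are all constructed for the demonstration), the script below takes proxy-log lines that have already been tagged with a device category, builds the inventory, measures the plain-text share, and applies a default-deny policy: known authorised categories are allowed, authorised devices talking in the clear are flagged, and shadow or unfingerprinted devices are blocked. The category fingerprinting itself (DHCP vendor class, User-Agent, TLS client hello) is assumed to have been done upstream and is not implemented here.

```python
"""Shadow-IoT triage over web-proxy logs: inventory by device category,
measure the plain-text share, and apply a default-deny policy per device.

Added example, not Zscaler's code. The log format is constructed for this
demonstration: one transaction per line, whitespace-separated fields:
    timestamp src_ip device_category dest_host dest_port scheme bytes
The device_category field stands in for whatever fingerprinting the proxy
or NAC already does (DHCP vendor class, User-Agent, TLS client hello); that
classification step is assumed, not implemented here.
"""
from collections import Counter, defaultdict

# Categories from the report's two lists; everything else is treated as unknown.
AUTHORISED = {
    "data_collection_terminal", "digital_signage_player", "industrial_control",
    "medical_device", "networking_device", "payment_terminal", "printer",
}
UNAUTHORISED = {
    "digital_home_assistant", "tv_set_top_box", "ip_camera", "smart_home",
    "smart_tv", "smart_watch", "automotive_multimedia",
}
# Assumption: which schemes count as "plain text" for the share calculation.
PLAINTEXT_SCHEMES = {"http", "telnet", "ftp", "mqtt"}

# Constructed sample; hosts and addresses use example/documentation ranges.
SAMPLE_LOG = """\
2020-03-02T09:01:10Z 10.20.1.15 printer printer-fw.example.com 443 https 5120
2020-03-02T09:01:12Z 10.20.3.77 tv_set_top_box cdn.iptv.example.net 80 http 884211
2020-03-02T09:01:15Z 10.20.3.78 smart_tv ads.tv-vendor.example 80 http 20311
2020-03-02T09:02:00Z 10.20.5.2 smart_watch sync.watch.example 443 https 1204
2020-03-02T09:02:07Z 10.20.7.9 ip_camera 198.51.100.23 80 http 402130
2020-03-02T09:02:30Z 10.20.1.16 payment_terminal gw.pay.example 443 https 3300
2020-03-02T09:02:45Z 10.20.1.17 medical_device 203.0.113.50 80 http 7710
2020-03-02T09:03:01Z 10.20.9.4 unknown_thing 203.0.113.9 8080 http 19
2020-03-02T09:03:05Z 10.20.3.77 tv_set_top_box cdn.iptv.example.net 80 http 903113
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, cat, host, port, scheme, nbytes = line.split()
    return {"ts": ts, "src": src, "category": cat, "host": host,
            "port": int(port), "scheme": scheme.lower(), "bytes": int(nbytes)}


def verdict(rec):
    """Default-deny policy: only known, authorised categories get through,
    and an authorised device talking in the clear is allowed but flagged."""
    if rec["category"] in UNAUTHORISED:
        return "block"   # shadow IoT: no business on this network
    if rec["category"] not in AUTHORISED:
        return "block"   # unknown fingerprint: deny until it is inventoried
    if rec["scheme"] in PLAINTEXT_SCHEMES:
        return "alert"   # legitimate device, but readable on the wire
    return "allow"


def triage(log_text):
    """Inventory the devices seen, measure plain-text share, tally verdicts."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_category = Counter(r["category"] for r in records)
    plaintext = sum(1 for r in records if r["scheme"] in PLAINTEXT_SCHEMES)
    shadow = defaultdict(set)  # category -> source addresses that should not be here
    unknown = set()            # sources whose category is not in either list
    verdicts = Counter()
    for r in records:
        verdicts[verdict(r)] += 1
        if r["category"] in UNAUTHORISED:
            shadow[r["category"]].add(r["src"])
        elif r["category"] not in AUTHORISED:
            unknown.add(r["src"])
    return {
        "transactions": len(records),
        "by_category": dict(by_category),
        "plaintext_share": round(100.0 * plaintext / len(records), 1) if records else 0.0,
        "shadow_devices": {k: sorted(v) for k, v in shadow.items()},
        "unknown_sources": sorted(unknown),
        "verdicts": dict(verdicts),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['transactions']} transactions, "
          f"{report['plaintext_share']}% in plain text")
    for cat, srcs in report["shadow_devices"].items():
        print(f"shadow IoT: {cat}: {', '.join(srcs)}")
    for src in report["unknown_sources"]:
        print(f"unknown device: {src}")
    print("policy verdicts:", report["verdicts"])
```

The point of the `verdict` function is the zero-trust default: a device that cannot be fingerprinted gets the same treatment as a known set-top box, rather than being waved through because nothing matched a blocklist. In a real deployment the category would come from the proxy or NAC's own device classification, and "block" would be enforced by policy rather than reported by a script.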
Good idea! And last month saw the UK Government do exactly that. Australia meanwhile has a voluntary code of practice. In the US the Internet of Things Cybersecurity Improvement Act was introduced into Congress in May 2019.
According to GovTrack.us, an independent website tracking the status of legislation in Congress, the bill was sent to the House or Senate as a whole for consideration on June 19, 2019, but has almost zero chance of becoming law.
In any case, such laws would do nothing to prevent attacks being launched from vulnerable devices manufactured and installed in countries that have no such legislation, or from the non-compliant devices bought online that are almost certain to find their way into homes in countries that do.
In short the battle against BYOIoT will be long and hard.
This article was first published on IoTAustralia.org.au