While the number of actively Evil Things is still small, the vast majority of enterprises are home to things that have the potential to turn evil at any moment, according to a new report from Boston-based security firm Pwnie Express.
The company analyzed a quarter million devices across a variety of customer environments and industry verticals, and found that 83 percent of companies have printers in their default configuration, with default passwords, and unencrypted WiFi.
"If you install these printers in a default state, and plug them into a network, it's now not just a hackable printer but an open port into your network," said Pwnie CEO Paul Paget.
In addition, 69 percent of companies had unencrypted wireless access points on their networks.
Vulnerable, unencrypted mobile hotspots were present in 42 percent of companies.
"Virtually every organization has some sort of rogue wireless access point or printer," Paget said.
Worst of all, many companies don't know what devices are on their networks because employees can easily go out and buy them and install them themselves -- or bring them from home as part of corporate Bring Your Own Device programs.
Employee-owned devices are a particular concern, Paget added, because there are limits to what a company can do to secure them.
Overall, he said, when scanning corporate systems, Pwnie discovered that companies typically had two to three times more devices than they thought they did.
Pwnie also found some actively evil devices, he added.
"Malicious, weaponized devices are the exception," he said. "We don't find them in every company, but in enough to be a concern."
However, he couldn't provide specific numbers about evil devices because of how clients permitted the data to be analyzed.
"We know we validated the problem," he said, "but we can't quantify it at this stage. Of the companies where we collected the data, we've only had a few accounts that gave us permission."
Pwnie also surveyed 600 security professionals and found that 83 percent were concerned about rogue or unauthorized devices operating in their networks, 69 percent said they did not have full visibility of all the wireless devices in their networks,
"The problem was substantial," said Paget.
In addition to insecure devices like printers or wireless access points, which could be made secure by changing settings and, when necessary, patching the software, there is also a category of devices that don't have any provisions for security at all.
"There are thermostats, medical devices, other things that are vulnerable because there is no security built into them," he said. "And they're finding their way into enterprises."
Finally, as prices fall and devices get easier to use, there are more and more opportunities for disgruntled employees -- or average criminals -- to do some damage.
"The concern that law enforcement has is that this stuff is so readily available," Paget said. "You can go to your favorite retailer and you can buy this stuff. It's not just for trained professionals any more. Now the average person can use this for malicious purposes."