IoT dangers are real and widespread

Two studies, one from HP, and one from DNS and security vendor OpenDNS, took a look at the dangers IoT devices pose, and both concluded the same thing: They’re real, they’re here, and they’re more widespread than you might imagine. Following are summaries of each study.

Internet of Things in the Enterprise 2015

OpenDNS is a DNS provider that routes more than 70 billion Internet requests daily from approximately 50 million consumer and enterprise users in more than 160 countries. For its report on IoT dangers, OpenDNS sampled statistically relevant data on the 15th day of February, March, and April in 2015.

The company found an astonishing number of security holes in enterprises, including highly regulated ones such as healthcare, education, energy infrastructure, manufacturing, government, financial services, and others.

It warned of three major security issues with IoT: “(1) IoT devices introduce new avenues for potential remote exploitation of enterprise networks; (2) the infrastructure used to enable IoT devices is beyond both the user and IT’s control; (3) and IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched.”

Infrastructures that host IoT data are susceptible to well-known vulnerabilities including FREAK and , it warns. And Western Digital cloud-enabled hard drives, which it found are common in enterprises, “are actively transferring data to insecure cloud servers.”

A serious issue is that IoT devices frequently beacon out, that is, use the Internet to contact networks outside of enterprises, and enterprises aren’t aware of it. The report notes that smart TVs, frequently used in conference rooms, constantly beacon out, and “may be may be communicating with legacy infrastructure that uses an untrusted security certificate, opening this avenue of communication to several well-known attacks.”

Nest thermostats also beacon out, the study found, as does the Dropcam line of cameras. The report says that this beaconing isn’t inherently malicious, but adds that “[a]ttackers can potentially monitor these devices for network activity and discover usage patterns about its owner. This type of beaconing also presents an additional attack surface for criminals to target if a device-specific exploit is discovered.”

Based on a survey that OpenDNS did of 500 IT professionals, many enterprises seem to be at risk. The survey found that 23% of those surveyed didn’t have controls in place to stop unauthorized devices from connecting to their enterprise network.

Internet of Things Research Study 2014

HP’s study looked at ten popular devices in common IoT niches such as TVs, webcams, thermostats, and more, and analyzed their behavior for security problems. The results: There are plenty of dangers.

The report found “an alarmingly high average number of vulnerabilities per device. Vulnerabilities ranged from Heartbleed to denial of service to weak passwords to cross-site scripting.” Most devices include connections to cloud services, which increase security risks because of the way data is transmitted between the devices and the cloud. All of them included mobile apps that could control the devices remotely — another attack vector.

Other findings include:

• Seventy percent of the devices didn’t encrypt communications between the devices and the Internet or local network, and yet almost all of the devices collect personal information.
• Sixty percent of the devices had insecure Web interfaces such as persistent cross-site scripting, poor session management, and weak default credentials.
• Sixty percent of the devices had insecure software and firmware because they didn’t use encryption when downloading software updates. This could allow hackers to intercept updates and inject attacks into them.
• Eighty percent of the devices had password problems — they don’t require passwords of sufficient complexity and length. Most allowed simple passwords such as “1234” or “123456.” The weak passwords were typically allowed on the devices themselves as well as on the associated cloud services and mobile apps.