Even in these days of work anywhere, anytime, it’s still important for certain businesses to maintain a level of control over their information. Unfortunately though, whilst data on mobiles, laptops, and other gear can be managed relatively easily, there’s been little heed paid to the potentially leaky nature of Internet of Things (IoT) devices, which potentially represent a myriad of new and exciting channels for remote exploitation.
The OpenDNS 2015 IoT in the Enterprise report (compiled by the network security and DNS service provider from real world customer use cases and external data sources) highlights in stark terms the risks inherent within devices like FitBits and Dropcam internet video recorders which, for now, aren’t even a blip on the radar for most businesses.
According to OpenDNS, IoT devices are finding their way into some of the most ironclad towers – including government, financial, healthcare, and energy services. Whilst most of these have their traditional networks closely monitored, IT departments tend to adopt a more laissez faire attitude when it comes to the devices which might also be hooked into existing networks. This leaves unmonitored devices vulnerable to a host of nasties, including Heartbleed and FREAK.
Although employees may not be continuously using smart TVs or tinkering with wearables, the devices are actively polling servers around the globe throughout the working day. Samsung smart TVs, for example, send an domain external calls roughly every minute they are powered on, making it all too simple to track the usage of the device.OpenDNS also cite Western Digital cloud-enabled hard drives – which transmit data to insecure cloud servers – as a key potential threat.
In an interview with the Register, Andrew Hay, Head of Research at OpenDNS, fretted, “IT is treating these devices like gadgets and toys and not applying the same rigour they would apply to routers, switches and firewalls.” Moreover, security for IoT gizmos comes from nobody knowing which URLs they contact, a flimsy practice which Hay terms, “security through obscurity.”
Securing the IoT is a burning issue at present, and was a key theme at ThingMonk last December, with several speakers musing that the first Internet of Things based homicide was a grim inevitability. Whilst there is a lot of excitement around the potential of a world of billions of interconnected objects, it’s all too easy for concerns about prosaic matters like security to slip by the wayside.
Even relatively objects like automatic heaters and smart lightbulbs will require a vast amount of personal data to function as intended (for example, just what time you’ll be home from work or what dates you’ll be on holiday). There’s little point in getting the neighbour to hide the post and the milk if all that information is readily open for hackers to siphon off.
The hope of OpenDNS is that designers and engineers will begin to take these concerns into consideration at this very early “banging rocks together” stage, rather than having to layer defences much further down the line. Practices such as establishing what traffic patterns look like for gadgets and platforms – and just why they communicate regularly – may be extra work for IT departments, but will be a necessity in a world wired into the IoT.