Companies—or at least companies that want to stay competitive—increasingly employ smart devices to keep operations running efficiently. These IoT devices—akin to smart machinery on the plant floor—are designed to be open and connected, which also exposes them to risk. And most IT professionals aren’t confident that their organization can track and manage all IoT devices on their network. Based on work with customers, we’ve learned that businesses are unaware of 40 percent of connected devices in use in their environment. Yikes!
Here are the six commonly used IoT devices in companies that typically fall through the cracks of security:
1. Tablets
Tablet use at work has exploded—you see them in lobbies, conference rooms and plant floors to schedule meetings, display calendars and control audio/visual technology. They’re often located where confidential topics are discussed and have access to sensitive data, yet physical access and connected activity are not closely monitored. Tablets can be susceptible to compromises that allow attackers to activate a microphone or camera and silently eavesdrop. In one case, we saw an attacker turn on a tablet’s camera and stream video out.
2. Personal Assistants
Devices like the Amazon Echo and Google Home are now being used at work. We see executives bring them into their personal offices, and while IT may be reluctant to say “no,” they’re a growing risk. Personal assistants may be used by malicious actors as a bridge to the corporate network. It’s important to note that personal assistants are always on and listening. There are no visual indicators to show when these devices are recording, so it’s impossible to tell what they’re picking up at any point in time. Sadly, it was recently demonstrated how these devices could be hacked to become covert listening devices.
3. Printers
One of the most ubiquitous connected devices in business is the printer. They can connect to the network via Ethernet and allow for Wi-Fi, Bluetooth and other wireless connections. Printers are Wi-Fi hotspots, and sensitive and confidential data is constantly being transmitted to them. But disabling connectivity or other features is a manual effort that can’t be executed at scale. If you have 1,000 printers, you have to visit each one individually to make a change.
4. Smart Televisions
Internet-connected TVs are found in many lobbies and conference rooms, and run multiple applications out of the box. Connection to Wi-Fi exposes them to potential remote compromise; in fact, as many as 90 percent of smart TVs may be compromised remotely using nothing more than a $50 transmitter. Existing exploits allow attackers to access smart TV cameras or microphones without activating the indicator light, leaving users in the dark about a breach.
5. Connected Speakers
Many companies set up Bluetooth or wireless speakers, like Jabra or Sonos, that connect via wired or wireless networks. These speakers can offer a potential path to unauthorized network access. Attackers close enough to connect wirelessly to an insecure speaker may be able to compromise it and leverage its connection to gain access to the corporate network.
6. VoIP Phones
At most businesses, the majority of voice communication is done over an IP connection. Most businesses have VoIP devices on just about every desk and conference room. VoIP phones typically don’t have built-in security mechanisms, and it’s possible to connect to them wirelessly via Bluetooth. These devices are vulnerable to remote attacks—anything from compromising the phonebook to gain access to contact data, to spoofing calls to appear as if they’re from the CEO or the finance department.
These six examples are only a representation of the kinds of IoT devices in use at work today. Companies need to allow their workforce to use connected devices, of course, but must be aware of how insecure they truly are. Because of their connectivity and minimal security, IoT devices are an ideal target for attackers. Businesses today need the ability to discover the devices on their network (both approved by IT and unknown), and monitor and track their behavior.
We’re living in an IoT world, and leaving connected devices unprotected is no longer an option.
Yevgeny Dibrov is the CEO and co-founder of Armis.