A report from Zscaler reveals some troubling facts about the risks posed by network-connected IoT devices.
A new report that looked at millions of connections from IoT devices present on enterprise networks found that over 40% of them do not encrypt their traffic. This means a large number of such devices are exposed to man-in-the-middle (MitM) attacks where hackers in a position to intercept traffic can steal or manipulate their data.
The new report released today by network security firm Zscaler is based on telemetry data collected from the company’s cloud. It covers over 56 million IoT device transactions from 1,051 enterprise networks over the course of a month.
The most common devices were set-top boxes used for video decoding. These accounted for over 50 percent of the observed devices and were followed by smart TVs, wearables and printers. However, it was data collection terminals that generated the largest amount of outbound data transactions — over 80%.
The biggest finding was that 91.5% of data transactions performed by IoT devices in corporate networks were unencrypted. As far as devices go, 41% did not use Transport Layer Security (TLS) at all, 41% used TLS only for some connections and only 18% used TLS encryption for all traffic.
Devices that don’t encrypt their connections are susceptible to various types of MitM attacks. An attacker who gained access to the local network — for example through a malware attack — could use Address Resolution Protocol (ARP) spoofing or could compromise a local router and then intercept IoT traffic to deliver malicious updates or to steal credentials and data sent in plain text.
High use of consumer IoT devices on corporate networks
Deepen Desai, VP of security research and operations at Zscaler, tells CSO that one of the worrying observations was that companies have a large number of consumer-grade IoT devices on their networks. This highlights the problem of shadow IT, where companies have a hard time controlling what electronic devices their employees connect to the network, from wearables to cars.
Organizations should have a solution in place to constantly scan the network and identify such shadow devices and then create a policy where such devices are only allowed to connect to a separate non-critical network segment, Desai says.
That’s because another common problem observed by Zscaler was that most IoT devices are connected to the same network as business-critical applications and systems. If one of the IoT devices is compromised, attackers can then target all other systems.
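The sketch below is an added example, not code from Zscaler or the report. It applies the report's three-way TLS breakdown (no TLS, TLS on some connections, TLS on all) to flow records and flags unmanaged devices that sit in a business-critical segment, as Desai's recommendation implies. The addresses, inventory, subnet and flow tuples are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data; none of it comes from the report.
CRITICAL_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed critical segment
MANAGED = {"10.10.0.5", "10.20.0.9"}                    # assumed asset inventory
FLOWS = [  # (source IP, destination port, TLS handshake observed)
    ("10.10.0.21", 80, False),
    ("10.10.0.21", 8080, False),
    ("10.10.0.22", 443, True),
    ("10.10.0.22", 80, False),
    ("10.20.0.9", 443, True),
    ("10.20.0.9", 8883, True),
    ("10.10.0.5", 443, True),
]

def tls_posture(flows):
    """Classify each source device as 'none', 'partial' or 'all' by TLS use."""
    seen = defaultdict(lambda: [0, 0])  # ip -> [TLS flows, total flows]
    for src, _port, tls in flows:
        seen[src][0] += int(tls)
        seen[src][1] += 1
    return {ip: "none" if t == 0 else "all" if t == n else "partial"
            for ip, (t, n) in seen.items()}

def unencrypted_share(flows):
    """Fraction of transactions sent without TLS."""
    return sum(1 for f in flows if not f[2]) / len(flows)

def segmentation_findings(flows, managed, critical_nets):
    """Unmanaged devices inside a critical segment, weakest TLS posture first."""
    order = {"none": 0, "partial": 1, "all": 2}
    hits = []
    for ip, posture in tls_posture(flows).items():
        addr = ipaddress.ip_address(ip)
        if ip not in managed and any(addr in net for net in critical_nets):
            hits.append((ip, posture))
    return sorted(hits, key=lambda h: (order[h[1]], h[0]))

if __name__ == "__main__":
    print(tls_posture(FLOWS))
    print(f"unencrypted transactions: {unencrypted_share(FLOWS):.1%}")
    for ip, posture in segmentation_findings(FLOWS, MANAGED, CRITICAL_NETS):
        print(f"move to isolated segment: {ip} (TLS: {posture})")
```

In practice the flow tuples would come from a proxy or network sensor export, and the inventory from an asset-management system.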