Devices Putting Your Organization at Risk

In the offices of today’s small and midsize business, you might find a vast array of smart devices, such as printers, cameras, utility sensors and door locks, all of which can communicate with other devices through wireless connections. Even the staff break room is beginning to benefit from next-generation technologies, such as smart refrigerators and smart coffee makers.

Although the internet of things (IoT) has ushered in a wealth of efficiency through connectivity, it has also created millions of new attack surfaces due to weak security design or administrative practices. Not only have devices themselves been attacked and compromised, but hackers have also used the devices collectively in botnets to launch distributed denial-of-service (DDoS) attacks against websites and company networks. The Krebs on Security website, for example, sustained one of the most powerful attacks to date, in which the Mirai malware “zombie-ized” a bevy of IoT devices connected to the internet that were running factory-default usernames and passwords.


Security Risks With IoT Equipment

Many IoT devices weren’t designed with strong, configurable security. Some devices have a hard-coded password that can’t be changed without a firmware update, which may not be available because the vendor simply hasn’t created it or the product is no longer supported. Another potential problem is malware infection of apps that control IoT devices.

David Britton, vice president of industry solutions, fraud and identity at Experian, warns that Universal Plug and Play (UPnP) is a related concern, especially regarding wireless routers.

“Several routers support this auto-connecting capability, and some have UPnP enabled by default,” Britton said. “UPnP allows devices to immediately recognize and connect to a network, and even establish communications with other devices on the network without any human intervention or configuration. The challenge from a security perspective is that there is reduced visibility or control to the administrator as to when those devices come online, or what security permissions they may be invoking.”

Britton also points out that the diverse set of technologies and connection protocols used by IoT devices, such as Wi-Fi, Bluetooth, RFID and ZigBee, presents an additional layer of complexity. Each type of connectivity comes with different levels of security and different administrative tools. For small shops that don’t have in-house tech support, trying to stay on top of it all is difficult at best, making them even more vulnerable to attack.