What’s on your corporate network? You could be …


The strangest connected devices will appear, and the threats they pose to security shouldn’t be overlooked.

Incident Response Playbooks are unlikely to have provisions in most organizations for violations caused by Internet-connected teddy bears and exercise equipment – but they may need to do so soon.

A new survey by research firm Vanson Bourne on behalf of Palo Alto Networks found that smart toys and connected exercise equipment are among the many unexpected IoT (Internet of Things) devices appearing on corporate networks around the world.

The survey of 1,350 IT business decision makers in the US and 13 other countries sought to identify current IoT security concerns and threats among business organizations. Among the questions was one that asked respondents to identify the strangest IoT devices connected to their organization’s networks.

An amazing 44% said they saw wearable medical devices. 43% said they had come across kettles, coffee makers, and other attached kitchen appliances. 38% said the same for IP-enabled exercise equipment, including skipping ropes and weights; 34% said smart toys; and 27% said smart vehicles. Other responses included hand washing machines, smart trash cans – and in one case aircraft engines. Worryingly, some respondents indicated that they also see such devices in industrial and operational technical environments.

“IoT devices are often plugged into corporate networks to help employees get things done or manage personal tasks,” said May Wang, senior engineer at Palo Alto Networks. IoT devices are brought in not only by IT departments, but also by various functional groups such as facilities, operations, finance and procurement teams, and even individual employees, she says.

Innocent of what the presence of such devices on a corporate network may seem, they pose a risk that should not be ignored, analysts have found. In the past few years, there have been several reports of attackers hacking into IP-enabled surveillance cameras like Amazon’s ring doorbell camera, smart lightbulbs, smart speakers like the Amazon Echo, and smart fax machines. The first known IoT botnet – Mirai – was actually composed entirely of weakly protected network devices such as home routers and IP cameras.

Attacks on IoT devices have also increased. A survey conducted by Irdeto in August 2019 found that 80% of IoT devices manufactured or used by a company have been exposed to a cyber attack. Ninety percent had negative impacts including operational disruptions, data loss, and end-user security issues.

“Devices that innocently integrate employees into a company’s network are often not designed for security and can be a simple gateway to a company’s most important information and systems,” says Wang.

In addition to compromising the IoT devices, attackers can use them as a stepping stone to move sideways to attack other systems on a network.

“We’re seeing a large number of network, IP, port, and vulnerability scans on networks trying to identify other devices and systems and looking for targets for the next step in the sideways movement,” says Wang.

In one case, researchers from Palo Alto Networks’ Unit 42 threat intelligence group found a variant of Gafgyt malware that targets more than 32,000 potentially vulnerable small office and home WiFi routers in order to carry out a botnet attack against online gaming servers, Wang said .

The survey results confirm what is already known about the current state of IoT security.

“In our research lab, for example, we were able to hack infusion pumps, routers and IP cameras, which are among the most vulnerable types of IoT devices in companies,” says Wang.

A problem that got worse
Such problems could soon get worse. Almost nine in ten (89%) of IT decision makers in Palo Alto Networks’ survey said that over the past year there has been an increase in the number of IoT devices on their networks, many of which are not business related. 35 percent described the increase as significant.

Such proliferation of IoT devices has started to change the threat profile in many organizations. According to research, around 57% of installed IoT devices are susceptible to attacks with moderate to severe consequences, according to Palo Alto Networks.

The survey also shows that many organizations are unprepared for the threat. For example, only 21% of IT executives in the survey said their organizations have implemented best practices like microsegmentation to keep IoT devices separate from the rest of the corporate network. Security professionals have long considered segmentation to be essential to ensure that attacks on IoT devices and environments do not propagate onto the corporate network

More than half (58%) of respondents said they either need to significantly improve their approach to IoT security or they need to completely redesign it. More respondents representing midsize businesses said their businesses require a complete IoT security overhaul than those in large and small businesses.

According to Wang, companies can take several steps to reduce the risk of IoT security threats. The first step should be to provide insight into the exact number and type of devices on the network and to keep an updated inventory of all connected IoT assets.

Organizations should also consider implementing real-time monitoring of the IoT network and adding network segmentation to reduce the attack surface.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in specialized IT journalism. Most recently, he was Senior Editor at Computerworld, where he dealt with information security and data protection issues for publication. Over the course of his 20 year … View Full Bio

Recommended literature:

More insights