‘Shadow IoT’ emerging as cloud security threat

83 percent of IoT transactions are happening over unsecured channels

A report has warned of a troubling surge in unauthorised IoT devices connected to enterprise networks.

US-based cloud security company Zscaler analysed cloud traffic generated by its customers for its latest IoT Traffic report. The company found that “shadow IoT” device traffic is growing rapidly in organisations, “posing new threats and questions about how to best architect enterprise security”.

Smart refrigerators, Teslas, TV set-up-boxes, Wi-Fi memory cards and cameras are among the surprising devices employees are connecting to company cloud networks.

Zscaler said the “the lines have blurred” between company and privately-owned devices and between the workplace and the home.

“In many cases, enterprise IT teams might not even be aware of some of the devices generating IoT traffic, and this new culture of shadow IoT is creating new IoT-based attack vectors for cybercriminals,” reads the report.

Zscaler’s cloud now processes 33 million IoT transactions per day and 1 billion per month. Worryingly, 83 percent of these transactions are taking place over plain text channels.

“The use of plain text is risky, opening traffic to sniffing (for passwords and other data), eavesdropping and man-in-the-middle attacks, and other exploits, which is why it is no longer used for the vast majority of web and application traffic,” reads the report.

A rise in IoT-based malware is accompanying the surge in traffic generated by IoT devices. Zscaler was blocking 2,000 pieces of IoT-based malware per month in May 2019; a number that has increased seven-fold to 14,000 malware attempts blocked per month.

“Attackers are certainly aware of the potential vulnerabilities. In the case of the Mirai botnet of 2016, attackers exploited the fact that consumers rarely change the default password on IP cameras and home routers and launched a denial-of-service attack that took down a big chunk of the internet.”

“And new exploits that target IoT devices are popping up all the time, such as the RIFT botnet, which looks for vulnerabilities in network cameras, IP cameras, DVRs, and home routers.”

To mitigate the threat, Zscaler said IT security teams should focus on gaining visibility into unauthorised devices inside the network and consider putting all IoT devices on a separate network.

It added that companies should also restrict access to IoT devices from external networks, change default usernames and passwords, implement strong password policies and apply regular security and firmware updates.

“Banning devices is not going to be the answer here,” wrote Deepen Desai, VP of security research and director of Zscaler ThreatLabZ. “The answer is changing up the narrative on how we think about IoT devices from a security and risk standpoint, and what expectations we put on manufacturers to increase the security posture of these devices.”

According to IOT Analytics, there were more than 4.7 billion things connected to the internet in 2016. By 2021, that number will increase to more than 11 billion and, by 2025, it is estimated that the number will hit 21 billion.