Why consumer IoT security is now a business problem


This article originally appeared in Issue 10 of IT Pro 20/20.

Given the recent shift to mass remote working, the average “office” is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums. While these devices have allowed us to automate everyday tasks and, ultimately, become more productive, they’re also becoming a growing headache for businesses.

Although normally these consumer-facing devices wouldn’t be a major worry for CISOs, they’re quickly becoming a concern. As a result of the ongoing COVID-19 pandemic, and the UK government’s recent u-turn on remote working guidance, employees are using their household Wi-Fi more than ever to log onto work computers and carry out sensitive tasks. This is, in most cases, the same network that these Internet of Things (IoT) devices are also connected to, and that could be leaving corporate networks vulnerable.

“The networks and security tools staff use at home are likely to be far less secure than those in the office and IoT devices add an extra layer of complexity,” Jamie Akhtar, CEO and co-founder of CyberSmart, tells IT Pro. “Home office networks are 3.5 times more likely than corporate networks to be infected by malware. There may even be a psychological element to this; 52% of employees believe they can get away with riskier behaviour when working from home.”

Shadow IoT

According to Statista, consumer electronics will account for 63% of all installed IoT units in 2020. Given our homes now double up as our places of work, these innocuous devices are beginning to infiltrate corporate networks. Recent research from Palo Alto Networks revealed, for example, that a staggering nine in ten UK businesses reported a rise in the number of IoT devices connecting to their networks over the last year.

While, on the face of it, this doesn’t appear overly problematic, the danger becomes clearer when you consider the security problems that surround IoT. Cyber attacks against these innocent-looking devices are on the up (research from F-Secure reveals a 300% increase in 2019), and these attacks can have devastating effects; take, for example, the infamous Mirai botnet, which was built to exploit IoT devices still using factory-default credentials and crippled several high-profile services back in 2016.

What’s more, research shows that 15% of IoT device owners still use default passwords, so chances are high that most businesses have at least one employee with a vulnerable device.

Larry Trowell, principal security consultant at Synopsys, comments: “While you may think ‘what information could anyone possibly get from attacking my coffee machine?’, if it’s on the same network as your home or work laptop, then the answer is ‘quite a lot.’ A perfect example happened in 2018 when a Las Vegas casino was breached by way of a smart thermostat which had been added to the secure network. This allowed hackers to access the main systems using the thermostat as the access point.

“Any one of these devices could be used as an access point for an attacker wanting to gain access to your home network and through it, potentially, also the network of your employer.”

Lou Morentín, VP of compliance and risk management at Cerberus Sentinel, sounds a similar warning. “Users working from home are likely going to be connected to their home Wi-Fi and internet connections,” he says. “The security of these networks is often much less comprehensive than a corporate environment and can open the remote worker’s computer and data sent over the network to attack. Many homes have ‘smart appliances’ or other IoT devices that are regularly compromised at scale by cybercriminals.

“Attackers could leverage the advantage of being on the same network as the remote worker with attacks that would normally require them to have already compromised a computer network such as ARP spoofing, name resolution poisoning or other man-in-the-middle techniques.”
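The LAN-side attacks Morentín lists leave a recognisable trace on the wire: two different MAC addresses answering ARP for the same IP address, typically the gateway’s, with the rogue answer coming from a host that also claims an address of its own. The following Python is added here as an illustration and is not code from the article or from any vendor quoted in it; it runs that check over a constructed set of ARP replies. The addresses, the ArpReply record and the TRUSTED_BINDINGS table are assumptions for the example, standing in for what a passive sniffer such as tcpdump or arpwatch would observe on a home Wi-Fi segment.

```python
"""Passive ARP-spoofing detector over a list of observed ARP replies.

Added example, not code from the article or from any of the vendors quoted.
The records below are constructed inline to stand in for what a sniffer
(tcpdump, arpwatch, a Scapy sniff) would hand you on a home Wi-Fi segment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # "I am <sender_ip> ..."
    sender_mac: str    # "... at <sender_mac>"


# Constructed sample. The gateway 192.168.1.1 legitimately lives at
# aa:bb:cc:00:00:01; a compromised smart device at 192.168.1.50 later
# starts answering for the gateway's IP to sit in the middle of the
# remote worker's traffic.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.50", "DE:AD:BE:EF:00:50"),   # smart device, normal
    ArpReply(2.0, "192.168.1.20", "11:22:33:44:55:20"),   # work laptop
    ArpReply(30.0, "192.168.1.1", "de:ad:be:ef:00:50"),   # spoofed gateway reply
    ArpReply(30.5, "192.168.1.1", "de:ad:be:ef:00:50"),   # repeated to win the race
    ArpReply(31.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway still answers
]

# Optional static bindings for hosts whose MAC should never change
# (assumed known to the operator; not something the article specifies).
TRUSTED_BINDINGS: Dict[str, str] = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies: List[ArpReply],
                        trusted: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one alert per IP that is claimed by more than one MAC, or by a
    single MAC that contradicts a trusted binding.

    With a trusted binding for the IP, every other MAC is a suspect; without
    one, all conflicting MACs are listed and the operator decides. Each
    suspect is cross-referenced to the other IPs it answered for, which is
    what turns "the gateway flip-flopped" into "192.168.1.50 did it".
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs: Dict[str, Set[str]] = defaultdict(set)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        mac = r.sender_mac.lower()          # MACs compare case-insensitively
        ip_to_macs[r.sender_ip].add(mac)
        mac_to_ips[mac].add(r.sender_ip)

    alerts = []
    for ip in sorted(ip_to_macs):
        macs = ip_to_macs[ip]
        good = trusted.get(ip)
        if len(macs) < 2 and (good is None or good in macs):
            continue                        # one consistent MAC per IP is healthy
        suspects = sorted(macs - {good}) if good else sorted(macs)
        alerts.append({
            "ip": ip,
            "macs": sorted(macs),
            "suspects": suspects,
            # other IPs each suspect MAC answered for: attribution, not just detection
            "suspect_also_claims": {m: sorted(mac_to_ips[m] - {ip}) for m in suspects},
        })
    return alerts


def main() -> None:
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(f"ALERT {alert['ip']} claimed by {alert['macs']}; "
              f"suspects {alert['suspects']} -> {alert['suspect_also_claims']}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one alert naming de:ad:be:ef:00:50, the MAC that otherwise answers for 192.168.1.50, as the host impersonating the gateway. In practice the replies would be fed from a live capture rather than a constructed list, and a trusted binding for the gateway is worth maintaining because it lets a single wrong answer be flagged without waiting for the real gateway to respond as well. The check covers ARP only; the name-resolution poisoning Morentín also mentions needs a separate comparison of DNS, mDNS or LLMNR answers against expected resolvers.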

Fixing the IoT problem

IT and security teams are currently focused on adapting their software and infrastructure to cope with the fact that the majority, if not all, of their employees are now working from home. The security of the IoT devices sharing those home networks is rarely at the forefront of that work, and it wasn’t before the pandemic either.


Research from the Neustar International Security Council found that 48% of organisations had been the victim of an IoT cyber attack in 2020, while only just over a quarter (27%) felt ‘very confident’ that they would know how to respond to such an attack.

Rodney Joffe, senior vice president and senior technologist and fellow at Neustar, warns: “Solving this problem, then, is not as simple as enterprises may have first thought. To guard against the risk of being breached as a result of consumer IoT devices being compromised, businesses should ensure they have a considered, up-to-date and always-on security strategy in place that takes into account the full range of IoT devices connected to a network.

“In addition, educating the workforce on the cyber threats stemming from at-home smart devices and the importance of best practice cyber security behaviour is crucial. This should include encouraging employees to change passwords on all devices as soon as they are brought into their homes.”

This latter point is echoed by Ori Bach, CEO at TrapX Security, who says employee education is the most important step you can take to prevent cyber attacks in the remote workforce.

“If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow and adhere to the fundamentals of cyber hygiene,” he says. “If businesses don’t have a remote working security policy, it's time to draft one.”

Another step employees can take is to isolate these devices from their main Wi-Fi network, which is now often being used to carry out sensitive tasks. Trowell advises: “The most practical method of isolating these two systems is to use the guest network to host such secondary network-enabled devices. The guest network typically doesn’t allow access to unknown devices in your home by default; however, it can be configured to block unrecognised devices from connecting to the network.”

Some, however, don’t believe there’s a problem to be fixed. Pascal Geenens, director of threat intelligence at Radware, tells IT Pro that the threat of data breaches and intrusions is much bigger than the threat landscape created by IoT.

“Many of the smart home devices such as thermostats and coffee machines require physical proximity to perform the hacks that have been discovered by researchers. Whereas the attacks on enterprise VPNs and remote access protocols can be performed from the internet. And the internet has no borders or boundaries,” he says. “IoT is still a large threat surface, but mostly for DDoS and other malicious activities that can leverage a distributed army of bots.”

Carly Page

Carly Page is a freelance technology journalist, editor and copywriter specialising in cyber security, B2B, and consumer technology. She has more than a decade of experience in the industry and has written for a range of publications including Forbes, IT Pro, the Metro, TechRadar, TechCrunch, TES, and WIRED, as well as offering copywriting and consultancy services. 

Prior to entering the weird and wonderful world of freelance journalism, Carly served as editor of tech tabloid The INQUIRER from 2012 to 2019. She is also a graduate of the University of Lincoln, where she earned a degree in journalism.

You can check out Carly's ramblings (and her dog) on Twitter, or email her at hello@carlypagewrites.co.uk.