The Internet of Things (IoT) is in its infancy but already there are signs that we’re nonchalantly mucking up the security without a by or leave. For consumers and enterprises alike the IoT remains pretty much invisible but it’s out there opening a billion tiny data pipes from a swarm of unremarkable devices nobody thinks as remotely risky – Fitbits, smart TVs, home security and thermostats, alarm systems, health monitoring, even NAS hard drives sitting on home and business networks. (See also: What is the Internet of Things?)
They all connect to the Internet, ‘beacon’ data in different forms, and it’s a certainty that barely any of them are managed by IT departments. They don’t look like computers so people don’t treat them like computers. Researchers warn about IoT security and most people shrug – it’s tomorrow’s problem perhaps.
A new report by security firm OpenDNS has done some useful detective work on this unfolding mini-beast and what its head researcher Andrew Hay has come back with makes intriguing reading. Using data culled from the firm’s DNS resolution system that handles 70 billion requests per day, the company is in a perfect location to see what is connecting to what and from where.
It turns out that silently, unseen, IoT devices are popping up everywhere like a digital plague, including inside every business sector there is a name for, particularly education, healthcare, managed services, electronics, energy, manufacturing and government. OpenDNS anonymously plotted 561,816 IoT IP addresses, of which 68,044 were inside enterprises, with the device makers creating the most 'suspicious' traffic in the top 30 being Samsung, NEST, Fitbit, Dropcam, Axeda and Logitech.
Hay calls it the ‘shadow Internet of Things’, a catchy label that perfectly describes the near invisibility of this world.
Samsung TVs of the sort common in company boardrooms seem to be particularly ‘talkative’ happily communicating across any available network with corporate domains on a regular basis without user interaction – including in one instance to a server without a valid certificate, OpenDNS discovered. In other cases, IoT infrastructure used by devices was found to be vulnerable to major flaws such as Heartbleed or Poodle which would be a technical detail if a lof of the infrastructure wasn't already such a low priority to its makers.
But nobody thinks about smart TVs as being a security risk even if researchers have already pointed to the hackability of this class of device in recent times. Worse, Western Digital cloud drives were found to be transferring data to the cloud in heavily regulated organisations whose T departments would surely not approve.
“This report shows conclusively that IoT devices are making their way into our corporate networks, but are not up to the same security standards to which we hold enterprise endpoints or infrastructure,” said Hay.
“Our hope is that by using this report, security professionals and researchers can better understand the security implications of the IoT devices in their own environments.”
The scale of what OpenDNS's study has unwrapped suggests that nobody apart from a few researchers is paying a blind bit of attention to any of this. These devices are free to communicate with more or less whatever resource they want from inside networks across the globe. The extraordinary thing is that the IoT is a new technology and can't use the legacy excuse. If makers have left security off the development list it's hard to understand why.
Today, the risk from this is modest but as these devices grow to define a computing future in which untended proprietary systems become the norm, the shadow Internet of Things is bound to become a rich playground for those who break into networks as a profession. Vendors and IT departments must find a way of making their job a lot harder.