Internet of Things (IoT) devices are prevalent in highly regulated industries, and the infrastructure supporting those devices is vulnerable to security flaws, a new study found.
OpenDNS released “The 2015 Internet of Things in the Enterprise Report,” a global data-driven security assessment of IoT devices and infrastructure found in businesses.
Using data from the billions of Internet requests routed through OpenDNS’s global network daily, the report details the extent to which IoT devices are present in enterprise environments and uncovers specific security risks associated with those devices.
Authored by Director of Security Research Andrew Hay, the report includes the following findings:
• IoT devices are actively penetrating some of the world’s most regulated industries including healthcare, energy infrastructure, government, financial services, and retail.
• There are three principal risks IoT devices present to the enterprise: IoT devices introduce new avenues for potential remote exploitation of enterprise networks; the infrastructure used to enable IoT devices is beyond the user’s and IT’s control; and IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched.
• Some networks hosting IoT data are susceptible to highly publicized and patchable vulnerabilities such as FREAK and Heartbleed.
• Highly prominent technology vendors are operating their IoT platforms in known “bad Internet neighborhoods,” which places their users at risk.
• Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon out to servers in the U.S., Asia, and Europe – even when not in use.
• Though traditionally thought of as local storage devices, Western Digital cloud-enabled hard drives are now some of the most prevalent IoT endpoints observed. These devices are actively transferring data to insecure cloud servers.
• A survey of more than 500 IT and security professionals found 23 percent of respondents have no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s networks.
“This report shows conclusively that IoT devices are making their way into our corporate networks, but are not up to the same security standards to which we hold enterprise endpoints or infrastructure,” Hay said. “Our hope is that by using this report, security professionals and researchers can better understand the security implications of the IoT devices in their own environments.”