The shadow Internet of Things – a new risk for financial services
While IT departments fret about BYOD and Shadow IT, a new security beast lurks on the horizon: the shadow Internet of Things. A swarm of consumer devices that nobody considers remotely risky (Fitbits, Smart TVs, alarm systems and Nest thermostats, for example) are all connecting to the internet and beaconing out data in different forms. Because these devices don't look like computers, they aren't treated like computers, and as a result IT departments are often not managing them proactively to ensure that they are secure, writes Andrew Hay.
Consider the use of Smart TVs, which are frequently installed in meeting rooms to replace overhead projectors. Unlike a traditional projector, a Smart TV is connected to the internet and is effectively acting as a web server behind the firewall. These devices are being plugged into sensitive networks, usually without any of the care and due diligence with which we treat enterprise appliances.
This is a particular risk for the financial services sector because it is a highly regulated industry that handles extremely sensitive data. Personal financial information is some of the most valuable data for sale on the deep web black market, and the theft of client data through techniques such as phishing is a constant threat for IT security teams in the sector. Regulated vertical sectors usually have the strongest security practices in place, yet in a survey conducted across several industries, a surprising 23 percent of IT directors admitted having no mitigating controls in place that would prevent someone from connecting unauthorised devices to their company networks.
To bring some factual data to this argument, OpenDNS Security Labs recently published the first data-driven research report to analyse the security risks that the Internet of Things presents for the enterprise environment. The report analysed anonymised network traffic data from more than 10,000 enterprise networks worldwide during the first three months of 2015. Using a test sample of smart devices, the research found that many devices in use today in business environments are repeatedly using their network connectivity to call home, a behaviour known as "beaconing", for a variety of reasons.
Smart TVs were found to be among the most talkative devices, regularly communicating with corporate domains across any available network without user interaction. While there are some legitimate reasons for this, such as running updates for apps, checking for system updates and backing up device data, it still poses a risk for the user. Attackers can monitor these devices for network activity and discover usage patterns about their owners. In addition, this type of beaconing presents an additional attack surface for criminals to target if a device-specific exploit is discovered.
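The same beaconing that gives attackers usage patterns also gives defenders a detection signal: a device that queries the same domain at a near-constant interval, with no user behind it, stands out in DNS logs. The script below is an added example (not part of the original article or of the OpenDNS research) that flags such periodic query series; the log format, client addresses and domains are constructed for the demonstration.

```python
"""Flag periodic 'beaconing' in DNS query logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp client_ip queried_domain" per line.
# 10.1.5.23 behaves like a Smart TV polling its vendor every 15 minutes;
# 10.1.7.40 behaves like a user browsing at irregular times.
SAMPLE_LOG = """\
2015-03-01T09:00:00 10.1.5.23 updates.tv-vendor.example
2015-03-01T09:00:02 10.1.5.23 apps.tv-vendor.example
2015-03-01T09:15:00 10.1.5.23 updates.tv-vendor.example
2015-03-01T09:30:01 10.1.5.23 updates.tv-vendor.example
2015-03-01T09:45:00 10.1.5.23 updates.tv-vendor.example
2015-03-01T10:00:00 10.1.5.23 updates.tv-vendor.example
2015-03-01T09:03:11 10.1.7.40 mail.corp.example
2015-03-01T09:21:45 10.1.7.40 news.example
2015-03-01T09:52:09 10.1.7.40 mail.corp.example
2015-03-01T10:40:33 10.1.7.40 mail.corp.example
2015-03-01T11:02:00 10.1.7.40 mail.corp.example
"""


def parse_log(text):
    """Yield (client, domain, datetime) tuples from the space-separated log."""
    for line in text.splitlines():
        ts, client, domain = line.split()
        yield client, domain, datetime.fromisoformat(ts)


def find_beacons(text, min_queries=4, max_jitter=0.1):
    """Return {(client, domain): period_seconds} for query series whose
    inter-arrival times are nearly constant (std/mean <= max_jitter)."""
    series = defaultdict(list)
    for client, domain, ts in parse_log(text):
        series[(client, domain)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:        # too few samples to judge
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, domain), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: every ~{period}s")
```

Flagged client/domain pairs can then be checked against the device inventory; a beaconing host that nobody registered is exactly the shadow IoT device the article describes.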
The research also revealed serious vulnerabilities in the infrastructure used to connect these devices to the internet. For example, some brands of Smart TVs were found to be communicating with legacy infrastructure that uses an untrusted security certificate, opening up this avenue of communication to several well-known attacks. In addition, several IoT infrastructures were found to be susceptible to highly publicised and patchable vulnerabilities including Heartbleed, FREAK and POODLE, which means that data or devices connected to these infrastructures could be at risk. This is a real concern, because hackers and data thieves can use a compromised device or network connection to move laterally into an enterprise's network.
While this data comes from studying only a sample of the total number of IoT devices believed to be in use in the enterprise, it is the first research we know of that shines a light on how these appliances are used in business today. In the future, we would like to expand this research to cover a wider variety of "Shadow IoT" machines to provide even more complete data on the scope of the problem.
The financial services sector is not alone: an alarming number of highly regulated industries, including education, healthcare and government, show Internet of Things tools and gadgets beaconing out to the internet. The risk posed by the Internet of Things today is still relatively modest, but as these devices grow to define our computing future, the shadow of the Internet of Things looms large. It has the potential to become a rich playground for professional hackers, and IT departments must up their game or face the consequences.