Let’s Shine a Light on Shadow IoT Devices in Corporate Networks

December 9, 2020 - 7 minutes read

As Internet of Things (IoT) applications grow across industries to encompass a variety of uses and business types, the cybersecurity implications of this expansion are becoming more amplified and apparent. More and more employees are purchasing and connecting new IoT devices every year, and you might be surprised to learn that even a new cell phone counts as an IoT device if you connect it to your company’s corporate network. Although this may seem innocent enough, increasing the number of IoT devices on a corporate network actually weakens the network with every new device connected.

The result is a network that’s open to potential malicious behavior from hackers, competitors, and other third parties. To protect against the lowered security that shadow IoT devices bring into the network, read on.

What Are Shadow IoT Devices?

Shadow IoT devices are those connected to a corporate network without serving a real purpose in the overall IoT system. Without IT knowing, many employees add their devices to the corporate network to quickly check their personal messages or emails. Often, shadow devices take the form of fitness trackers or digital assistants. The employees who connect shadow devices are not being malicious; in fact, they’re usually doing it to help them do their job or for personal convenience, and most don’t realize that adding a personal device puts the whole network at risk.

Unfortunately, the majority of shadow devices are not secure by design, and they’re certainly not robust enough to meet corporate security standards. Shadow devices are often created with the home network in mind. For example, IoT researchers at Kudelski Group have broken down hundreds of devices every year to their hardware and computing chips to analyze the hardware and firmware of each device.

This in-depth research has shown that every single device opened up had identifiable security vulnerabilities and flaws that increased the risk of attack and compromise. Some examples of avoidable issues were weak device passwords, lack of data encryption, and outdated software. Although many of the devices examined had built-in security measures in their hardware and firmware, most of them had failed to implement the security protocols.

Because most shadow IoT devices are consumer-oriented IoT devices, the long-term security strategy in these devices was obviously an afterthought. However, these types of devices can be easily compromised remotely, so manufacturers will need to start stepping up their cybersecurity measures in new devices, as well as roll out patches for older devices.

Preventing Cybersecurity Attacks

Insecure devices are a great and convenient way for attackers to gain control over a corporate network. Because shadow devices usually don’t have a different username-password combination from the default one that came with the device, attackers can quickly jump into a network without a lot of effort. Once the attacker is in, the network is in trouble; the hacker can make their actions look normal until they’re ready to reveal themselves. They can move laterally through the network, launch attacks from inside the organization, and find private and sensitive corporate information without raising any alarm.

One major hack, the Mirai botnet, took down company websites from San Francisco to China. It’s easy to list off what’s so terrible about shadow IoT devices, but it’s imperative to know what steps to take to prevent these devices from compromising your corporate network. Firstly, companies should be aware of what shadow IoT devices are and ask their employees to limit what they connect to the company’s network.

Secondly, enterprises should know exactly what devices are connected to the network and why. By keeping track of new devices as well as long-standing shadow devices in the network, it is easier to pinpoint the cause of the problem if something does happen later on. Additionally, consolidating all devices into a single list will clarify whether the company needs a more preventative or a more remediation-focused approach to shadow IoT devices. Ideally, an organization would have started with effective management of security in the first place, but that’s not a realistic notion for most companies.

Thirdly, companies should place pressure on device manufacturers to use stronger security by design in each device. Lastly, organizations should take the time to develop and apply a policy-based strategy for security around shadow IoT devices. This includes isolating or blocking unknown IoT and IT devices that want to connect to the corporate network. It may also look like a case-by-case approach in approving devices to join the network after checking the specific device’s risk level to the network. On the other hand, corporations might consider providing a separate network just for shadow devices to connect to.
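An added example, not part of the original post: one way to build the device list and policy decision described in the two paragraphs above, by reconciling observed DHCP leases against an approved inventory. The inventory, the lease lines (laid out like a dnsmasq lease file, with mixed MAC formatting to exercise normalization) and the three action names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of approved devices: MAC -> (owner, purpose).
APPROVED = {
    "00:11:22:33:44:55": ("facilities", "badge reader"),
    "00:11:22:33:44:66": ("it", "conference room display"),
}

# Constructed sample; fields: expiry-epoch MAC IP hostname client-id.
SAMPLE_LEASES = """\
1607500000 00:11:22:33:44:55 10.0.5.10 badge-reader-1 *
1607500100 00-11-22-33-44-66 10.0.5.11 conf-display *
1607500200 AA:BB:CC:DD:EE:01 10.0.5.40 fitness-band *
1607500300 aa:bb:cc:dd:ee:02 10.0.5.41 * *
malformed line
"""

@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    action: str  # "allow", "review" or "isolate" (names assumed here)

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if invalid."""
    digits = raw.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(lease_text, approved):
    """Classify every parseable lease against the approved inventory."""
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        # Skip lines that are too short or carry an unparseable MAC.
        if len(parts) < 4 or (mac := normalize_mac(parts[1])) is None:
            continue
        ip, hostname = parts[2], parts[3]
        if mac in approved:
            action = "allow"
        elif hostname == "*":
            action = "isolate"  # unknown device that sent no hostname
        else:
            action = "review"   # unknown but named: case-by-case approval
        findings.append(Finding(mac, ip, hostname, action))
    return findings
```

MAC addresses can be changed or randomized by the device, so a list like this supports inventory and triage rather than authentication of the device.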


What You Can Do Today

It’s important to put pressure on consumer-grade device manufacturers to upgrade the security on new devices, as well as force an update on previously sold devices. Not only is short-term security necessary, but device manufacturers should also be thinking about the security strategy for the device’s entire lifecycle. Consumers should increase the pressure by voicing the importance of security for their home networks and their private information.

By protecting the consumer and their personal or home network, we can help protect corporate networks more easily. This will eventually result in protection for stakeholders in every part of the value chain: company networks, consumer information, and the manufacturer. Have you connected any of your personal devices to your employer’s network? Would you reconsider connecting a new device after what you’ve learned from this post? Let us know what you think in the comments below!
