BUSINESSES HAVE STRUGGLED for decades with “shadow IT”—printers, laptops, smartphones, cloud services, and more being installed or subscribed to by users without permission or knowledge of an IT admin. In that same vein, users are now connecting smart devices of various kinds to the corporate network, giving rise to the term “shadow IoT.”
It’s a much bigger problem too, according to Zeus Kerravala, principal analyst at ZK Research, "because the scope has broadened. Things you never would have connected before are now connecting." As an example, he cites the Target breach from a few years ago. "The AC system was compromised, and it was on the same network as the point-of-sale system." When the hackers went through the AC system to the POS server, red flags theoretically should have gone up and the AC system should have been immediately quarantined.
The problem, essentially, is “a lack of proper controls and visibility on the part of IT and security staff," says Kevin Beaver, principal information security consultant at Principle Logic. Once users connect these systems, they stay connected and fly under the radar.
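The visibility gap Beaver describes, and the segmentation failure in the Target example above, can both be caught by routinely auditing what the network actually hands addresses to. The following is an added illustration, not code from the article or from either analyst; the lease format, the approved OUI prefixes, the asset inventory and the VLAN names are all constructed for the example.

```python
"""Flag unmanaged ("shadow IoT") hosts from DHCP lease records.

Added example; the lease format, OUI table, inventory and VLAN labels are
constructed stand-ins for whatever the real DHCP server and CMDB export.
"""
from dataclasses import dataclass

# Constructed lease lines: "<ip> <mac> <hostname> <vlan>"
LEASES = """\
10.10.20.14 00:11:22:aa:bb:01 laptop-j.smith pos
10.10.20.31 00:11:22:aa:bb:09 hvac-ctrl-2 pos
10.10.30.77 aa:bb:cc:00:01:02 smart-tv-lobby guest
10.10.20.40 aa:bb:cc:00:01:77 hvac-ctrl-1 pos
10.10.10.5 00:11:22:aa:bb:42 srv-db-01 server
"""

MANAGED_OUIS = {"00:11:22"}          # constructed: vendor prefixes IT manages
INVENTORY = {"laptop-j.smith", "srv-db-01", "hvac-ctrl-1"}  # constructed CMDB
SENSITIVE_VLANS = {"pos", "server"}  # segments where IoT must never sit


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    vlan: str
    reason: str
    severity: str


def oui(mac: str) -> str:
    """First three octets of a MAC address identify the vendor."""
    return mac.lower()[:8]


def audit_leases(text: str) -> list[Finding]:
    """Return one Finding per lease that IT either does not know about
    or knows about but has allowed onto a sensitive segment."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host, vlan = line.split()
        managed_vendor = oui(mac) in MANAGED_OUIS
        known_asset = host in INVENTORY
        if known_asset and managed_vendor:
            continue  # normal managed endpoint
        if not known_asset:
            reason = "not in asset inventory"  # the shadow-IoT case
        else:
            reason = "inventoried IoT device on a sensitive segment"  # Target case
            if vlan not in SENSITIVE_VLANS:
                continue
        severity = "high" if vlan in SENSITIVE_VLANS else "low"
        findings.append(Finding(ip, mac, host, vlan, reason, severity))
    return findings
```

High-severity findings are the ones to quarantine first: a device IT never inventoried, or a known IoT controller, sitting on the same VLAN as payment or server hosts.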
Security risks are inevitable, Beaver says. "These devices can have vulnerabilities—unsecure configurations, weak passwords, missing patches, and so on—that can be exploited, leading to the compromise of business systems across the network."
The work-from-home rush as a result of the coronavirus pandemic has made corporate networks somewhat more at risk from shadow IoT, adds Kerravala. "You may have a secure VPN from a user to the corporate network, but that's a dedicated pipe for all the home devices as well. Xboxes, garage door openers, smart ovens, and more could be compromised and become back-door access points to the company."
Securing IoT devices can be tough, says Kerravala, because many are made as low cost as possible and never designed to be secure. They also find and connect to networks with no help from users.
One particular area of concern is healthcare, where IoT devices range from large and expensive, like network-enabled MRI machines, to small and transient ones carried by visitors. "This area really is life and death," Kerravala says. Beyond that, healthcare systems are juicy targets for hackers.
"People think hackers go after credit cards," says Kerravala, "but they really want medical information. If they know your illness they can prey on your hopes with phishing emails." If a family member has cancer, for instance, any email offering a webinar on a new treatment will have a higher click rate. Healthcare IoT devices are often the access point to such information.