How You Might Attack Your Company Network With Shadow IoT
There are a lot of cool and interesting gadgets within the Internet of Things (IoT), but many of them don’t have proper security installed. This creates a problem called “shadow IoT,” where users may unknowingly allow hackers to break into corporate networks.
Let’s explore what “shadow IoT” is, and how you may be adding to the problem.
What Is Shadow IoT?
Shadow IoT sounds like an illegal market for smart home devices, but the reality is a little scarier. It’s when users introduce devices onto a business’ network without telling anyone about it.
A business needs to know what’s connected to their networks. The company needs to protect its assets from security breaches, so they need to keep a close eye on what’s connecting to prevent hackers from gaining access.
A decade or two ago, this was easy. The company network only featured the workstations around the office, so there was no real fear of outside devices being brought in.
These days, however, employees will often bring their own devices to the office and attach them to the company network. This includes smartphones, personal laptops, fitness trackers, and even portable consoles for break time.
Now the network admin has a bigger problem. People can bring in devices from outside and hook them up to the network without the admin knowing. This opens the door for attacks to take place from unknown sources.
How Bad Is the Shadow IoT Problem?
Of course, this threat only applies if employees are actually bringing devices onto company property. If nobody is, the shadow IoT problem solves itself. So, how many devices are “sneaking” onto the network without the network administrator knowing?
To answer this, let’s take a look at Infoblox’s report, “What’s Lurking in the Shadows 2020.” This report aims to figure out how many shadow IoT devices are on a company’s network, and which countries have the largest amount of them.
The report asked companies in different countries to locate shadow IoT devices on their network. On average, 20 percent of these companies found nothing. 46 percent found between 1-20 unknown devices, and 29 percent found between 21-50 devices. A tiny fragment found over 50 devices using their network that they didn’t know of before.
Why Is Shadow IoT a Problem?
So, why is it bad that employees are bringing their own devices to work? Why does it matter that there are “hidden” devices on the network?
The main problem is that there’s no guarantee that these “hidden” devices are properly secured. Badly-made IoT devices will have multiple security flaws ripe for exploiting. As a result, if a virus has snuck onto one of these devices, it may spread when connected to a network.
Not only that, but these devices often keep a connection open in case a user or service wants to access it. The end result is an insecure device that keeps its doors open for connections; a hacker’s dream.
When an employee puts an exploitable device on the company network, it creates an entry point for a hacker. Hackers are always scanning the internet for open ports, and if they find the employee’s insecure device, they may try to break into it.
If a hacker manages to get into an employee’s device, they can use it as a stepping stone to launch attacks on the company’s internal network. If this succeeds, the hacker is then in a strong position to distribute ransomware, access restricted information, or cause damage.
Which IoT Devices Are Safe to Use?
The big problem with IoT devices is that none of them are truly “harmless” to a network. As hackers have proved over time, if it can connect to the internet, it can be hacked, no matter how simple the device is.
For example, it’s easy to imagine what a hacker can do with a home CCTV system. However, a simple device like a smart bulb has to be safe. After all, what could a hacker do with a smart bulb?
As it turns out, they can do quite a lot. A recent study showed that Philips Hue bulbs could be used to launch an attack on a home network. As a result, this hack proved that an IoT device can’t be truly unhackable; the world just finds a better hacker.
This isn’t the first time that a hacker exploited a “too simple to hack” IoT device. A casino suffered a hacking attack where intruders got their hands on the high rollers database. The hacker’s entry point was an aquarium thermometer in the lobby.
There are plenty more scary IoT hack stories out there that show how hackers can exploit anything with an internet connection.
What Can You Do About Shadow IoT?
The best way to tackle shadow IoT is to not follow the IoT craze. While an internet-connected toaster may sound novel and fun, it creates another point of entry for a hacker to get onto your network. As such, it’s best to stick with “dumb” devices; it’s harder for a hacker to crack a device if it’s offline!
If you can’t live without an IoT device, you can put it on mobile data instead. If the device can’t connect to mobile data, turn your phone into a hotspot and connect the device to it. By moving the device off of your company’s network, it’s no longer a security threat.
When back home, use a separate network for your IoT devices, keeping your private PCs and phones on your primary one. If you do, your home devices are safe on your main network where an IoT hacker can’t get them. You may not need to purchase a new router; just create a guest network on your current one and put your IoT devices on it.
If you’re an employer or business owner, look into using another network for employee phones and gadgets. If you do this, any hackers that break into your employee’s devices can’t reach your main network where the sensitive data is.
Illuminating the Problems With Shadow IoT
IoT devices, by themselves, can be very dangerous. When an always-online design pairs with flawed security, it creates a hacker’s dream and a network manager’s nightmare. Fortunately, you can do your part by keeping IoT devices off of the main networks, whether you’re at work or relaxing at home.
If you’d like to learn how insecure IoT devices can be, check out these common IoT security issues and fixes .
Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.