Internet of Things (IoT) devices are notorious for their lack of security features, making them attractive to hackers who can use them as soft access points to reach critical systems on the wider corporate network. In addition, these devices may be invisible to corporate IT administrators. For these reasons alone, companies should forbid employees from bringing IoT devices into the workplace.
Now there is yet another reason for concern about the presence of IoT devices in the workplace: state actors like Russia are targeting IoT devices present in high-profile sectors like government, defense, technology, medicine and engineering.
Once an IoT device is penetrated, malware is inserted and a scan is launched to discover other insecure devices. As it discovers more devices, a script is dropped to establish persistence on the network and continue hunting. Infected devices and systems communicate with an external command and control server to receive further instructions.
The most popular operating system used by IoT devices is VxWorks. It powers over 2 billion devices worldwide. As reported by Wired, 11 vulnerabilities have recently been found in VxWorks’ networking protocols, six of which could give an attacker remote device access, and allow a worm to spread the malware to other VxWorks devices around the world. The bugs have been present in most versions of VxWorks going back to version 6.5, released in 2006.
IoT devices are designed to face the Internet and instantly communicate with other devices. Often they are plugged in without the user changing the default factory settings. This is an open invitation to hackers and it can render corporate investments in advanced security tools useless. This situation gets worse over time. If the IT department doesn’t know these devices exist, chances are they will not be patched and maintained, making them easier prey for a much wider universe of newbie hackers bent on doing mischief.
The number of deployed IoT devices currently outnumbers the population of personal computers and mobile phones combined. It is likely that more vulnerabilities will be discovered in these devices. The threat posed by IoT devices far outweighs their convenience. Until they can be proven secure and properly integrated into the IT management scheme, companies can greatly improve their security posture by forbidding them in the workplace and removing them whenever they are found.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.