But Harrington noted that there are IoT devices mainly aimed at the consumer market that are common in enterprises as well.
“The prime example is the smart TV,” he said. “You can’t walk into a conference room without seeing a large monitor for presentations or conferences. They’re generally the same things that a consumer would buy.
“And what’s compelling is that TVs have a tremendous amount of computational power. Adversaries like that because it enables them to do a lot of things,” he said.
To avoid getting burned by IoT vulnerabilities, the panelists said IT departments need to know what is connected to their internal environment. Right now they frequently don’t.
Baxley, whose firm uses a software-defined radio sensor to scan for radio-enabled IoT devices on a network, told of a job his firm did for a major credit processing company, where the director of IT security “was sure that the data center would be free of unknown wireless. It was very secure – even the employees were escorted in.
“But as soon as we turned on the sensors, we saw that all the HVAC units were beaconing ZigBee (a short-range wireless protocol) – you could clearly see them on the UI,” he said.
“Theoretically you could ‘talk’ to them from the parking lot, which makes it an interesting attack vector.”
Baxley added that the newer, cheaper, wireless protocols on the market have a much longer range, which would allow attackers to operate from farther away. “Now I don’t have to be 200 meters away, I could be two kilometers away to talk to it and mess with it (a device),” he said.
The panelists stressed that the risk is not so much that an individual device is compromised, but that it provides a gateway to the network. Harrington called them “stepping stone” attacks.
“Even a modestly sophisticated attack is not after the end victim directly,” he said. “The proverbial question is that if someone hacks my light bulb, who really cares? But what it means is that it is a pivot point into the network. You find the weakest link in a trust chain and then leverage trust or access to get to the final victim.”
And, as security experts have been saying for years, IoT devices are rarely designed with security in mind. The third panelist, Drew Fry, manager of PwC’s Cyber Threat Detection and Response practice, noted that “the development cycle – the time engineers have to design and develop the chips, select the protocols and then go to market – is so insignificant that to stay competitive, they are going to the easiest, most vulnerable thing. Not because they don’t care but because it works. It’s easy to make Telnet work. It’s easy to use built-in, default root passwords,” he said.
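The panel's two practical points, that IT departments rarely know what is actually connected and that IoT devices ship with Telnet and default root passwords, come together in an inventory reconciliation check. The script below is an added example, not code from the article, from Baxley's firm or from PwC: it compares what scanners observed (a wired port scan plus a radio sensor) against the asset inventory and turns each gap into a finding. Every device identifier, vendor name and inventory entry is constructed sample data.

```python
"""
Added example, not code from the Computerworld article or any panelist's firm:
reconcile what scanners actually observe on a network against the IT asset
inventory, so that the gaps the panel described become findings an IT department
can act on. Every device, vendor name and identifier below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TELNET_PORT = 23  # cleartext remote login; the "easy to make work" default the panel criticised


@dataclass(frozen=True)
class Observation:
    """One device as seen by a scanner: a wired port scan or a radio (RF) sensor."""
    device_id: str                 # MAC address for wired hits, a radio-derived ID for RF hits
    source: str                    # "wired" or "rf"
    vendor: str
    open_ports: Tuple[int, ...] = ()
    protocol: str = ""             # RF observations only, e.g. "zigbee"


@dataclass(frozen=True)
class Asset:
    """What the inventory says a device is and whether it is allowed to radiate."""
    description: str
    wireless_allowed: bool


@dataclass(frozen=True)
class Finding:
    device_id: str
    issue: str      # "unknown-device", "unexpected-wireless" or "telnet-exposed"
    detail: str


def reconcile(observations: Iterable[Observation],
              inventory: Dict[str, Asset]) -> List[Finding]:
    """Compare observed devices with the inventory and emit one finding per problem."""
    findings: List[Finding] = []
    for obs in observations:
        asset = inventory.get(obs.device_id)
        if asset is None:
            findings.append(Finding(obs.device_id, "unknown-device",
                                    f"{obs.vendor} seen via {obs.source} scan but not in inventory"))
        if obs.source == "rf" and (asset is None or not asset.wireless_allowed):
            # A beacon from an HVAC controller in a "wireless-free" data centre is
            # exactly the surprise Baxley's sensors produced.
            findings.append(Finding(obs.device_id, "unexpected-wireless",
                                    f"{obs.protocol or 'unknown'} beacon from {obs.vendor}"))
        if TELNET_PORT in obs.open_ports:
            findings.append(Finding(obs.device_id, "telnet-exposed",
                                    "Telnet open; check for default credentials and disable it"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by issue type, for a quick report."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample inventory and scan results (not real devices).
SAMPLE_INVENTORY: Dict[str, Asset] = {
    "00:11:22:33:44:01": Asset("Conference room smart TV", wireless_allowed=False),
    "00:11:22:33:44:02": Asset("Core switch management", wireless_allowed=False),
    "rf-zigbee-0002":    Asset("Badge reader (ZigBee approved)", wireless_allowed=True),
}

SAMPLE_OBSERVATIONS = [
    Observation("00:11:22:33:44:01", "wired", "ExampleTV", open_ports=(80, 23)),
    Observation("00:11:22:33:44:02", "wired", "ExampleNet", open_ports=(22, 443)),
    Observation("rf-zigbee-0001", "rf", "ExampleHVAC", protocol="zigbee"),
    Observation("rf-zigbee-0002", "rf", "ExampleAccess", protocol="zigbee"),
]


if __name__ == "__main__":
    results = reconcile(SAMPLE_OBSERVATIONS, SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.device_id:20} {f.issue:20} {f.detail}")
    print(summarize(results))
```

Run against the sample data, the script flags the smart TV for exposed Telnet and the HVAC controller twice, once as an unknown device and once as an unexpected ZigBee beacon, while the approved badge reader and the switch produce nothing. The inventory's `wireless_allowed` flag is the design choice that matters: without it, every radio hit would be noise, and with it a "wireless-free" zone becomes something that can actually be verified rather than assumed.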