The Internet of Things is here. By here, I mean in your home, in your car — and perhaps in your office, too. Many of the Internet-connected products revolutionizing the home also have applications in the workplace.
The danger is that these products will create shadowy networks of their own, making it difficult for administrators to manage their environments effectively, and increasing your company’s attack surface. How bad is the problem, and what can you do about it?
A Nest thermostat is just as at home in your workplace as it is at home. Indeed, there’s even a “business” option you can set during its configuration process. Philips Hue light bulbs, with their cool lighting temperature adjustments, were pretty much made for trendy creative workspaces. Then, there are connected cameras, smart TVs that double as presentation devices, and maybe even your smart office fridge.
This might be cool for employees, but it’s going to create a headache for the people who keep the IT infrastructure running smoothly, warned James Arlen, director of risk advisory services at consulting firm Leviathan Security Group.
“Anything that’s cool at home ends up in the office,” he said. “The problem is that these things aren’t designed for commercial environments.”
What kinds of problems will these devices present when they’re connected in the workplace? Your internal network may be streamlined and controlled now, but that may fall apart as the IoT finds its way in.
“You’re putting these devices into an environment that isn’t prepared for them and isn’t structured for them,” warned Arlen. “More than that, these things are setting up their own networks.”
Those networks may be based on traditional Wi-Fi, but they could also be using other radio transmission frequencies and protocols, such as the Zigbee standard designed to connect lights and sensors or Bluetooth LE. They are also likely to be using IPv6 rather than IPv4.
IoT security is often appallingly poor. Devices ship with default usernames and passwords, and then connect to your network, creating new points of vulnerability.
Seemingly innocuous devices can be manipulated in unexpected ways to divulge your tech secrets. In October, penetration testers found that an Internet-connected kettle (the iKettle) was vulnerable to attack. The device, which can be switched on using a smartphone, connects to a company’s wireless network. An attacker can force it to reconnect to their own rogue access point and then divulge the office network’s wireless key. That can get a company into a whole lot of hot water.
What to do about it
Administrators should be able to tell what devices are trying to connect to their network, and ideally ensure that they have to be authorized before joining the network. That’s a tough task as companies get larger, and many may find it too complicated.
Another approach involves segmenting the network, so that IoT devices have their own “demilitarized zone” in which to play, separate from other systems.
At the very least, administrators should ensure that they’re up to speed on administering and securing IPv6 networks. Even if you’ve been resisting IPv6 with your authorized devices, you’re probably going to be forced down that road by the uninvited guests vying for a slot on your wireless infrastructure.
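As an added illustration of the three recommendations above (not part of the original article), this short Python audit compares observed addresses against an authorized inventory, checks that each device sits in its assigned segment, and recovers the MAC from IPv6 SLAAC (EUI-64) addresses. The inventory, prefixes and observed entries are constructed assumptions.

```python
import ipaddress
# Constructed sample data (assumptions, not from the article).
AUTHORIZED = {                      # MAC -> segment the device belongs in
    "00:11:22:33:44:55": "corp",
    "18:b4:30:aa:bb:cc": "iot",
}
SEGMENTS = {                        # segment -> IPv4 and IPv6 prefixes
    "corp": ["10.0.10.0/24", "2001:db8:10::/64"],
    "iot":  ["10.0.99.0/24", "2001:db8:99::/64"],
}
OBSERVED = [                        # (address, MAC or None if not logged)
    ("10.0.10.21", "00:11:22:33:44:55"),
    ("10.0.10.77", "18:b4:30:aa:bb:cc"),
    ("2001:db8:10::1ab4:30ff:feaa:bbcc", None),
    ("fe80::a8bb:ccff:fedd:eeff", None),
    ("2001:db8:99::1ab4:30ff:feaa:bbcc", None),
]

def mac_from_eui64(addr):
    """Recover the MAC from a SLAAC EUI-64 IPv6 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]             # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":     # privacy/random addresses carry no MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, prefixes in SEGMENTS.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None                     # e.g. link-local, not tied to a segment

def audit(observed):
    findings = []
    for addr, mac in observed:
        mac = (mac or mac_from_eui64(addr) or "unknown").lower()
        expected, seen = AUTHORIZED.get(mac), segment_of(addr)
        if expected is None:
            findings.append((addr, mac, "unauthorized"))
        elif seen is not None and seen != expected:
            findings.append((addr, mac, f"in {seen}, belongs in {expected}"))
    return findings

if __name__ == "__main__":
    print(*audit(OBSERVED), sep="\n")
```

Devices that use IPv6 privacy addresses do not embed their MAC, so for those entries the MAC has to come from the router or switch neighbor table.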
You may only just be starting to see IoT activity on your network now, but make no mistake: it’s the latest development in a longer narrative that meshes consumer and corporate computing together.
We’ve already seen users bringing their own tablets and smartphones into work, and setting up their own accounts on consumer cloud services to help them with business tasks. The IoT is the next phase in this story, and it would benefit you to get out in front of the challenge.