OpenDNS Report Details the Enterprise Risk of IoT


This week OpenDNS released a report on the Internet of Things and Enterprise security. I found this report to be one of the most thorough, yet troubling, to date. I wanted to use this blog to summarize the findings and provide some context in which Enterprises can approach safety and the Internet of Things.

The report highlights a number of key areas. The first is one most companies are already aware of: the IoT will introduce new avenues of exploitation for all sectors of business. Perhaps one of the most troubling points in the survey was that of the 500 IT environments surveyed, 23% reported having no controls around IoT devices connecting to the network. I would argue that even the 77% who claim to have controls have, in practice, no ability to enforce them. This is a catastrophe waiting to happen in some of the world’s most sensitive verticals. The report specifically calls out higher education, managed services and the highly regulated healthcare industry as the most connected companies it observed.

In looking at healthcare for instance, the report revisited the Samsung Smart TV, which was the subject of a blog that I wrote a couple of months ago. Samsung’s Smart TV privacy policy indicated that the TV was constantly monitoring voice activity and transmitting this information to a third party. While this function can be turned off, it’s unlikely that many companies do it. After all, it negates the point of a Smart TV. OpenDNS decided to test the TV; their results found that the TV was beaconing even when not in use so long as it was powered on. To add fuel to the fire, the TV also beacons to a domain using an untrusted certificate, which the report notes has no logical use case. While the research didn’t find anything inherently malicious about the TV’s beaconing, it’s important to note that this is just additional information for hackers to monitor use. Likewise, these TVs have a microphone and a web interface, making them a perfect - dare I say easy - attack for a targeted hacker.

Andrew Hay, the report’s writer, also went on to explore the number of consumer devices entering and connecting to the corporate infrastructure. While they removed the data from FitBits for the purpose of the report, OpenDNS notes that the majority of the 70B daily Internet requests that it examined from Enterprise companies came from not just TVs, but from consumer products like FitBit, Nest, and Western Digital’s cloud service. These types of consumer services are keeping company in what OpenDNS called “Bad Internet Neighborhoods.” According to Hay, these IoT devices are being hosted in environments that also house malicious domains and some are even susceptible to vulnerabilities such as Heartbleed and FREAK.

Of course, these problems will only perpetuate as IT departments struggle to identify these holes in their environment. And even once detected, some of the vulnerabilities remain outside of IT control. Patching, for instance, isn’t feasible with consumer devices. And especially in healthcare, many of these IoT devices were never designed to receive patches.

IoT is in the enterprise, and it’s penetrating deeper into the most sensitive verticals. DNS is an excellent instrument to identify the existence of devices and monitor them for malicious behavior; perhaps the important first step is in the detection of these devices and a layered approach to this detection and security. Finally, Hay recommends that Enterprise companies move beyond BYOD and develop a comprehensive IoT policy for employees. Of course, with the majority of new employees entering the workforce being accustomed to an “always on” lifestyle, policies will be disregarded. The main takeaway from the report lies in the data. This is a great instrument for CISOs to take to the boardroom to reinforce the need for continued investment in IT security.
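As an added illustration of using DNS to find IoT devices and spot beaconing like the Smart TV's (this is not code from the OpenDNS report), the sketch below inventories clients by queried vendor suffix and flags near-constant query intervals. The log format, the `.example` vendor suffixes, the sample lines and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical watchlist (assumption): vendor suffix -> device type.
IOT_SUFFIXES = {"smarttv-vendor.example": "smart TV",
                "tracker-vendor.example": "fitness tracker"}

# Constructed sample log, one query per line: "<epoch seconds> <client IP> <name>"
SAMPLE_LOG = """\
1000 10.0.5.21 telemetry.smarttv-vendor.example
1010 10.0.9.40 sync.tracker-vendor.example
1100 10.0.1.7 www.evilsmarttv-vendor.example
1300 10.0.5.21 telemetry.smarttv-vendor.example
1450 10.0.9.40 sync.tracker-vendor.example
1601 10.0.5.21 telemetry.smarttv-vendor.example
truncated-line
1899 10.0.5.21 telemetry.smarttv-vendor.example
2200 10.0.5.21 telemetry.smarttv-vendor.example
3200 10.0.9.40 sync.tracker-vendor.example
"""

def classify(qname):
    """Return the device type if qname falls under a watched suffix, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare whole labels so "evilsmarttv-vendor.example" does not match.
    for i in range(len(labels)):
        kind = IOT_SUFFIXES.get(".".join(labels[i:]))
        if kind:
            return kind
    return None

def analyze(log_text, min_queries=4, max_jitter=0.1):
    """Inventory IoT clients and flag near-constant query intervals (beaconing)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        kind = classify(parts[2])
        if kind:
            seen[(parts[1], parts[2].lower().rstrip("."), kind)].append(int(parts[0]))
    findings = []
    for (client, qname, kind), stamps in sorted(seen.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Beacon: enough samples and interval spread small relative to the mean.
        beacon = (len(stamps) >= max(min_queries, 3) and mean(gaps) > 0
                  and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"client": client, "device": kind, "name": qname,
                         "queries": len(stamps), "beacon": beacon})
    return findings
```

A device that shows up in the inventory without the beacon flag is still worth a look: the flag only fires once enough evenly spaced queries have been seen.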
