A significant amount of network traffic from Internet of Things (IoT) devices on corporate networks is transmitted in plaintext and without basic security measures, according to a new report from security company Zscaler.
Of the IoT traffic observed, 83 percent of transmissions were made in plaintext, while only 17 percent used SSL to secure the information.
No devices appeared to transmit only over SSL or only in plaintext; they all used a mix of the two.
The report comes from Zscaler’s ThreatLabZ using data from the Zscaler cloud.
As such, it doesn’t represent the entirety of all internet traffic, just that which uses the Zscaler cloud, or about 33 million IoT transactions per day.
“The analysis showed that some devices are not following proper security practices, which makes them vulnerable to crafted attacks,” according to Zscaler, which outlined four of the most common security issues it observed:
- Plaintext HTTP communication to servers for firmware or package updates
- Plaintext HTTP authentication
- Use of outdated libraries
- Weak or default credentials
“The use of plain text is risky, opening traffic to sniffing (for passwords and other data), eavesdropping and man-in-the-middle attacks, and other exploits, which is why it is no longer used for the vast majority of web and application traffic.”
Careful readers will recognize these issues from many other attacks.
The Mirai botnet, for example, was extremely successful by targeting specific IoT devices with preset credentials.
The good news is that the vast majority of the traffic Zscaler observed is normal enterprise traffic, such as data collection terminals, digital signage media players, industrial control devices, medical devices, networking devices, payment terminals, and printers.
Zscaler also found some unauthorized IoT traffic, such as digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smartwatches, and even automotive multimedia systems.
“The lines between company-issued and privately owned devices have blurred greatly and while one can deduce that an automotive multimedia system is not authorized, it is more difficult to determine whether traffic driven by the many other devices identified in this report is authorized or not,” said Deepen Desai, VP of Security Research at Zscaler.
“IT teams need better visibility into their infrastructure so they are able to see what IoT devices are accessing their networks and determine which should be there and which should not.”
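One way to start on that visibility, as an added example that is not from Zscaler's report: a script that reads web-proxy records and flags the first two issues listed above (plaintext update downloads and HTTP authentication in the clear), plus each device's plaintext share. The tab-separated log format, device names, URLs, and path heuristics are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: device, method, URL, Authorization header sent?
# The format and every value are assumptions made for this example.
SAMPLE_LOG = """\
signage-01\tGET\thttp://updates.example.com/fw/player-2.1.bin\tno
signage-01\tGET\thttps://cdn.example.com/playlist.json\tno
printer-07\tPOST\thttp://print.example.com/api/login\tyes
printer-07\tGET\thttps://print.example.com/status\tyes
camera-03\tGET\thttp://cam.example.net/packages/update.tar.gz\tno
camera-03\tGET\thttp://cam.example.net/snapshot.jpg\tno
camera-03\tGET\thttps://cam.example.net/time\tno
"""

# Heuristics (assumed, tune per environment) for firmware/package fetches.
UPDATE_HINTS = ("/fw/", "/firmware", "/update", "/packages/")
UPDATE_SUFFIXES = (".bin", ".img", ".ipk", ".deb", ".tar.gz")

def looks_like_update(path):
    p = path.lower()
    return p.endswith(UPDATE_SUFFIXES) or any(h in p for h in UPDATE_HINTS)

def analyze(log_text):
    """Return (findings, plaintext share per device) for proxy log text."""
    findings = []
    counts = defaultdict(lambda: {"http": 0, "https": 0})
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed records
        device, _method, url, has_auth = fields
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            continue
        counts[device][scheme] += 1
        if scheme == "http":
            if looks_like_update(parts.path):
                findings.append((device, "plaintext-update", url))
            if has_auth == "yes":
                findings.append((device, "plaintext-auth", url))
    shares = {d: round(c["http"] / (c["http"] + c["https"]), 2)
              for d, c in counts.items()}
    return findings, shares

if __name__ == "__main__":
    found, shares = analyze(SAMPLE_LOG)
    for device, issue, url in found:
        print(f"{device}: {issue}: {url}")
    for device, share in sorted(shares.items()):
        print(f"{device}: {share:.0%} of requests in plaintext")
```

Devices that mix HTTP and HTTPS, as every device in the report did, show up here with a share strictly between 0 and 1.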
This increasing threat was mirrored in Zscaler’s report.
The company blocked 2,000 pieces of IoT malware in May 2019 but now blocks 14,000 per month.
To secure corporate networks, Zscaler recommends IT departments get a handle on the unauthorized IoT devices making their way onto corporate networks.
The company also advises changing default credentials on known IoT devices—such as smart TVs used for video meetings—applying frequent updates, and restricting access to IoT devices on external networks, such as an employee’s home security camera.
Zscaler also recommends putting IoT devices on a separate network.
That way, if a bad guy is able to worm their way into an IoT device, they won’t get to critical systems.
While IoT devices have allowed consumers to yell at their TVs to change the channel and ask Alexa how many angels can dance on the head of a pin, they’ve also become a target for attackers.
IoT malware is sometimes harder to spot and fix than PC malware, because these devices sometimes do not have user-accessible interfaces and cannot run antivirus software.