Less than a decade after the establishment of the TCP/IP protocol, enterprising engineers at Carnegie Mellon decided it was a good idea to give their local vending machine access to the Internet. That first “thing” connected to the Internet started a slow burn that has turned into an absolute conflagration.
Sometime in 2009 the “things” on the internet started to outnumber people, and the future will include trillions of dollars in investment in IoT. IoT devices have made many facets of modern living easier (though we might question the value of an internet-enabled toaster), but they have also increased the potential for attacks.
Every connected device contains possibly flawed software, and because many of these devices are connected to critical devices (in-home cameras and door locks), they represent an outsized potential for damage. Outside IoT-specific attacks, insecure IoT devices can be co-opted for more traditional attacks, such as the use of the Mirai botnet for distributed denial of service.
These problems are exacerbated because it seems like security for these devices is even more of an afterthought than it is in other software. Toss in an inability to easily patch vulnerable software and less-than-stellar long-term support, and it’s obvious that any assessment of the security risk of an organization should contain an evaluation of IoT devices.
That’s exactly what we will explore in this series of blog posts: how IoT affects the risk surface of organizations. We italicize that to emphasize that this isn’t a study of home-based devices, as is typical for IoT research. As we’ve done when examining up-to-date TLS deployment and unsafe services, we’ll examine the prevalence of IoT devices within organizations, what types of devices we see, and how the presence of insecure IoT devices can correlate with other types of problems. We examine RiskRecon’s dataset of millions of hosts controlled by more than 35k organizations.
Download our IoT device study to get the full details on our research or stay tuned to our blog for upcoming posts in this series.