SecurityWeek

Coming Soon to a Network Near You: More Shadow IoT

Consumer IoT devices will increase the threat to commercial, government, healthcare, educational, and other organizations.

News of former Microsoft head of product Panos Panay’s exit caused a small stir in the tech industry when it was learned he would join Amazon to lead that company’s product division. Closely associated with Microsoft’s Surface line, Panay is now the strategic architect for what Amazon envisions as a “device ecosystem” that today consists of the Alexa, Echo, and Fire TV brands. Precisely what Amazon and Panay have in mind for that ecosystem has yet to be announced, but the cybersecurity community should pay close attention.

Whether industrial, scientific, medical, or consumer, the number of Internet of Things (IoT) devices being developed, produced, sold, and connected to networks is on the rise. Research firm IoT Analytics believes there will be nearly 30 billion IoT devices in use by 2027, more than twice what it estimates were in service just five years ago. Every one of those internet-connected devices is a potential security threat for the enterprises that deploy them. And even if all the devices that Panay’s product team develops for Amazon are meant solely for the consumer market, they will still increase the threat to commercial, government, healthcare, educational, and other organizations. To believe otherwise is simple naiveté, and here’s why.

Consumer IoT is Already a Security Problem

Consumer IoT devices are already operating in commercial networks in large numbers, and the ubiquity of consumer IoT operating on commercial networks means it is inevitable that many of those future Amazon ecosystem devices will find their way onto corporate networks, too. Our post-device discovery analysis of connected devices found in commercial environments shows that between 15% and 20% of the total inventory of devices operating were previously unknown to IT and security teams, including things like Kegerators, Ring-type surveillance cameras, and Tesla automobiles.

Sometimes those consumer-grade devices have a legitimate purpose for deployment in a commercial network. For example, we’ve discovered Peloton exercise bicycles used in healthcare facilities for patient rehab, and Alexa smart speakers for helping receptionists and others with administrative duties. But we’ve also found things like gaming consoles in a police precinct station sapping bandwidth and IT efficiency. Often these devices operate outside the view of security teams, and since they are not engineered to be managed and secured by IT, they represent a serious security gap that threat actors are all too eager to exploit. In fact, a recent report by Microsoft described “a sophisticated attack campaign” targeting IoT devices.

Amazon’s Success will Compound Security Challenges

Whether they are the point of entry or a pathway for attackers to reach their target, undiscovered and vulnerable IoT devices already represent a major challenge for security leaders. In May of 2023 Amazon announced it had shipped more than a half-billion Echo devices since introducing the product in 2014. If Amazon’s device ecosystem ambitions include new categories of products that, in aggregate, reach a similar scale, with millions of new devices shipped each year, that will be a problem for security teams. Even a small fraction of those devices finding their way onto corporate networks will create new security challenges and compound existing ones for organizations not adequately prepared for the increased risk, especially if they have no way of discovering, monitoring, and ultimately securing those devices.

Amazon’s hiring of Panos Panay and its investment in product innovation is a good thing. As with the success of the Echo and Alexa product families, the popularity of any new devices created under Panay’s leadership will mean that those products–whatever they do–have made our lives better in some way. And because success breeds success, large competitors like Microsoft, Google, and Apple will follow suit, and many more smaller innovators will be inspired to create other new and exciting devices.

Amazon’s announcement should be taken as fair warning that enterprise IT networks will soon be even harder to defend. Forward-thinking IT security leaders must ask themselves, “Do I know what devices are on my network now? Do I know where these devices are and what they are doing? Do I know what impact they have on my risk analysis?” The good news is that preparations made today can address the security risks that will come with a flood of new consumer IoT devices.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
