News of former Microsoft head of product Panos Panay’s exit caused a small stir in the tech industry when it was learned he would join Amazon to lead that company’s product division. Closely associated with Microsoft’s Surface line, Panay is now the strategic architect for what Amazon envisions as a “device ecosystem” that today consists of the Alexa, Echo, and Fire TV brands. Precisely what Amazon and Panay have in mind for that ecosystem has yet to be announced, but the cybersecurity community should pay close attention.
Whether industrial, scientific, medical, or consumer, the number of Internet of Things (IoT) devices being developed, produced, sold, and connected to networks is on the rise. Research firm IoT Analytics believes there will be nearly 30 billion IoT devices in use by 2027, more than twice what it estimates were in service just five years ago. Every one of those internet-connected devices is a potential security threat for the enterprises that deploy them. And even if all the devices that Panay’s product team develops for Amazon are meant solely for the consumer market, they will still increase the threat to commercial, government, healthcare, educational, and other organizations. To believe otherwise is simple naiveté, and here’s why.
Consumer IoT devices are already operating in commercial networks in large numbers, and that ubiquity makes it inevitable that many of those future Amazon ecosystem devices will find their way onto corporate networks, too. Our post-discovery analysis of connected devices found in commercial environments shows that between 15% and 20% of the total inventory of operating devices was previously unknown to IT and security teams, including things like Kegerators, Ring-type surveillance cameras, and Tesla automobiles.
Sometimes those consumer-grade devices have a legitimate purpose for deployment in a commercial network. For example, we’ve discovered Peloton exercise bicycles used in healthcare facilities for patient rehab, and Alexa smart speakers used to help receptionists and others with administrative duties. But we’ve also found things like gaming consoles in a police precinct station sapping bandwidth and IT efficiency. Often these devices operate outside the view of security teams, and since they are not engineered to be managed and secured by IT, they represent a serious security gap that threat actors are all too eager to exploit. In fact, a recent report by Microsoft described “a sophisticated attack campaign” targeting IoT devices.
Whether they are the point of entry or a pathway attackers use to reach their target, undiscovered and vulnerable IoT devices already represent a major challenge for security leaders. In May of 2023 Amazon announced it had shipped more than a half-billion Echo devices since introducing the product in 2014. If Amazon’s device ecosystem ambitions include new categories of products that, in aggregate, reach a similar scale, and millions of new devices are shipped each year, that will be a problem for security teams. Even if only a small fraction of those devices find their way onto corporate networks, they will create new security challenges and compound existing ones for organizations not adequately prepared for the increased risk, especially if they have no way of discovering, monitoring, and ultimately securing those devices.
Amazon’s hiring of Panos Panay and its investment in product innovation is a good thing. As with the success of the Echo and Alexa product families, the popularity of any new devices created under Panay’s leadership will mean that those products, whatever they do, have made our lives better in some way. And because success breeds success, large competitors like Microsoft, Google, and Apple will follow suit, and many more smaller innovators will be inspired to create other new and exciting devices.
Amazon’s announcement should be taken as fair warning that enterprise IT networks will soon be even harder to defend. Forward-thinking IT security leaders must ask themselves, “Do I know what devices are on my network now? Do I know where these devices are and what they are doing? Do I know what impact they have on my risk analysis?” The good news is that preparations made today can address the security risks that will come with a flood of new consumer IoT devices.