The growth of connected and interactive devices continues to threaten security and pose privacy risks, experts warn.
Speaking at Infosecurity Europe 2023, Madelein van der Hout, senior analyst for security and risk at Forrester Research, and Peter Griggs, principal cyber security engineer at Transport for London (TfL), cautioned that our increasing use of hardware, from smart speakers to surveillance cameras, risks giving attackers easy access to both domestic and corporate networks.
Connected devices, Griggs suggested, have gone from “being enablers to being a necessity.” However, we risk taking their security and resilience for granted.
The risk posed by connected devices is backed up by research. According to van der Hout, the number of businesses that have experienced attackers “trying to leverage IoT devices to get into the business” has increased from 41% to 54% during the first months of 2023.
For Griggs, at least part of the problem is due to a continued lack of basic security in devices. “Things like default credentials are used to pivot onto networks,” he said.
“These things are closed box devices. You don’t know they are sitting there until it is too late. The threat landscape is increasing with more interconnected and hybrid devices, even AV equipment in meeting rooms,” Griggs explained.
Firms might, for example, not want smart speakers in their boardrooms. “That is a big challenge,” he said.
“The greatest problem is a loss of control,” Griggs added. “Once there was a process around buying IoT, but now you can readily get hold of that equipment. You can get an Alexa at lunchtime and put it on the network. The physical security team can now have CCTV that they can view on a phone but that can allow lateral moves across.”
Organizations should look to segregate smart or IoT devices from the corporate network as far as possible, he added.
Device vendors, though, should also do more to secure devices, the speakers said.
Legislation, especially from the EU, should ensure manufacturers move away from default credentials, which lead to easy compromises.
“Vendors need to stop the use of default credentials,” said Griggs. “It’s 2023! There are other things we can use to secure these devices.”
Better use of software bills of materials (SBOMs) will also help end-user organizations identify vulnerable components, such as the Log4j library, inside the devices they deploy. Organizations should also act to raise awareness among their users, Griggs added, scrutinize devices more closely and, where possible, monitor the data traffic they generate.
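The SBOM point above in practice: an added example, not code from the talk or from any vendor, that walks a CycloneDX-style SBOM and flags components whose version falls inside a published affected range. The SBOM content is constructed for a hypothetical appliance; the single advisory entry is the well-known Log4Shell range for log4j-core (2.0-beta9 up to and including 2.14.1, CVE-2021-44228), and the version comparison handles pre-release tags such as `2.0-beta9` so that they sort below the matching release.

```python
import json
import re
from typing import List, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical camera recorder appliance.
# Not a real vendor artifact; it exists only to exercise the checker below.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"name": "busybox", "version": "1.35.0",
         # CycloneDX allows nested components; the walker below descends into them.
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
         ]},
    ],
})

# Advisory table: (group, name, first affected, last affected, identifier).
# The one entry here is the published Log4Shell range for log4j-core; a real deployment
# would load this from a vulnerability feed rather than hard-code it.
ADVISORIES = [
    {"group": "org.apache.logging.log4j", "name": "log4j-core",
     "min": "2.0-beta9", "max": "2.14.1", "id": "CVE-2021-44228"},
]


def version_key(version: str):
    """Sortable key for dotted versions with an optional pre-release tag.

    "2.0-beta9" < "2.0" == "2.0.0" < "2.0.1" < "2.14.1" < "2.15.0"
    Numeric release parts are compared as integers (trailing zeros dropped);
    a pre-release tag ranks below the release it precedes.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    release = []
    i = 0
    while i < len(tokens) and tokens[i].isdigit():
        release.append(int(tokens[i]))
        i += 1
    while release and release[-1] == 0:
        release.pop()
    if i < len(tokens):  # a pre-release tag such as "beta" or "rc" follows the numbers
        tag = tokens[i].lower()
        tag_num = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i + 1].isdigit() else 0
        return (tuple(release), 0, tag, tag_num)
    return (tuple(release), 1, "", 0)


def iter_components(components):
    """Yield every component, including those nested inside other components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def affected_components(sbom_json: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (advisory id, component name, version) for each component in range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in iter_components(sbom.get("components", [])):
        for adv in advisories:
            if comp.get("group") != adv["group"] or comp.get("name") != adv["name"]:
                continue
            key = version_key(comp.get("version", ""))
            if version_key(adv["min"]) <= key <= version_key(adv["max"]):
                findings.append((adv["id"], comp["name"], comp["version"]))
    return findings


if __name__ == "__main__":
    for adv_id, name, version in affected_components(SAMPLE_SBOM):
        print(f"{adv_id}: {name} {version} is within the affected range")
```

Only the top-level log4j-core 2.14.1 is reported; log4j-api at the same version is not in scope for that advisory, and the nested 2.17.1 copy is past the affected range. The check is only as good as the SBOM: a vendor SBOM that omits transitive or statically linked components will produce a clean result for a device that is still exposed, which is why the speakers' advice to monitor device traffic stands alongside it.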
“You can’t stop IoT devices, and the industry has come from a ‘no’ to an enabling culture. But we do need more awareness. You don’t want to put smart speakers into private places,” he concluded.
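The two pieces of operational advice in the talk, segregating IoT devices from the corporate network and monitoring the traffic they generate, as one added example that is not code from the speakers or from TfL. It assumes a hypothetical IoT VLAN (10.50.0.0/16) and corporate VLAN (10.10.0.0/16), renders the segmentation policy as an nftables forward-chain fragment (allow the listed exceptions, drop every other IoT-to-corporate flow), and then runs the same policy over constructed flow records to surface a device on the IoT side probing corporate hosts, which is exactly the "lateral move" a smart speaker or phone-viewable CCTV setup can enable.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical addressing for this example (not from the talk or any real network).
IOT_ZONE = ipaddress.ip_network("10.50.0.0/16")   # cameras, smart speakers, meeting-room AV
CORP_ZONE = ipaddress.ip_network("10.10.0.0/16")  # corporate users and servers

# The only IoT -> corporate flows the policy permits: (source subnet, destination host, TCP port).
# Constructed: the camera subnet may reach the video recorder over TLS; nothing else crosses.
ALLOWED_CROSSINGS = [
    (ipaddress.ip_network("10.50.3.0/24"), ipaddress.ip_address("10.10.8.20"), 443),
]

# Constructed flow records, "timestamp src dst dport proto" (not real logs). 10.50.7.4 stands
# in for a consumer device that someone plugged into the IoT VLAN at lunchtime.
SAMPLE_FLOWS = """\
2023-06-20T12:01:03Z 10.50.3.17 10.10.8.20 443 tcp
2023-06-20T12:01:09Z 10.50.3.18 10.10.8.20 443 tcp
2023-06-20T12:02:11Z 10.50.7.4 10.10.2.31 445 tcp
2023-06-20T12:02:15Z 10.50.7.4 10.10.2.31 3389 tcp
2023-06-20T12:03:40Z 10.10.2.31 10.50.7.4 80 tcp
2023-06-20T12:04:02Z 10.50.7.4 203.0.113.9 443 tcp
"""


def nftables_ruleset() -> str:
    """Render the policy as an nftables forward chain: explicit exceptions first,
    then a blanket drop for anything else leaving the IoT zone for the corporate zone."""
    lines = [
        "table inet iot_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for src_net, dst_host, port in ALLOWED_CROSSINGS:
        lines.append(f"    ip saddr {src_net} ip daddr {dst_host} tcp dport {port} accept")
    lines.append(f"    ip saddr {IOT_ZONE} ip daddr {CORP_ZONE} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def is_allowed(src, dst, port: int) -> bool:
    """True if the flow matches one of the listed exceptions."""
    return any(src in net and dst == host and port == p for net, host, p in ALLOWED_CROSSINGS)


def lateral_attempts(flow_text: str) -> List[Tuple[str, str, int]]:
    """Return IoT -> corporate flows the policy does not permit.

    Run over boundary flow logs, this catches a device (or an attacker on it) probing the
    corporate side regardless of whether the firewall dropped the packets: the attempt itself
    is the signal that something on the IoT VLAN is misbehaving.
    """
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src_s, dst_s, port_s, _proto = line.split()
        src, dst, port = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(port_s)
        if src in IOT_ZONE and dst in CORP_ZONE and not is_allowed(src, dst, port):
            hits.append((src_s, dst_s, port))
    return hits


if __name__ == "__main__":
    print(nftables_ruleset())
    for src, dst, port in lateral_attempts(SAMPLE_FLOWS):
        print(f"policy violation: {src} -> {dst}:{port}")
```

The camera flows to the recorder pass, the corporate-to-IoT management connection and the outbound internet flow are out of scope, and the two hits are the consumer device trying SMB and RDP against a corporate host. Keeping the allow list as data means the firewall rules and the detection logic are generated from one policy, so the monitoring cannot drift from what the segmentation is supposed to enforce.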