Oh great. The world’s internet security professionals are increasingly worried about what they are calling the Internet of Evil Things.
These concerns stem from the risks posed by connected Internet of Things (IoT) devices — a problem which is set to grow, even as resources and visibility into such connected devices have stagnated, according to a new survey.
The study of the views of more than 400 global IT security professionals, called “The Internet of Evil Things: Top Connected Device Threats 2016” and published by InfoSec outfit Pwnie Express, shows that even as awareness of vulnerable devices grows in 2016, information security (InfoSec) professionals are not ready or equipped to manage the consequences.
The Connected Device Problem
According to the study, an overwhelming majority (86 per cent) of InfoSec professionals are concerned with connected device threats, with 50 per cent either “Very” or “Extremely” concerned.
Their fears have risen sharply in the last 12 months, with 67 per cent more worried about connected device threats than they were a year ago.
Perhaps most troubling is what is driving their concerns — first-hand experience. More than half (55 per cent) have witnessed an attack via a wireless device, and 38 per cent have witnessed an attack via a mobile device, according to the study’s authors.
Blame is also sheeted home to the proliferation of wireless and mobile devices and the prevalence of BYOD and BYOx environments. In fact, more than a third of those surveyed said they didn’t even know how many devices were connected to their networks.
The authors note, “Additionally, 40 per cent note their organisation is ‘Unprepared’ or ‘Not prepared at all’ to find connected device threats.”
According to Paul Paget, CEO, Pwnie Express, “As the IoT universe continues to grow, the corresponding attack surface for malicious actors is growing, giving them an easy and unsecured way into your organisation’s most sensitive information — and this has understandably put information security professionals on edge.”
Yet, he said, despite ever-growing concerns around the proliferation of connected devices on and around their networks, more than one third of organisations admit to having no BYOD policy in place at all. Only 24 per cent actually have a budget in place for BYOD security technology. “This tells us that security professionals desperately need help educating the corner office and those in charge of the purse strings about the new evils and dangers their organisations face in our ever-evolving IoT world.”
Among the other findings:
- Most security professionals are not ready to monitor or detect less-common RF and off-network IoT devices;
- Eighty-nine per cent cannot see Bluetooth devices, and 87 per cent cannot monitor 4G/LTE devices in real time;
- Seventy-one per cent cannot monitor off-network WiFi devices in real time;
- Fifty-six per cent cannot monitor on-network IoT devices in real time.
Subsequently, the vast majority (71 per cent) are concerned with devices in a default, misconfigured, or vulnerable state, including devices with default passwords and “Wide-open” settings, according to the study.
When Pwnie Labs aggregated and analysed more than seven million wireless and wired devices detected by the Pwnie platform, they were able to identify some key differences between the 2014 and 2015 data.
For instance, Coolpad devices, at 30 per cent, overtook Samsung as the maker of devices accounting for the most prevalent vulnerable mobile hotspots.
HP Print, meanwhile, has overtaken Xfinitywifi as the most common default open wireless network. And HP printers are the most prevalent wireless devices deployed in a highly vulnerable default configuration, at 56 per cent. While exposing confidential print jobs and compromising corporate client devices, these printers can also be used as a back door into private corporate networks.