Data gathered by security provider Zscaler shows that not only are most internet-of-things transactions unsecured, they are also unauthorized as IoT creeps in as shadow-IT devices.

The majority of Internet of Things (IoT) transactions don’t use even basic security, and there is a great deal of unauthorized IoT taking place inside the perimeter of enterprise firewalls thanks to shadow IT, a new study finds.

Security vendor Zscaler analyzed nearly 500 million IoT transactions from more than 2,000 organizations over a two-week period. The survey found 553 different IoT devices from more than 200 different manufacturers, many of which had their security turned off.

The study was done on Zscaler’s own Internet Access security service. It found the rate of IoT growth to be explosive: When it first started monitoring IoT traffic in May 2019, IoT traffic generated by its enterprise customer base was 56 million IoT transactions per month. By February 2020, that number had soared to 33 million transactions per day, or one billion IoT transactions per month, a 1,500% increase.

Zscaler is a bit generous in what it defines as enterprise IoT devices, from devices such as data-collection terminals, digital signage media players, industrial control devices, medical devices, to decidedly non-business devices like digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smart watches and even automotive multimedia systems.

“What this tells us is that employees inside the office might be checking their nanny cam over the corporate network. Or using their Apple Watch to look at email. Or working from home, connected to the enterprise network, and periodically checking the home security system or accessing media devices,” the company said in its report.

Which is typical, to be honest, and let (s)he who is without sin cast the first stone in that regard.
What’s troubling is that roughly 83% of IoT-based transactions are happening over plaintext channels, while only 17% are using SSL. The use of plaintext is risky, opening traffic to packet sniffing, eavesdropping, man-in-the-middle attacks and other exploits.

And there are a lot of exploits. Zscaler said it detects about 14,000 IoT-based malware exploits per month, a seven-fold increase over the previous year.

“Folks can keep their smart watches, smart closets, and whatever else they think is making them smart. Banning devices is not going to be the answer here. The answer is changing up the narrative on how we think about IoT devices from a security and risk standpoint, and what expectations we put on manufacturers to increase the security posture of these devices,” wrote Deepen Desai, Zscaler’s vice president of security research in a blog post.

Desai said the solution is “taking a zero-trust mentality.” It may be a buzzword but, “it’s about security people not trusting any person or device to touch the network—that is, until you know who the user is, what the device is, and whether that user and device are allowed to access the applications they’re trying to reach.”

Naturally Zscaler sells such a solution, but he makes a valid point. This is an age-old problem I have seen time and again; a hot new technology comes along, everyone rushes to embrace it, then they think about securing it later. IoT is no different.

Whatever your device, at least go into the settings and turn on SSL.