SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Information security professionals may not be prepared for IoT after all
Tue, 15th Mar 2016
FYI, this story is more than a year old

Risk and concern surrounding the Internet of Things (IoT) continues to grow, while related security resources and visibility into connected devices stagnates, according to new research sponsored by Pwnie Express, the wireless threat detection solutions provider.

As a result, even with awareness of vulnerable devices at an all time high, information security professionals are not ready or equipped to address the growing threat of the IoT, the research suggests.

According to the report, today, 86% of information security professionals are concerned about connected device threats, with 50% either ‘very' or ‘extremely concerned'.

Furthermore, the majority (67%) are more worried about connected device threats than they were a year ago, with first- hand experience driving heightened concern - 55% have witnessed an attack via wireless device, and 38% have witnessed an attack via mobile device.

Due to the proliferation of wireless and mobile devices and the prevalence of BYOD and BYOx environments, IT security professionals are lacking visibility, as 37% can't even tell how many devices are connected to their networks. Additionally, 40% note their organisation is ‘unprepared' or ‘not prepared at all' to find connected device threats.

On top of this:

  • Most security professionals are not ready to monitor or detect less-common RF and off-network IoT devices.
  • 89% cannot see Bluetooth devices, and 87% cannot monitor 4G/LTE devices in real time.
  • 71% cannot monitor off-network WiFi devices in real time.
  • 56% cannot monitor on-network IoT devices in real time.

Subsequently, the vast majority (71%) is concerned with devices in a default, misconfigured, or vulnerable state, including devices with default passwords and ‘wide-open' settings. Additionally, more than half (51%) are concerned about unauthorised mobile devices, access points and wearables. Corporate sponsored BYOD is also a source of concern (36%), as are personal 4G/LTE hotspots and broadband USB dongles (24%).

As part of this research initiative, Pwnie Labs, the research and development division at Pwnie Express, aggregated and analysed more than seven million wireless and wired devices detected by the SaaS-based Pwn Pulse platform to identify the following year-over-year trends when comparing 2014 and 2015 data:

  • Coolpad devices, at 30%, have overtaken Samsung as maker of devices accounting for the most prevalent vulnerable mobile hotspots.
  • HP Print, at 56%, has overtaken Xfinitywifi as the most common default open wireless network.
  • HP printers are the most prevalent wireless devices deployed in a highly vulnerable default configuration at 56%; while exposing confidential print jobs and compromising corporate client devices, these printers can be also used as a backdoor into private corporate networks.
  • Wireless Access Points (APs) remain vulnerable: 35% of APs within the last six to 12 month show weak or no encryption.

“As the IoT universe continues to grow, the corresponding attack surface for malicious actors is growing, giving them an easy and unsecured way into your organisation's most sensitive information - and this has understandably put information security professionals on edge,” says Paul Paget, Pwnie Express CEO.

“Yet, despite ever-growing concerns around the proliferation of connected devices on and around their networks, more than one-third of organisations admit to having no BYOD policy in place at all and only 24% actually have a budget in place for BYOD security technology.

“This tells us that security professionals desperately need help educating the corner office and those in charge of the purse strings about the new evils and dangers their organisations face in our ever-evolving IoT world," Paget says.