

Most IoT Transactions Are Not Secure: Report


The majority of IoT transactions use little or no basic security, and there is a great deal of unauthorised IoT taking place inside enterprise firewalls thanks to shadow IT, a recent study finds.

Security vendor Zscaler analysed nearly 500 million IoT transactions from more than 2,000 organisations over a two-week period. The survey found 553 different IoT devices from more than 200 different manufacturers, many of which had their security simply turned off.

The study was done on Zscaler’s own Internet Access security service. It found the rate of IoT growth to be huge: when Zscaler first started monitoring IoT traffic in May 2019, its enterprise customer base generated 56 million IoT transactions per month.

By February 2020, that number had rocketed to one billion IoT transactions per month, a 1,500% increase.


Zscaler uses a bit of artistic licence in what it defines as enterprise IoT devices. The range runs from data-collection terminals, digital signage media players, industrial control devices and medical devices to decidedly home devices like digital home assistants, TV set-top boxes, IP cameras, smart home devices, smart TVs, smart watches and even automotive multimedia systems.

“What this tells us is that employees inside the office might be checking their nanny cam over the corporate network. Or using their Apple Watch to look at email. Or working from home, connected to the enterprise network, and periodically checking the home security system or accessing media devices,” the company said in its report.

What’s troubling is that around 83% of IoT-based transactions are happening over plaintext channels, while only 17% are using SSL. The use of plaintext is very risky, opening traffic to packet sniffing, eavesdropping, man-in-the-middle attacks and other exploits.

Zscaler said it detects about 14,000 IoT-based malware exploits per month, a seven-fold increase over the previous year.

“Folks can keep their smart watches, smart closets, and whatever else they think is making them smart. Banning devices is not going to be the answer here. The answer is changing up the narrative on how we think about IoT devices from a security and risk standpoint, and what expectations we put on manufacturers to increase the security posture of these devices,” wrote Deepen Desai, Zscaler’s vice president of security research, in a blog post.

Desai said the solution is “taking a zero-trust mentality.” It may be a buzzword, but “it’s about security people not trusting any person or device to touch the network—that is, until you know who the user is, what the device is, and whether that user and device are allowed to access the applications they’re trying to reach.”

Naturally, Zscaler sells such a solution, but he makes a valid point. IoT manufacturers in particular don't seem to consider the consequences of their actions, and security is often an afterthought.

Opinion: At the very least, use SSL and do not continue to send information in plain text; that is just asking for trouble.
