NEWS ANALYSIS: It’s apparent now that Internet of Things security is laughably bad, but you can prevent your enterprise from being the butt of the joke.
The woman on the videoconference screen looked at me in astonishment. “I didn’t think we had a call scheduled,” she said in alarm. The surprise was understandable, as she and another person seemed to be just lounging in the conference room. I disconnected the videoconferencing call immediately, and then checked my notes.
I’d transposed a digit, and I’d called an obviously unsecured videoconferencing machine somewhere. I didn’t wait to ask where, but that videoconferencing machine wasn’t the first device I’d found on the Internet. In fact, the Internet of Things has been around for years, since long before the Web was invented.
In those days, network engineers took pride in their Internet connected soft drink machines, devices programmed to warn when their coffee pot was empty or to keep tabs on the fish in their aquarium at home. None of those things had any sort of security at all. Anyone who could find the right IP address could monitor the status of these unsecured devices.
Since then, tens of millions of new things have been connected to networks around the world. We have moved far beyond connecting soft drink machines and coffee pots to much more critical devices, including surveillance cameras, printers, security systems as well as water and gas meters.
My conversations with European security experts has revealed a deep concern over the spread of these devices and the difficulty in securing them.
Now, as my friend Pam Baker explained in her column in FierceBigData, security for the IoT is notable more for its absence than anything else. Baker explains that now there’s the Shodan search engine which is specifically designed to access unsecured IoT devices. It primarily targets online cameras, but it can be used to exploit pretty much anything. In fact, the makers of the Shodan browser also market it as a means of monitoring your own network security.
While I haven’t tested the Shodan browser, press reports indicate that it’s pretty good at revealing IoT devices far beyond cameras. Some of the things the company mentions are industrial control systems and power plants controls for example.
But let’s suppose that you’d rather not have random strangers monitor your surveillance cameras or gain access to your industrial automation devices. What do you do? You start actually thinking about IoT security in your own enterprise.
This is important because even a brief lapse in security can reveal far more than you might think. When I accidentally dialed into that conference room, there was a lot more than a couple of employees lounging in the conference room. On the wall behind the couple was a white board full of notes on a strategy session and a marketing presentation was displayed on an easel next to the white board.
Suppose I’d been a competitor instead of a wayward technology writer? That brief look could have told me a lot about the company’s competitive plans.