Security Firm’s Study Finds Thousands of IoT Devices on Company Networks

The growing number of Wi-Fi-connected shadow devices, both those provided by an employer and personal devices carried by workers, are raising threats for cyber-attacks, the report indicates.
Published: June 13, 2018

Network control firm Infoblox has released a report that finds employees are putting Internet of Things (IoT) devices on company networks at an increasing rate. According to a poll of 1,000 IT directors and 1,000 employees throughout four countries, the number of IoT devices on a company’s network could be as high as 10 to 20 per employee, with a business often unaware of those devices.

The report, titled “What’s lurking on your network: Exposing the threat of shadow devices,” found a higher-than-expected number of personal devices, including mobile phones, activity trackers, tablets and laptops. Infoblox refers to these network-consuming gadgets—tablets, smartphones and even smart televisions—as shadow devices, and says the study points to a growing security risk they might pose for companies.

Infoblox, located in Santa Clara, Calif., provides its Actionable Network Intelligence solution for network management and security threats. The company commissioned its report to better understand the challenges that companies face when it comes to managing their enterprise networks in the face of the growing popularity of IoT devices.

Although there has been significant security research around IoT, says Sean Tierney, Infoblox’s director of cyber intelligence, few of the resulting reports focus on how employee-owned IoT devices on corporate networks increase a company’s security risks. “Those shadow devices could belong to an employee,” he explains, and could either be provided by the company—and, therefore, be managed by the firm’s IT department—or could simply be a personal device that of which IT department has no knowledge. When devices that employees use at home, or in public areas, become infected, they can introduce that infection to the company’s own network, which poses a security risk for the business, as well as to anyone whose data the firm manages.

Companies throughout the United States, the United Kingdom, Germany and the United Arab Emirates responded to questionnaires regarding IoT device use, Tierney says, and the results indicated that the growth in smart devices has increased the IoT-based risk at companies more than most realize. For instance, the study found that 24 percent of U.S. employees do not know what IoT security policy their employers have in place, while one in five U.S. and U.K. workers said they don’t follow their company’s security policies for devices, even if they know about them.

That represents a security concern, Tierney says, since hackers can use connected devices to infiltrate a network. Once they’ve accessed the network, cybercriminals can utilize a command and control (C&C) server to accomplish domain name system (DNS) tunnelling. This involves inserting malware or sharing stolen information with DNS queries, thereby creating a covert communication channel that bypasses firewalls.

The study drew data from two surveys conducted during March and April of this year. One, carried out by Censuswide, included 300 IT directors each in the United Kingdom, the United States and Germany, as well as 100 in the United Arab Emirates. The other surveyed 500 employees between the ages of 20 and 65 in the United States and 500 in the United Kingdom; this survey was conducted by online survey application CitizenMe.

By sampling the two groups (management and employees), Tierney says, “We were able to understand the company expectations, as well as the employee point of view.” The study found that in the United Kingdom, the United States and Germany, 35 percent of companies had more than 5,000 personal devices connecting to their network daily, averaging 10 to 20 per employee.

U.S. and U.K. employees reported using devices on their company network to access social media (39 percent), and to download apps, games and films (24 percent in the United States, 13 percent in the United Kingdom and 7 percent in Germany). The United Arab Emirates proved an exception, however, with just 16 percent having more than 500 personal devices connecting to their networks.

Nearly half of employees using IoT devices reported utilizing fitness trackers, such as like FitBit or Gear Fit, on their employers’ network. What’s more, there are other devices in use at company facilities, including digital assistants, like Amazon Alexa and Google Home; smart TVs; smart kitchen devices, such as connected kettles or microwaves; and games consoles, such as Xbox or PlayStation.

While 88 percent of the IT leaders surveyed indicated they believe their security policy is either effective or very effective, they have reason not to be so confident. About 24 percent of employees from the United States and the United Kingdom said they didn’t know if their organization even had a security policy. Of those companies that said their organization did have a security policy for connected devices, 20 percent of U.K. respondents claimed they followed it either rarely or never. Just one-fifth of respondents in the United Kingdom and the United States reported that they followed their policy “by the book.”

Shadow device activity is, not surprisingly, highest at bigger companies, with 10 percent of respondents reporting more than 10,000 devices were typically connecting to their network. However, Tierney notes, even small businesses with between 10 and 49 employees have a significant number of devices connecting to their network, with 25 percent reporting more than 1,000 connections on an average day. That ratio rises with companies comprising 50 to 99 employees: 52 percent have 1,000 devices or more.

In addition, companies throughout the United States, the United Kingdom and Germany assign thousands of shadow personal devices, including personal laptops, Kindles and mobile phones, all of which then connect to the network. However, the United Arab Emirates has a much small number of devices connecting.

According to Tierney, the report raises significant concerns in terms of security; he cites recent events that have illustrated breaches occurring. For instance, in 2016, the Mirai botnet targeted DNS service provider Dyn (see Startup Targets IoT Hackers With New Platform). During the attack, which continued throughout a full day, prolonged interruptions to Dyn’s services resulted in many sites going down across North America and Europe.

In a previous study, titled “The Infoblox Security Assessment Report,” the company found that 35 percent of all files uploaded by its customers showed evidence of botnet activity. “The solution to solving these security risks is the breadth and depth of defense,” Tierny says, “Effective policies are ones that not only reduce risk but are also consistent with employee culture.”