The accessibility and commoditization of computing devices have brought both advantages and disadvantages for the public. Smart devices have become much more affordable, while manufacturers are motivated to release new devices faster than the market can actually afford. Enterprises are very much affected by these dynamics, given that they have allowed BYOD (Bring Your Own Device) within their premises. Companies are cornered: they have no choice but to open their doors to BYOD, as employees are more productive with their own devices than with company-issued ones.
The problem is the number of devices entering the corporate network; IT teams are having a hard time keeping track of which devices belong to whom. Aside from the traditional smartphones and tablets, smartwatches and other gadgets get connected to corporate Wi-Fi in the process. This brings convenience for everyone, but as we all know, convenience is inversely proportional to security and privacy. We have not even mentioned the increasing number of office devices that used to be standalone and are now connected to the Internet, like the smart TVs installed in conference rooms everywhere, primarily used for teleconferencing.
These unregistered employee devices, also known as “Shadow IoT”, connect to company Wi-Fi and open vulnerabilities in the very critical corporate network that the business depends on every day. As smartphones and other similar devices are less frequently updated, they carry their vulnerabilities onto the wireless LAN they connect to. Examples include smartphones with outdated versions of Bluetooth or an old version of Android that contains security vulnerabilities already patched in the latest versions.
“While most organizations prepare for IoT enablement, our threat intelligence shows that most companies are still vulnerable to 10-year-old wireless vulnerabilities. IoT introduces new operating systems, protocols, and wireless frequencies. Companies that rely on legacy security technologies are blind to this rampant IoT threat. Organizations need to broaden their view into these invisible devices and networks to identify rogue IoT devices on the network, visibility into shadow IoT networks, and detection of nearby threats such as drones and spy cameras,” explained Mike Raggo, 802 Secure’s Chief Security and Threat Research Officer.
The situation with smart devices today is similar to that of the PC industry in the early to late 90s. Back then, vendors were still experimenting, with many using their own network stack, until Windows became mainstream, which forced the entire industry to standardize around the Microsoft operating system. Today’s IoT space is awaiting its “Windows-like” episode, but it is still years off, as various vendors are competing right now to have their implementation become the industry standard.
“It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems. There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market,” added Raggo.
The Wi-Fi scene will be more secure as WPA3 becomes the standard very soon. Unfortunately, this cannot happen overnight, as not all wireless router vendors provide a firmware update that adds WPA3 encryption support to their existing devices. Also, old devices that their vendors have tagged as obsolete will never have WPA3 support. The only solution is to replace such a device with a newer one that supports the newer encryption standard, but that requires the employees who own those devices to replace a device that currently works.
The bottom line: companies and employees need to cooperate and establish a common policy in order for IoT, smart devices, and a secure network to become a possibility. Certain rights of employees over their own devices may be curtailed in the process, such as the organization mandating that only encrypted smartphones may connect to the corporate Wi-Fi. Smart devices will reach the maturity that PC users have today; it will take time, but it will surely come.