The Internet of Things of IoT offers a lot of potential, but unfortunately these Internet-connected devices also introduce a considerable amount of risk. The term Internet of Things covers any device that connects to the internet, which includes a wide range of equipment covered by your BYOD policies. As well as a substantial number that are probably not.

IoT includes devices such as traffic lights, GPS units used for cycling or walking, weather monitoring equipment, cars, some new refrigerators and washing machines, and activity trackers. An incredibly wide range of devices. Today, so many electronic devices have been developed that have Internet connectivity the mind boggles.

What’s your Point?

Any device that connects to the Internet and remains connected to the Internet for a long period of time is likely to attract the attention of hackers. They will use various tools to probe those devices. Their aim is to identify potential vulnerabilities that can be exploited. Once those vulnerabilities are located, they will be subjected to attacks, whether by brute force or by a skilled hand. Hackers will attempt to shut devices down (just because they can) or take them over with malicious intent. This will happen. This is not conjecture.

Will an electronic, Internet-connected billboard be hacked? Sure! Someone somewhere will have a humorous message they would like to display. Will someone hack a medical device such as a drug pump and change the dose of morphine that is administered to a patient? Certainly. It has already happened on at least two reported occasions. Both times were by the patients themselves. (it was very easy BTW, they got the instructions from the Internet and upped their own morphine doses!).

If it is possible to hack a device, someone will. It is just a matter of time.

Why not just make sure that all products are secure?

In an ideal world, no Internet connected device would come to market unless it was first made secure. However, this is not an ideal world. In fact, judging by the apparent ease at which hackers can compromise desktops, Smartphones, tablets, and servers, IoT devices shouldn’t pose too many problems. To make matters worse, the developers of these devices often don’t have any idea about the security of their devices. Their aim is to get a useful Internet-connected device on the market, not to prevent them from being hacked.

Many manufacturers have the budgets to develop appropriate security. The problem is that they do not. Don’t get me wrong, this is not always about them cutting corners. Oftentimes they just have no idea about how hackers will be able to take advantage of their devices or why they would choose to do so.

Unfortunately, devices are coming to market faster than it is possible to perform full security testing. Many of those devices are connected to Smartphones, tablets and laptops, from where they can be accessed and controlled. If it is possible to gain access to the equipment remotely, would it be possible to use the IoT device to gain access to the device that is used to control or monitor it? It is a distinct possibility!

How about the apps that are downloaded to control those devices? Could they be hacked? Could malicious apps for controlling a Samsung washing machine find its way into the Google Play Store? How about an app for a device that is part of the critical infrastructure?

The Danger of IoT and BYOD

Many organizations have wholeheartedly implemented a BYOD policy and are now allowing the Smartphones, tablets, and laptops of employees to be used at work. There are numerous advantages to doing this of course. The technology can be leveraged to give the employer benefits that would otherwise be unaffordable to introduce. Employees want to use their own devices at work and are often much more productive as a result. The problem however, is the security risk that these devices introduce, or have potential to introduce, is considerable. Any Internet enabled device that is allowed to connect to a corporate network could potentially be used by a hacker to launch an attack.

To tackle the security threat, a good BYOD strategy must be employed to control use of the devices. Employees must be told what they can and can’t do. Unfortunately, it doesn’t matter what you tell your employees. Some will go against company policies because it’s their device and they believe they can do what they want with it.

It is essential to perform training on security. Employees who are allowed to bring their own devices to work must have it spelled out, very clearly, what the risks are and why controls are put in place. They must be made to understand that the risk from the devices is very real, and policies exist for a very good reason. If they are unwilling to abide by the rules, they should not be permitted to use their devices at work.

A good BYOD strategy?

However, even by adopting a good BYOD strategy, you will allow the traditional security perimeter to be extended to include employees’ homes. Regardless of the controls that are used and the level of training provided, the risk that is introduced could be considerable. Employers should therefore think very carefully about the devices they allow to connect to their network. A good BYOD strategy may in fact be to prevent any BYOD devices from connecting to the network at all!