back to article Research finds consumer-grade IoT devices showing up... on corporate networks

Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models. According to Greg Day, VP and CSO EMEA of the US-based enterprise networking …

  1. A Non e-mouse Silver badge
    Facepalm

    News at 9....

    Consumer devices appearing on the corporate network? You don't say....

    This has been happening for years (I think the last buzz-phrase was "BYOD") It's why security is more than just about having a firewall on your internet connection but layers of defence.

    1. JerseyDaveC

      Re: News at 9....

      Yep, I was just having one of those "surely this can't be a surprise to anyone" moments too.

      1. Martin-R

        Re: News at 9....

        I dunno, the pet feeder was a new one on me! Though I suppose if you have an office cat...?

        1. Chloe Cresswell
        2. Neil Barnes Silver badge
          Holmes

          Re: News at 9....

          There were pet feeders all over the network at my last place of work. Mind you, I was designing them...

          1. Dwarf Silver badge

            Re: News at 9....

            Best quote I've heard so far is :

            Don't forget that the S in IoT stands for Security.

            1. Bitsminer Bronze badge

              Re: News at 9....

              And we spell Security with an F.

              What, there's no F in Security!

              (Repeat until done.)

            2. FlamingDeath Silver badge

              Re: News at 9....

              I believe that quote was from Steve Gibson on the Security Now podcast

        3. thondwe

          Re: News at 9....

          Legit - Fish Feeders on Aquariums in BioSci Dept....

    2. Stuart Castle Silver badge

      Re: News at 9....

      Ever since I've been at my current job, our Networks team has been fighting users who bring in their own home router because the corporate Wifi isn't good enough in their office. It has bad areas, but in most company buildings, the corporate WiFi is actually pretty good in my experience. One joker even used the same SSID.

      Of course, when we discover someone has bought in a router. We report the matter to their line manager, and disconnect the device.

      I believe we also have other devices (e.g. various Intelligent Assistants) that pop up from time to time..

      1. TRT Silver badge

        Re: News at 9....

        There are such things as port security settings...

      2. Version 1.0 Silver badge

        Re: News at 9....

        And when your phone connects to the work notwork? (sic)

      3. Anonymous Coward
        Anonymous Coward

        Re: News at 9....

        Oh god! Do we all remember those odd, blue, Netgear wifi routers? dhcp client on one side and dhcp server on the other...

        It occurs to me 20 years later that I really should have used a bat when disconnecting that user....it was an SAP consultant, and I remember what they were being paid per hour...

        1. IGotOut Silver badge

          Re: News at 9....

          My old network manager used to disconnect rouge kit and pop it in the security office without saying a thing....So much unclaimed kit.

          If he was in a really bad mood, he'd pop it in the dishwasher.

          1. Anonymous Coward
            Anonymous Coward

            Re: News at 9....

            Probably "rogue" kit.

            1. 2+2=5 Silver badge
              Joke

              Re: News at 9....

              It was rouge before it went in the dishwasher

            2. Richard 12 Silver badge

              Re: News at 9....

              Depends what else is in the dishwasher

              1. The Dark Side Of The Mind (TDSOTM)

                Re: Depends what else is in the dishwasher

                Fingers from undisclosed owner, stuck in RJ-45 ports.

      4. sanmigueelbeer Silver badge

        Re: News at 9....

        I used to work for a government agency where half of the staff were Navy (or ex-Navy). It was in this job where I was exposed to a term called "JFID" (just f**king do it). The term is never used in written form but always, every time, used in un-recorded meeting(s) or under-the-table project kick-offs.

        Anyway, back in 2005 and I wanted to explore WiFi in the corporate environment. The response from the senior network engineer was "no" because WPA2, then, was perceived to be "not secure". (Back then, WPA2 was so new, everything was "guilty until proven otherwise".)

        Anyway, that government agency had a 16 story corporate office. Back then xDSL was still brand new then. Combine xDSL with WiFi and what do you get? Uh-huh. Exactly.

        From the ground floor and all the way to the top, all business units (big or small) have, a minimum, one xDSL modem with WiFi. Even the IT Security Team had two (that I am aware of). Bigger business units have more WiFi modems.

        It was very common back then (about once a month) for staff or contractors to "bridge" the "highly secured" corporate network with xDSL. It was even more common for the WiFi password to be "password".

        About four years after I left, the business unit I worked for got outsourced.

      5. Anonymous Coward
        Anonymous Coward

        Re: News at 9....

        Always fun when somebody plugs something in that starts handing out DHCP addresses.

        1. A.P. Veening Silver badge

          Re: News at 9....

          Always fun when somebody plugs something in that starts handing out DHCP addresses.

          And that something can be the cheapest Raspberry Pi you can find with just an OS and a DHCP server installed. The power source for it might cost more.

    3. sabroni Silver badge
      Stop

      Re: News at 9....

      A couple of years ago there weren't the millions of homeworkers the pandemics created. "You can use your own phone and laptop" is not the same as "You can plug in any internet enabled tat". 10% of people bringing computing devices onto your network is not the same as 50% of people connecting their home lan to your corporate lan.

      Well done, you understood that BYOD was stupid. Not so clever if you can't see that this poses much bigger risks.

      1. Anonymous Coward
        Anonymous Coward

        Re: News at 9....

        We use Palo Alto's rubbish at my place of work. Guess whose VPN defaults to split tunneling?

    4. Anonymous Coward
      Anonymous Coward

      WFH

      Well, if IT departments are so concerned that WFH folks might have their work machines comprimised while at home from all of the IoT crap on their home networks, they could issue NAT routers to their employees and tell them to plug that into the home network and only connect the work machine to that employer issued (preconfigured) NAT router. NAT behind NAT works and doesn't require any sophistication by the user.

      Since many consumer routers now support VLANs, the IT folks could also encourage their employees who do have some computer sophistication to put their IoT stuff on a separate VLAN from the routers untagged LAN.

    5. Version 1.0 Silver badge
      Thumb Up

      Re: News at 9....

      Excellent - at least they found the consumer-grade IoT devices on corporate networks, I wonder how many are on networks and nobody has even looked for them?

  2. Flak
    Holmes

    Zero Trust

    Networks (and people) should have a healthy dose of paranoia, not complete and utter gullibility.

    https://www.ncsc.gov.uk/collection/zero-trust-architecture

    1. Clausewitz 4.0
      Devil

      Re: Zero Trust

      A sane level of paranoia indeed keeps you alive.

      1. stiine Silver badge

        Re: Zero Trust

        And even higher paranoia level will extend the life of the people around you.

  3. Peter Galbavy

    Because a "corporate lightbulb" has to have a different specification to a "consumer" one. Right. Oh, and at least 20x the price, obviously.

    1. Version 1.0 Silver badge

      And the "corporate firewall" vs the home firewall in your access point? Normally a lot more than 20x.

      1. Yet Another Anonymous coward Silver badge

        So if the corporate firewall works why does it matter that we have Nest thermostats and entryphone cameras rather than corporate grade ones?

        1. Paul Crawford Silver badge

          If the corporate firewall was working (as in correctly set up) said devices would not be able to phone home and so would not work.

    2. J. Cook Silver badge
      Flame

      I dunno... the 'commercial' and industrial solutions I've seen for things like building management systems are a horror show in their own right, with custom devices running ancient versions of windows embedded, and the manufacturer wanting 5-6 digits for upgraded units or even firmware updates.

      Fortunately, in that case, the cheap n easy way to fix it is to put them on their own isolated vlan, and have a firewall sitting on it and the administrative network to provide (locked down) access to specified devices and ports.

      (Johnson Controls and Lutron, I'm specifically calling BOTH of you out on this one...)

      1. Anonymous Coward
        Anonymous Coward

        insecure VLAN

        We started off insisting that any IOT crap was attached to a dedicated hard wired domestic level ADSL connection that worked for about 5 years as people would either not pay the cost and not bother, pay the line rental and it wasn't our problem or try and connect to the corporate LAN and we'd detect it ans shut it down, There wee a few high profile near sackings and that problem went away. Then suddenly we were getting mandatory connection requirements by the dozen, lots of heating systems, new types of alarm system, virtually all stuff put in by estates or semi autonomous parts of the organisation. We ended up building setting up a number of separate VLANS, one of which was basically open to the internet for the really crap gas boilers, 'smart' cctv systems etc.

        At least we knew the crap was out there and was included in PEN Tests regularly to make sure that it wasn't possible to bridge between the insecure vlan and anything else.

  4. ecofeco Silver badge

    The derp is strong

    ...in everyone.

    This is why can't have nice things.

  5. Eclectic Man Silver badge

    OS updates

    Will they continue working when the latest updates and security patches are installed on the OS? One of my friends has a Windows PC at home. After the update to Windows 10 the MS webcam stopped working, completely. Seems that it was 'not supported' by the latest release. This was unfortunate as he was using is as a baby monitor for his twin boys at the time.

    And on a personal note, I am somewhat disappointed that my Epson Stylus Pro 1290 A3 printer is no longer supported by the iMac operating system. (I have maintained a laptop with the old OS and Epson driver.) OK, the printer is not an IoT device, but you get my point.

    1. This post has been deleted by a moderator

    2. Peter Gathercole Silver badge

      Re: OS updates

      iMac. CUPS, yes? Is the standard remote admin. port for CUPS open on an iMac?

      Surely, you should be able to manually put the old PPD file in and forget about the 'official' support?

      I mean, it should not be difficult. Most Linux's I use know about the 1280 that I still have running, so you should be able to steal one from one of those?

  6. Kernel

    The elephant in the room

    "Remote workers need to be aware that IoT devices could be compromised and used to move laterally to access their work devices if they're both using the same home router, which in turn could allow attackers to move onto corporate systems,"

    If you want me to work from home and you want my home IoT devices to be separated from your corporate network, then you will be paying for either a separate internet connection and router or a suitable firewall device to isolate home and work networks.

    I will not be turning off my devices on my network for your benefit - and before anyone makes the comment that my employer could just replace me with someone more co-operative, I'll point out that I live in a country with decent employment laws and any such action would turn into quite an expensive exercise.

    1. Anonymous Coward
      Anonymous Coward

      Re: The elephant in the room

      A lot of companies provide a workstation or high grade laptop set up so that you may network with the company through a tunnel. Then there should really be no issue.

      1. Yet Another Anonymous coward Silver badge

        Re: The elephant in the room

        But then require you to have your own, presumably consumer grade, Android/iPhone to run the Microsoft 2FA app to get onto the corporate network

        1. sabroni Silver badge

          Re: require you to have your own, presumably consumer grade, Android/iPhone

          No, if you complain enough and refuse access to your device they'll provide you with an RSA dongle.

          I speak from experience.

        2. William Towle
          Facepalm

          Re: The elephant in the room

          > But then require you to have your own, presumably consumer grade, Android/iPhone to run the Microsoft 2FA app to get onto the corporate network

          We've got a "virtual 2FA smart card" solution that doesn't feel like 2FA because it boils down to having yet another password (AIUI the something-you-have is "provided" by a file on the computer/LAN).

          Not that the expectation of owning a personal on-contract smartphone already went away - signing the employment contract document was a case of "simply install and run this Android/iPhone touchscreen input app and transfer our PDF to/from it" (not a hard requirement, but I had to ask to find out *sigh*), and we have "lunch and learn" video meetings where participation is easier with a phone app than a browser. In the latter case I've had to commandeer the dinner table for the laptop and monitor, so if I've moved the keyboard to eat I'm not also free to join in...

    2. sabroni Silver badge

      Re: If you want me to work from home

      No, you rush back to the office to grab some Covid.

      Who wants to work in an office? I've been doing it for 30 years and I've yet to find one that isn't full of cunts. Well, there's always at least one there, eh? ;-P

    3. Timo

      Re: The elephant in the room

      Add a printer to the list if the place wants to keep everything separate. My last place used split tunneling VPN so it was simple to print to the network printer I have at home.

  7. MrTuK

    IoT are like tribbles but dont require food !

  8. Richard Simpson

    This can be prevented but I guess it's not easy.

    Where I work security seems to actually be taken seriously and this problem shouldn't be able to occur (or at least it would require a lot more effort).

    For a kick off, there are no WiFi passwords as only WPA2-Enterprise with pre-shared keys is supported.

    For physical connections, if your device's MAC address isn't in the data base then the port doesn't activate at all. I guess you could try changing the MAC address to get round this.

    If you try to connect your own switch onto the end of the network then this is detected and again the port doesn't activate.

    All of the switches are in locked rooms or secure cabinets and you can't have your own local switch even if it is supplied by corporate IT. I recently wanted to connect a dozen pieces of lab test equipment (which will all need to be registered and approved, obviously) but wasn't allowed to have even a corporate approved switch on my test bench. Instead, IT installed a dozen more RJ45 sockets on the wall running back to the secure network cabinet in the corner of the room.

    We have working from home, but only via corporate supplied laptops which will only connect via the corporate VPN. Only approved USB devices will activate if you try to plug them in.

    I have no doubt that this all costs an awful lot of money and a great deal of inconvenience so I'm not surprised that most enterprises fall far short of this standard.

    1. Paul Crawford Silver badge

      Re: This can be prevented but I guess it's not easy.

      Security is not easy or cheap, and it needs cooperation from both the employees at large and the IT department.

      So if you needs something non-standard (e.g. lab network, test environment for consumer bits, etc) you can get it done quickly and securely and not put in a position of either failing to meet the project deadline or hacking something insecure to work around an intransigent IT group.

  9. Blackjack Silver badge

    IoT devices should not be used no matter the "grade" they are a safety and privacy risk.

    1. ecofeco Silver badge

      Exactly. Why is this so hard?

  10. Alistair
    Windows

    Corporate networks with IOT devices

    Should be referred to as the D networks.

    They add the D to IOT.

    1. fch
      Trollface

      Re: Corporate networks with IOT devices

      Makes "DOIT". The numbers of I-DO-ITs are always converging on infinite.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021