As the Dad to a three and six-year-old, the days of baby monitors was not that long ago. I owned a baby monitor, but I rarely used it because it also unnerved me. Baby monitors have a well-documented and inherent vulnerability to hacks. As an MSP owner, you probably aren’t dealing with baby monitors (unless you are dabbling in the rapidly growing home MSP market), but there are IoT devices in office settings that are more vulnerable than others.

So which IoT devices are the “baby monitors” of the office? By this, we mean standard, almost-an-afterthought IoT devices that can cause big trouble if left undefended.

IoT vulnerabilities are growing by the day, so we’ve put together a list based on conversations with many SMBs over the past year. A recent report found that IoT device attacks have surged by 300 percent in 2019, and the number of devices compromised at one billion. With that in mind, here are devices found in almost any office environment that can be easy to overlook but cause big problems:

 Vending machines

You would think the only harm a soda and some snack mix would cause would be to your calorie intake, but an increasing refrain in the cybersecurity community is “If it’s connected, it’s a threat.” What makes something like a vending machine a threat is that it is so easy to overlook.

Internal IT departments are so busy and stretched thin, keeping networks up and running, that the last thing on their mind is the soda vector. Many companies are turning to IoT vending machines as a way to save money on service calls and maintenance, but Cybersecurity Europe warns:

“When they take advantage of your Wi-Fi, any security vulnerability that affects the machine could also get leveraged to expose your normal network too. Remember that the Wi-Fi could be the target of an attack – resulting in a denial of service that brings down wireless connectivity across the premises.”

Security cameras

Ironic, because your security camera is supposed to provide security and keep unauthorized people out. Once IoT entered the picture, the cameras themselves have become the weak point. The problem, one pharmaceutical company IT executive told Smarter MSP, is that a large industrial complex could have dozens of security cameras deployed, and if the security fails on just one, it can provide a doorway into the network.

The other problem is that security camera manufacturers are in a wireless race to the bottom. The cheaper the camera, the faster it is to install, and the more they’ll sell. Often, these cheap, mass-produced security cameras skimp on security.

Sensors

Sensors are proliferating with each passing day, being used for everything from thermostatic regulation in industrial sites, to monitoring who is coming and going. Like cameras, there is a race to produce the cheapest, easiest-to-install sensors.

Once they are connected, they could cost your client thousands of dollars if they are improperly secured. One of the inherent issues with sensors is that they are small by design. The smaller a sensor is, the less security features can be built-in. Until security miniaturization catches up to their popularity, sensors are going to have to be monitored.

Printers

Printers are almost an afterthought in the office. They are cheap, prone to malfunctioning, running out of ink, and are just generally exasperating — but their modern-day selves are also connected. People often get lazy and connect these inexpensive and, in theory, easy-to-use printers to the leading network.

However, password security on printers is usually weak to non-existent. With printers, not only can a hacker gain access to the system, they can also gain access to print jobs containing proprietary files, like contracts, drawings, medical data, and passwords. The paradox of printers is that while they are often cheap, ubiquitous, and seemingly innocuous, they also can contain surprisingly sensitive information that is easy to access.

Thermostats

More thermostats are coming online, and that is creating an inviting vector for hackers. Yes, the IoT thermostats provide the typical avenues in for a hacker, but it’s one of the few IoT devices that, if successfully compromised, can threaten the physical well-being of people in an office environment.

Consider this scenario conducted by two white-hat hackers as an experiment:

In 2016, two white-hat hackers demonstrated a proof-of-concept for a ransomware attack against an IoT thermostat. “It heats to 99 degrees and asks for a PIN to unlock which changes every 30 seconds,” explains one of the hackers. “We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlock.”

An attack like this could easily be used to cause massive corporate disruptions, whether by running up an enterprise’s heating bill when nobody’s there to notice or holding a workforce hostage with unbearable working conditions until a ransom is paid.

MSPs need to conduct frequent robust risk assessment strategies with clients, stay up on the latest patching, and make sure employees are well-versed in good cyber-hygiene.

The challenge for MSPs is to persuade clients that security is a value-added product. It may seem almost nonsensical to worry about a soda machine in the lobby when a company has servers and networks worth far more and doing far more.

However, it’s hard to put a price on peace of mind, so MSPs need to come armed with information for their clients and use wide-net security as a way to increase their bottom lines while providing peace and value for their customers. An MSP that finds the sweet spot creates winners all the way around.

Photo: Syda Productions / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *