Report: Internet of Evil Things is your next nightmare

Many companies don't know what devices are on their networks because employees can easily go out and buy them and install them themselves

While the number of actively Evil Things is still small, the vast majority of enterprises are home to things that have the potential to turn evil at any moment, according to a new report from Boston-based security firm Pwnie Express.

The company analyzed a quarter million devices across a variety of customer environments and industry verticals, and found that 83 per cent of companies have printers in their default configuration, with default passwords, and unencrypted WiFi.

"If you install these printers in a default state, and plug them into a network, it's now not just a hackable printer but an open port into your network," said Pwnie CEO Paul Paget.


In addition, 69 per cent of companies had unencrypted wireless access points on their networks.

Vulnerable, unencrypted mobile hotspots were present in 42 per cent of companies.

"Virtually every organisation has some sort of rogue wireless access point or printer," Paget said.

Worst of all, many companies don't know what devices are on their networks because employees can easily go out and buy them and install them themselves - or bring them from home as part of corporate Bring Your Own Device programs.

Employee-owned devices are a particular concern, Paget added, because there are limits to what a company can do to secure them.

Overall, he said, when scanning corporate systems, Pwnie discovered that companies typically had two to three times more devices than they thought they did.

Pwnie also found some actively evil devices, he added.


"Malicious, weaponized devices are the exception," he said. "We don't find them in every company, but in enough to be a concern."

However, he couldn't provide specific numbers about evil devices because of how clients permitted the data to be analyzed.

"We know we validated the problem," he said, "but we can't quantify it at this stage. Of the companies where we collected the data, we've only had a few accounts that gave us permission."

Pwnie also surveyed 600 security professionals and found that 83 percent were concerned about rogue or unauthorized devices operating in their networks, 69 percent said they did not have full visibility of all the wireless devices in their networks,

"The problem was substantial," said Paget.

In addition to insecure devices like printers or wireless access points, which could be made secure by changing settings and, when necessary, patching the software, there is also a category of devices that don't have any provisions for security at all.

"There are thermostats, medical devices, other things that are vulnerable because there is no security built into them," he said. "And they're finding their way into enterprises."

Finally, as prices fall and devices get easier to use, there are more and more opportunities for disgruntled employees -- or average criminals -- to do some damage.

"The concern that law enforcement has is that this stuff is so readily available," Paget said. "You can go to your favorite retailer and you can buy this stuff. It's not just for trained professionals any more. Now the average person can use this for malicious purposes."


Stories by Maria Korolov
