We’re living through an explosion of Internet of Things (IoT) connected devices. Everyday consumers continue to buy and use gadgets like smart thermometers and fitness trackers, while connected security cameras, manufacturing sensors and smart lights become more popular with businesses. Gartner research predicts that 20.4 billion connected devices will be in use by 2020. As a network engineer, that number is scary. Adding a large volume of IoT devices to a home or business network without proper preparation can lead to serious networking and security issues. First, IoT devices make networks larger, more complex, and more difficult to map. Second, they introduce new security flaws to the network.
Luckily there are ways to mitigate these problems. First, network engineers and IT admins need the right tools for network monitoring, and they need to be involved in the decisions surrounding the deployment of IoT devices on a corporate network. Second, consumers need to understand the impact of IoT devices on a network, so they can properly configure and use them. Allow me to explain in more detail.
Adding new devices to any network makes it more complex, and IoT devices are especially bad in this regard. Most networks are configured assuming people have a few devices each (a smartphone, laptop, tablet), but add IoT devices and suddenly there are two, three or ten times the number of devices connected. Fortunately, most IoT devices have low bandwidth requirements so the impact on overall network performance is minimal, but the high volume of added connections complicates management. For instance, it’s often difficult to monitor or troubleshoot these devices because they send very little useful telemetry data. Furthermore, the network team is rarely involved in the IoT purchase decision – that’s usually something the security or facilities team handles. The network team is often notified after the fact, if at all, so they may not know that these devices are even there! For example, I’ve heard stories about hospitals where the security team bought and installed wireless security cameras and the IT team didn’t find out until they started getting complaints that the Wi-Fi in certain rooms was slow – the cameras were interfering with the normal Wi-Fi signals.
IoT devices are usually not secure and they can give attackers easy routes into a network when introduced without proper planning. Your average Wi-F connected camera or thermometer runs a basic Linux operating system with many security vulnerabilities. This is especially bad with budget devices – products from major brands like Apple and Amazon are often secure, but off-brand items usually are not. For example, huge databases of default IoT device passwords are available on the web for perusing by anyone – manufacturers believe that they’re being “helpful” by providing basic passwords, but few device owners think to change this default setting. Always make sure you change the default passwords on your IoT devices to a long, complex phrase that can’t be easily guessed or cracked.
To make things worse, IoT devices are often not patched regularly – you might know that you should keep your computer software up to date, but will you think to update your smart TV or thermostat? This compounds the security issue since many of these devices will be running out-of-date software with known bugs or security vulnerabilities. In a business setting, managing updates to large numbers of IoT devices is a complicated process made more difficult by the fact that, as mentioned earlier, those devices are often hard to see from a network perspective.
The good news is that IoT devices can be monitored and managed, assuming they are connected to the network either directly or wirelessly. In a business setting, IoT devices usually have very clear roles and it’s relatively easy, given the right tools, for IT to tell when they are doing something they shouldn’t be. For example, an IoT thermostat should only be communicating with the thermostat controller. If IT sees network traffic between the thermostat and other locations on the network, or the device suddenly attempts to connect to external IP addresses, they know something is wrong.
Complexity creeps in when organizations have hundreds or thousands of IoT devices on a network, but modern network performance monitoring and diagnostic (NPMD) tools are usually powerful enough to monitor all of that traffic. It’s possible for IT to use NPMD tools to set baselines and rules for IoT device traffic, but this takes time that a busy network engineer may not have. More automation in NPMD tools and more information from IoT vendors about the ports, protocols and network traffic paths that their devices use would help this issue immensely.
On the consumer side of things, this is more difficult. There isn’t any kind of easy-to-use consumer device to monitor IoT devices, but this is something I think could be helpful. A simple network monitoring tool that tells you if your smart TV and fridge are in line with the normal traffic patterns expected from those devices could go a long way towards helping consumers keep their devices secure. A better solution here is to require more security to be built into IoT devices by the manufacturer, and for manufactures to make the patching process for IoT devices simpler and more automated.
So, while there are tools to manage IoT devices and potential to improve their security in the future, the fact remains that IoT devices can easily create major network complexity and security issues for both businesses and consumers. Be mindful of security best practices when using consumer IoT devices and be sure to involve IT and the network team when consider IoT device rollouts in a business setting.
Jay Botelho is Director of Engineering at Savvius, a LiveAction company. Jay has worked at Savvius for 13 years and in the technology industry for over 25 years as an engineer and product manager, specializing in wireless networking. He holds a BSEE from Tufts University and an MSEE from Santa Clara University, both in electrical engineering.