A new report that looked at millions of connections from IoT devices present on enterprise networks found that over 40% of them do not encrypt their traffic. This means a large number of such devices are exposed to man-in-the-middle (MitM) attacks where hackers in a position to intercept traffic can steal or manipulate their data.

The new report released today by network security firm Zscaler is based on telemetry data collected from the company's cloud. It covers over 56 million IoT device transactions from 1,051 enterprise networks over the course of a month.

From the data, Zscaler identified 270 different IoT profiles from 153 device manufacturers. The devices included IP cameras, smart watches, smart printers, smart TVs, set-top boxes, digital home assistants, IP phones, medical devices, digital video recorders, media players, data collection terminals, digital signage media players, smart glasses, industry control devices, networking devices, 3D printers and even smart cars.

The most common were set-top boxes used for video decoding. These accounted for over 50 percent of the observed devices and were followed by smart TVs, wearables and printers. However, it was data collection terminals that generated the largest amount of outbound data transactions -- over 80%.

The biggest finding was that 91.5% of data transactions performed by IoT devices in corporate networks were unencrypted. As far as devices go, 41% did not use Transport Layer Security (TLS) at all, 41% used TLS only for some connections and only 18% used TLS encryption for all traffic.

Devices that don't encrypt their connections are susceptible to various types of MitM attacks. An attacker who gained access to the local network -- for example through a malware attack -- could use Address Resolution Protocol (ARP) spoofing or could compromise a local router and then intercept IoT traffic to deliver malicious updates or to steal credentials and data sent in plain text.

High use of consumer IoT devices on corporate networks

Deepen Desai, VP of security research and operations at Zscaler, tells CSO that one of the worrying observations was that companies have a large amount of consumer-grade IoT devices on their networks. This highlights the problem of shadow IT, where companies have a hard time controlling what electronic devices their employees connect to the network, from wearables to cars.

Organizations should have a solution in place to constantly scan the network and identify such shadow devices and then create a policy where such devices are only allowed to connect to a separate non-critical network segment, Desai says.

That's because another common problem observed by Zscaler was that most IoT devices are connected to the same network as business-critical applications and systems. If one of the IoT devices is compromised, attackers can then target all other systems.

That actually goes both ways: If an attacker compromises a workstation or employee laptop with malware, they can then potentially gain access to an IoT device on the same network. While a malware infection on a regular computer is likely to be detected sooner or later, an IoT compromise is much harder to discover, giving attackers a stealthy backdoor into the network.

According to Desai, Zscaler has seen some cases where enterprise IoT devices were exposed directly to the internet, such as surveillance cameras, but the numbers are very low compared to the overall number of IoT devices present inside corporate networks. Devices connected directly to the internet are certainly at higher risk of being attacked, but those inside local networks would not be difficult to compromise, either.

While analyzing IoT malware infections, Zscaler observed many devices with weak or default credentials, or which had known security flaws. That's because many IoT devices don't have automatic updates and their users rarely check and deploy updates manually. The Zscaler researchers also observed that many of them use outdated libraries with known vulnerabilities.

The company detects an average of 6,000 IoT transactions per quarter that are the result of malware infections. The most common malware families that target such devices are Mirai, Rift, Gafgyt, Bushido, Hakai and Muhstik. These botnets typically spread by brute-forcing login credentials or by exploiting known vulnerabilities in their management frameworks.

"The rapid adoption of these IoT devices has opened up new attack vectors for cybercriminals," Desai says. "IoT technology has moved more quickly than the mechanisms available to safeguard these devices and their users. The fact is that there has been almost no security built into most of the consumer grade IoT hardware devices that have flooded the market in recent years, and some of these devices are also found in the enterprise networks."