Could IoT, BYOD Give Hackers a Path to the Data?

IT security professionals are focused on rooting out potential attack vectors that hackers can exploit to gain access to corporate data. That’s why the bring-your-own-device (BYOD) trend–the introduction of many new unsecured personal devices onto the corporate network just increases the number of potentially exploitable endpoints—has been so worrisome to many of these professionals.

But does the problem become even thornier, thanks to the introduction of the Internet of Things (IoT)? Take, for example, connected devices in an employee’s home. When combined with the increasing trend of bringing work devices home and personal devices to work, could these connected devices provide a gateway to the corporate network?

Imagine you’ve purchased a gleaming new smart refrigerator. As an Internet-enabled device connected to your home Wi-Fi, your fridge is able to place grocery orders for you. Pretty neat.

According to Mark Wilson of mainframe services provider RSM Partners, that connected fridge could represent a weakness in your home network’s security, and an entry point for hackers who want to figure out a way into your corporate network’s most sensitive and valuable data. Not so neat.

In a SHARE Live! presentation, Wilson outlined the theoretical path hackers could follow to get from your fridge to your mainframe.

As he explained, a poorly secured IoT device that’s connected to your home Wi-Fi could allow a hacker the ability to access your home network. From there, the hacker could find other connected devices. This might include your personal laptop, which you sometimes use to work from home, and on which you’ve installed a corporate virtual private network (VPN) client.

By accessing your laptop through the infected network and installing malware like keylogging software, the hacker could find your VPN password. From there, the hacker could run port scans to discover the presence of a z/OS Telnet client, and if they don’t already know that this is a tool used to remotely connect to mainframes, a quick Google search would reveal that information.

At that point, the hacker could use malware to monitor your behavior or uncover the credentials needed to access that mainframe data. It’s a hypothetical example, Wilson explained, but an important cautionary tale for corporations. In just a few hours, a hacker could have direct access to some of a business’s most valuable and sensitive data.

The risk is even more severe when you consider the volume of IoT devices on the market, and the growing issue of security related to these devices. Depending on who you ask, there could be between six and nine billion connected devices worldwide today—and that doesn’t include smartphones, tablets, or laptops.

Around 70 percent of IoT devices are vulnerable to attacks, according to one estimate by HP. When you do the math, that could mean well over four billion IoT devices that are susceptible to attack.

Pair that with the growing frequency and acceptance of BYOD policies—one report found nearly 75 percent of companies currently or plan to allow personal mobile devices in the workplace—and there are simply far more opportunities for bad actors to gain access to corporate networks. As just another endpoint in the network—albeit a notoriously secure one—the mainframe is also at risk.

So what does this all mean? According to Wilson, what this ultimately means is that IoT device makers need to start taking security more seriously, and the industry as a whole may need some sort of standardization to ensure base levels of security. Additionally, businesses need to start thinking more critically about how they secure the corporate network from any possible entry point, including ones they might never expect.

Part of the challenge is recognizing that the mainframe, while more secure than any other platform, is not impervious to outside infiltration. And as more devices touch the corporate network, and more hackers look to target core corporate systems for the sensitive information they retain, these risks will only grow.

Watch Mark’s full presentation “IoT & BYOD – The New Security Risks,” as well as other mainframe security presentations, in the SHARE Content Center.

Recent Stories
Mainframe Matters: How Mainframes Keep the Financial Industry Up and Running

GDPR and Mainframe: What You Need to Know

Millennial Mainframers: Kyle Beausoleil on Mainframe’s Perception Problem