“IoT devices that are not configured are dangerous because they effectively function as open, unencrypted wireless access points, potentially providing a means for hackers to cause disruption or to spy on organisations”, Munro told Computer Weekly.
He said that most IoT gear works in an access point mode, so users can connect to the device using a smartphone to reconfigure it to become a client on the wireless network by entering the network security key, thereby making it much more secure.
But businesses and consumers do not connect appliances to the internet, believing this is safer, but forget that these devices are typically designed to act as wireless access points by default.
“This means that if the device remains unconfigured, it will remain in the default state, making it even more vulnerable than if it were connected to the internet and configured”, said Munro.
With an unconfigured device, attackers could use a war driving or access mapping attack, which would make it easy to compromise these devices, said Munro, because the attacker could identify a target wireless network using a geolocation site, such as wigle.net, that shows wireless access points in any given location and enables account holders to search its database for unconfigured IoT devices.
“This means attackers could search for specific device types in a specific location, and then all they need to do is download the appropriate app, connect to the wireless access point of the IoT device and they have full control of that device”, he said.
This means that businesses were at risk from their coffee machines or drinks dispensers that are put in the corporate environment, but do not go through an IT security risk assessment and are thought to be safe because they are not connected to the internet.