How Dangerous Is the Shadow IoT?

There’s always been a line to walk between convenience and security peace of mind. Does the phrase “trust but verify” ring any bells? It’s an old axiom. It’s old enough to not really apply much anymore. Not where modern technology is involved, anyway.

In a classic scenario of our reach exceeding our grasp, multiple industries are rushing headlong into a convenient and efficient industrial future powered by the Internet of Things. From agriculture to energy to health care, the IoT is just about everywhere. Unfortunately, so is its evil doppelgänger.

What Is the Shadow IoT?

First, it’s essential for consumers and business representatives alike to understand something critical about how connected devices and equipment work.

In short, they’re always on. Every piece of remote network storage, every fitness wearable and medical device, every smart television and monitor, every connected lightbulb, thermostat, smart light switch and Internet-connected video camera? They’re always connected and always “dialing home.”

You might know where that “home” is — or at least think you do. The problem is, we can’t “trust” these devices and “verify” later. The threat is already here. We’ve got WannaCry 1.0, 1.5 and the soon-to-come WannaCry 2.0 as proof. It’s not always the case that individual devices or software makers are practicing unethical data harvesting. Sometimes, the fault lies with corrupted or counterfeit components finding their way into otherwise trustworthy supply chains.

The shadow IoT is what happens when all of these many connected devices get hacked into, compromised and quietly used in the background of your network for data theft and other nastiness by remote third parties.

Why Does It Pose a Threat to Consumers and Businesses?

Why is this a problem in the first place? It starts with two pieces:

  • Many connected device manufacturers haven’t looked before they leaped. In other words, some of the products under your roof might’ve reached the market before the companies responsible for them had thought through the security implications and vulnerabilities or pushed a firmware update to plug those vulnerabilities.
  • Technological limitations, rather than garden-variety human hubris, are another unfortunate roadblock to patching up the Shadow IoT for good. Many manufacturers build these devices in a way that maximizes profitability, rather than security robustness. That means the devices often don’t even have enough onboard computational power to provide adequate security layers and reliable functionality.

To be blunt, if it has an IP address, it’s a likely target of data thieves, whether the device is primarily in somebody’s home or on a company’s network. But realistically, what are the threats here?

In a corporate setting, even one compromised networked device can give hackers and malware architects a convenient way into the larger network. Companies must consider what data security measures are necessary. To mix metaphors, even one weak link in your cybersecurity chain means the whole house of cards can come down on you. Some IoT devices leave ports open on your network without necessarily meaning to, which renders even your home or company firewalls effectively useless.

How Can We Protect Our IoT Devices?

In an ideal world, every device released for purchase to private consumers or corporate purchasing agents would be 100 percent secure by design. Each device would have a fixed number of tasks it could perform and would be locked out of performing work outside the scope of its design. But that’s not the world we live in.

Step one is acknowledging how widespread the threat is already. New technologies are understandably exciting purchases to consider, and they often arrive boasting they’ll help us gather more data or work more effectively. But making purchases blindly, without considering the consequences or performing proper vetting on the vendor or manufacturer you’re thinking of working with, isn’t an option anymore.

In short, verify now and trust later. Here are some other things to do:

  • Isolate portions of your network containing IoT devices that don’t need access to the greater Internet. Admittedly, this negates some of the advantages of connected devices in the first place. But in many cases, this is a viable solution if you’re not sure about the security cred of the devices or software you’re using.
  • Find out how to update your IoT devices. It’s not always intuitive, unfortunately. You might find yourself navigating an ungainly menu on a control panel or entering a companion app on a computer or smartphone. Updating desktop operating systems has gotten easier, thanks to automatic background updates. Until IoT device manufacturers come up with a similar solution, find out how the update process works, then check it manually and regularly. That is how known vulnerabilities get patched — and ignoring this functionality leaves you at risk.
  • If you represent a company that has a bring-your-own-device work policy for employees, you need a comprehensive, well-written, well-publicized and easy-to-access company policy for bringing these devices to work and performing work-related tasks on them. No matter how robust your networks and equipment are, there’s little guarantee every employee is equally conscientious unless you’ve made your expectations and the nature of the threat well-known to all.

Perhaps it sounds like a last-ditch solution, but it’s also possible to have your network administrators automatically receive a notification when unidentified connected devices or activity are detected on the network.
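Two of the measures above, isolating IoT devices on their own segment and being notified about unidentified devices, can be checked from data most networks already record. The following is an added example, not part of the original article: it audits DHCP leases in dnsmasq's lease-file format against a device inventory. The inventory, subnets and lease lines are constructed for illustration.

```python
import ipaddress

# Constructed inventory: MAC -> (label, subnet the device is allowed on).
INVENTORY = {
    "3c:52:82:10:aa:01": ("lobby-camera", "10.20.0.0/24"),    # isolated IoT segment
    "3c:52:82:10:aa:02": ("thermostat", "10.20.0.0/24"),
    "f0:18:98:44:bb:10": ("finance-laptop", "10.10.0.0/24"),  # corporate segment
}

# Constructed sample, dnsmasq lease format: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1735689600 3c:52:82:10:aa:01 10.20.0.15 lobby-camera *
1735689600 3c:52:82:10:aa:02 10.10.0.77 thermostat *
1735689600 F0:18:98:44:BB:10 10.10.0.21 finance-laptop 01:f0:18:98:44:bb:10
1735689600 a4:cf:12:9e:01:7d 10.10.0.93 * *
1735689600 da:a1:19:3f:20:05 10.10.0.94 phone *
malformed line
"""

def is_randomized(mac):
    # The locally-administered bit (0x02 in the first octet) marks a
    # software-assigned MAC, which an inventory keyed on MAC cannot match.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit_leases(text, inventory):
    """Return (mac, ip, reason) for every lease that needs an admin's attention."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        mac, ip = parts[1].lower(), parts[2]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a usable address
        known = inventory.get(mac)
        if known is None:
            reason = "unknown device"
            if is_randomized(mac):
                reason += " (randomized MAC)"
            findings.append((mac, ip, reason))
        elif addr not in ipaddress.ip_network(known[1]):
            # A known device that has left its isolated segment.
            findings.append((mac, ip, f"{known[0]} outside {known[1]}"))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, INVENTORY):
        print(*finding)
```

A MAC address is easy to change, so a clean result only shows that no unexpected address asked for a lease; it does not prove that every device is what it claims to be.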

Get to know your security software or the vendor you work with for your Internet architecture. And if they don’t know what you’re talking about when you mention IoT vulnerabilities or the Shadow IoT, run in the other direction and find somebody who knows what they’re talking about.

Use This as an Opportunity

As we’ve seen, the threat is real. But so are the opportunities the Internet of Things brings to households and organizations alike. The message here is not that technology has leaped beyond our ability to control it. The takeaway is that maintaining Internet security, like everything else in life, requires ongoing learning and vigilance.

Kayla Matthews is a technology journalist with an interest in tech innovation and the IoT. She is a senior writer for MakeUseOf and owner of the tech productivity blog Productivity Bytes. You can read more of her work on Hackernoon and Triple Pundit.