Internet of Things (IoT) and Cyber Security

What Is IoT And How Do Hackers Infiltrate Your Devices?

An increasing number of companies are installing Internet of Things (IoT) devices on their networks. IoT devices are typically “black box” devices whose inner workings are unknown to most users. HVAC controllers, smart fridges, printers, security cameras and even cars contain embedded computers that connect through WiFi or cellular, and any of them can be considered an IoT device.
With PCs there are many manufacturers, but nearly all of them run Windows, macOS or Linux, which receive regular security updates. IoT devices, in contrast, run nearly as many distinct operating systems (often vendor-specific firmware) as there are manufacturers, and patches for them arrive far less predictably, if at all.
Threatpost has reported an estimate that approximately two million IoT devices are vulnerable to complete takeover. Attackers find weaknesses in these devices by reading what is published about them online (vendor manuals, default credentials and public vulnerability advisories for the device or its manufacturer) or by monitoring the traffic to and from your IoT devices, which is often unencrypted.

Which Common Devices Are At Risk?

HVAC Systems

HVAC controllers often sit on the company’s internal network and may accept remote or internet connections. These controllers are frequently neither hardened nor segmented from the rest of the network, so an outsider may be able to reach the HVAC system. Although it is only a heating and cooling mechanism, a breach of it is not harmless: attackers use the device as a foothold from which to pivot into other parts of the organization’s network.
For example, in the Target data breach of 2013, attackers are reported to have used network credentials stolen from the retail chain’s HVAC contractor to get onto Target’s network, and from there to reach the systems holding customer payment card data. According to USA Today, the breach affected 41 million customer payment card accounts, and Target paid $18.5 million to settle the resulting claims.

Multi-Function Copier (MFC) Devices

Multi-function copier (MFC) devices, including networked printers, are also at risk. Many keep copies of processed jobs on internal storage, so once an attacker gains access they can read documents that have already been printed, scanned or copied and intercept every future job.
Some companies have added a release PIN: each employee enters an individual PIN at the device before their print or copy job is produced. This does reduce the number of printed pages left sitting on the output tray, but an attacker can still brute force the PIN. A four-digit PIN has only 10,000 possible values, and automated tools can submit guesses in quick succession; unless the device locks the account or slows down after a few failed attempts, the PIN will be found.
If the MFC device itself has internet access, an attacker who controls it can go further. The device’s own forwarding features (scan-to-email, scan-to-folder) can be repointed so that employees’ print and scan jobs are quietly copied to another printer, an outside mailbox, or a file share the attacker controls.
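To make the lockout point concrete, here is an added example (not code from this article or from any printer vendor) that models a hypothetical print-release PIN check in Python two ways, with and without a failed-attempt lockout, and runs the same exhaustive PIN search against both. The endpoint class, the PIN value, the user name and the five-attempt lockout policy are all constructed for illustration.

```python
"""Brute-forcing a print-release PIN, with and without a lockout.

Added example; it is not code from the article or any printer vendor. The
endpoint below is a hypothetical model of a multi-function printer's PIN
check. PIN value, user name and lockout threshold are constructed.
"""
import hmac
import itertools
from dataclasses import dataclass, field

PIN_LENGTH = 4          # a 4-digit PIN has only 10**4 = 10,000 possible values
MAX_FAILURES = 5        # assumed lockout policy on the hardened endpoint


@dataclass
class ReleaseEndpoint:
    """Hypothetical print-release PIN check. lockout=False models a device that
    accepts unlimited guesses; lockout=True locks the user after MAX_FAILURES."""
    secret_pin: str
    lockout: bool = False
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def try_release(self, user: str, pin: str) -> bool:
        if user in self.locked:
            return False                  # locked users are refused, even with the right PIN
        # Constant-time comparison so response timing does not leak how many digits matched.
        if hmac.compare_digest(pin.encode(), self.secret_pin.encode()):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.lockout and self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return False


def brute_force(endpoint: ReleaseEndpoint, user: str):
    """Try every PIN in order. Returns (pin_found_or_None, guesses_made)."""
    guesses = 0
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        candidate = "".join(digits)
        guesses += 1
        if endpoint.try_release(user, candidate):
            return candidate, guesses
        if user in endpoint.locked:       # the device stopped answering usefully
            return None, guesses
    return None, guesses


def compare_policies(secret_pin: str = "7345", user: str = "alice"):
    """Run the same attack against both configurations and report the outcome."""
    weak = ReleaseEndpoint(secret_pin, lockout=False)
    hardened = ReleaseEndpoint(secret_pin, lockout=True)
    weak_result = brute_force(weak, user)
    hard_result = brute_force(hardened, user)
    # After lockout the legitimate user is also refused until an admin resets the account.
    still_locked = not hardened.try_release(user, secret_pin)
    return {"no_lockout": weak_result, "lockout": hard_result, "locked_out_after": still_locked}


if __name__ == "__main__":
    print(compare_policies())
```

Against the device without a lockout the search recovers the PIN on the 7,346th guess (it starts at 0000); against the hardened device the attacker is cut off at the fifth guess, and the account then refuses even the correct PIN until it is reset, which is why a lockout should be paired with logging and an alert rather than left silent.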

What Countermeasures Can You Deploy?

AAFCPAs advises clients to understand the connections and data that their IoT devices generate, and to ensure security is regularly assessed and tested.

Vulnerability Scan

IoT devices are black box systems, so companies must first identify and understand the security risks they carry before choosing countermeasures. AAFCPAs conducts vulnerability scans for clients that identify, examine and classify their IoT devices, their connections and configurations, and the types of data they transmit.
AAFCPAs’ cyber security team analyzes the results of the vulnerability assessment and advises on the steps needed to protect your organization, secure the IoT devices against known exploits, and keep your sensitive data safe. AAFCPAs recommends a vulnerability scan at least quarterly and each time a new type of device is added to the network, since that constitutes an infrastructure change.

Network Inventory

IT staff should be aware of every device on the network in order to understand its capabilities and determine which updates it needs. AAFCPAs can conduct an inventory of all devices currently on your network.
When new devices are introduced to the network, your organization should review the applicable IT policies and procedures, such as the written information security policy (WISP). For example, if a new camera is added to your network, your IT staff must confirm whether the physical security policy still covers it. If your organization’s WISP requires antivirus protection on every device on the network, but the new cameras cannot run endpoint protection, then you need to identify compensating or mitigating controls (for instance, network segmentation and restricted outbound access) so the new devices do not create risk for the company.
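An added example of the inventory check described in this section and of the advice above to rescan whenever a new type of device appears (this is illustrative code, not AAFCPAs’ tooling): a Python script that parses a constructed sample of Linux `ip neigh` output, compares every MAC address seen against a constructed baseline inventory, flags devices that are not on the list, flags known devices that cannot run the endpoint agent the WISP requires, and reports any device class the baseline has never contained. The vendor-prefix table, addresses, asset names and baseline are all invented for the example; a real check would feed it the ARP table or DHCP leases from your own segment and the IEEE OUI list.

```python
"""Network inventory check: who is on the segment, and is each device covered by policy?

Added example, not code from the article. Parses constructed `ip neigh show`
style lines (format: "IP dev IFACE lladdr MAC STATE"), compares against a
constructed baseline, and flags gaps. Vendor prefixes, addresses and asset
names are made up for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    device_class: str      # e.g. "workstation", "printer", "camera"
    endpoint_agent: bool   # can the WISP-mandated endpoint agent run on it?


# Constructed baseline: what IT believes is on this segment.
BASELINE = {
    "00:11:22:aa:bb:01": Asset("finance-pc-01", "workstation", True),
    "00:11:22:aa:bb:02": Asset("finance-pc-02", "workstation", True),
    "aa:bb:cc:10:20:30": Asset("mfp-2ndfloor", "printer", False),
}

# Constructed vendor-prefix table (assumption; use the IEEE OUI list in practice).
OUI = {
    "00:11:22": ("Example PC Corp", "workstation"),
    "aa:bb:cc": ("Example Print Co", "printer"),
    "dd:ee:ff": ("Example Cam Ltd", "camera"),
}

# Constructed sample of `ip neigh show` output. The FAILED entry has no MAC and is skipped.
SAMPLE_NEIGH = """\
10.10.5.11 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.10.5.12 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
10.10.5.40 dev eth0 lladdr aa:bb:cc:10:20:30 REACHABLE
10.10.5.77 dev eth0 lladdr DD:EE:FF:01:02:03 REACHABLE
10.10.5.99 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neighbors(text: str) -> dict:
    """Return {mac: ip} for every line that carries a link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group(2).lower()] = m.group(1)   # normalise case so lookups match
    return seen


def classify(mac: str):
    """Best-effort vendor and device class from the first three octets."""
    return OUI.get(mac[:8], ("unknown vendor", "unknown"))


def review_inventory(neigh_text: str, baseline: dict = BASELINE) -> dict:
    """Compare observed devices with the baseline and sort them into findings."""
    findings = {"unknown": [], "needs_compensating_control": [], "known": []}
    for mac, ip in sorted(parse_neighbors(neigh_text).items()):
        asset = baseline.get(mac)
        if asset is None:
            vendor, cls = classify(mac)
            findings["unknown"].append((ip, mac, vendor, cls))   # investigate before allowing
            continue
        findings["known"].append((ip, mac, asset.name))
        if not asset.endpoint_agent:
            # Policy requires an endpoint agent but the device cannot run one:
            # document a compensating control (segmentation, egress filtering, logging).
            findings["needs_compensating_control"].append((ip, mac, asset.name, asset.device_class))
    return findings


def new_device_classes(findings: dict, baseline: dict = BASELINE) -> set:
    """Device classes among the unknowns that the baseline has never held.
    Each one is an infrastructure change: review the WISP and rescan."""
    known_classes = {a.device_class for a in baseline.values()}
    return {cls for _, _, _, cls in findings["unknown"]} - known_classes


if __name__ == "__main__":
    result = review_inventory(SAMPLE_NEIGH)
    for key, rows in result.items():
        print(f"{key}: {rows}")
    print("new device classes:", new_device_classes(result))
```

On the constructed sample the script reports two workstations and the printer as known, lists the printer as needing a compensating control because it cannot run the endpoint agent, flags the camera at 10.10.5.77 as an unknown device, and reports “camera” as a class the baseline has never held, which is exactly the trigger for the policy review and rescan described above.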

Remain Vigilant

Your best line of defense in protecting your organization’s IoT devices from hackers is identifying every device that resides on your network and understanding its vulnerabilities. AAFCPAs advises clients to remain vigilant and to scan their networks regularly for cyber security risks.
To schedule a cyber security assessment, or for specific advice on IoT devices and how best to protect sensitive data, please contact James Jumes at 774.512.4062, Mr. Anderson, or your AAFCPAs partner.

About the Authors

Mr. Anderson - Ethical Security Hacker
Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development and implementation of security-focused audit and control programs. He is highly sought after for his expertise in security architecture reviews; penetration and vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, ISO standards and SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.
James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting and SOC 2 + HITRUST assessments against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.