In today’s workplace, many companies have embraced the use of the Internet of Things (IoT). This network of devices, from fitness trackers, appliances to CCTV cameras carry sensors and software to enhance safety and infrastructure management. However, these same devices present a serious and often overlooked risk of compromise of personal or sensitive data by a range of threat actors. The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), along with international agencies, have consistently highlighted the growing threats posed by state-sponsored cyber groups and hackers like APT40, particularly concerning IoT devices.
The prevalence of IoT
Some hardware comes pre-installed with vulnerabilities that can be remotely activated or backed up. Kia and Hyundai collect voice recognition data from their cars and sell it to AI training companies. Communications Minister Michelle Rowland has reminded consumers to stay alert to the ways their technology is harvesting personal data. “It’s not only cars, it’s a number of internet connected devices that are in fact collecting a lot of data and a lot of personal information that people might not be aware of.”
These devices serve vital functions such as monitoring the environment (CO2 levels, temperature), enabling quick response (to accidents and incidents) and safeguarding infrastructure (CCTV). But while these benefits are clear, the security risks they pose are often underestimated. With devices continuously connected to corporate networks, they create multiple points of vulnerability, offering cyber actors numerous ‘backdoor’ entry points.
The ASD has flagged the exploitation of IoT devices, such as CCTV cameras, by foreign cyber actors. In a notable case, these backdoor traps were exploited to infiltrate an organisation’s network, allowing for extensive surveillance and data extraction. The same CCTV systems designed to ensure security were paradoxically used as tools for cyber espionage.
In our workplaces
This issue becomes even more pronounced when considering the scale of data collection in a workplace. IoT devices are embedded throughout many modern office environments, collecting vast amounts of data on everything from employee movements to environmental conditions. Air quality sensors to employee-tracking systems that monitor foot traffic. As these devices communicate across the Internet and store data in cloud systems, they become prime targets for adversaries seeking to gain access to confidential business operations, research, or intellectual property.
Unlike our ICT networks, there is currently far less security applied to such devices. The recent ASD Cyber Threat report further emphasises the need to compartmentalise critical security systems from general workplace IoT networks. Without stringent cybersecurity measures, these devices can serve as vectors for attacks, with foreign powers exploiting their access to gain valuable corporate intelligence.
A recent 2024 assessment by US intelligence agencies (FBI, CNFM and NSA) warned that (PRC)-linked cyber actors have, “compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity.”
An example of this occurred in 2021 when security agencies detected a vulnerability in several Chinese made CCTV cameras, which allowed for a cyber actor to take full control of the device remotely and undetected by the operator. This vulnerability has since been addressed.
More than data – physical infrastructure
By manipulating seemingly innocuous devices, such as smart thermostats or connected lighting systems, attackers can access broader IT systems, potentially compromising sensitive corporate data. This could also include the compromise of industrial SCADA systems, which control critical infrastructure operating mechanisms.
While IoT devices are essential for modern workplaces to enhance safety and improve operational efficiency, organisations must remain aware of the associated risks. Proactive security strategies like regular patch management, network segmentation, and comprehensive security audits are crucial in mitigating these risks. Companies must ensure that the technology protecting their staff and infrastructure doesn’t become an entry point for espionage, endangering the very assets it was designed to safeguard.
At Providence Consulting, we help organisations identify and mitigate these risks with independent security reviews, tailored risk assessments, and annual penetration testing—an approach already being adopted across government sectors. We support you in securing your technology before it secures a backdoor for someone else. Have a think about the technologies in your workplace that might seem harmless but could be exposing valuable information or providing the means to gain even more.
View our other articles:
