
The 2015 Internet of Things in the Enterprise Report

Security for the way


the world works today.

About OpenDNS
OpenDNS is a leading provider of network security and DNS services, enabling the world to connect to the Internet
with confidence on any device, anywhere, anytime. The Umbrella cloud-delivered network security service blocks
advanced attacks, as well as malware, botnets, and phishing threats regardless of port, protocol, or application.
Its predictive intelligence uses machine learning to automate protection against emergent threats before they can
reach customers. OpenDNS protects all devices globally without hardware to install or software to maintain. For
more information, please visit: www.opendns.com.

About OpenDNS Security Labs


At OpenDNS Security Labs we thrive on continual innovation. But we don’t simply look at data from new threats
and ask ourselves, “If we had known that before, what would we have done differently?” We look at our extensive
data collection network built on top of the largest security infrastructure and predict what’s coming next. We’re
a team of world-class engineers, mathematicians, and security researchers, and we’re taking an innovative and
proactive approach to security research. More than any other area of technology, we see history repeat itself
most often in information security. The way we have traditionally defended against malware has become a cycle:
new technologies are created and adopted, attackers leverage the opportunity to expand the attack surface, and
security solutions are released in reaction to the latest threats. But this method is tired, and we can do better.
Our goals are simple: to continually innovate ahead of the pace of technology change and build the best security
protection and security delivery network platform possible without compromising performance or productivity.

OpenDNS Security Labs authored this report. Any questions about the methodology
should be addressed to Andrew Hay, Director of Security Research, OpenDNS,
[email protected].

OpenDNS The 2015 Internet of Things in the Enterprise Report  2


Preamble
It is a popular belief that security companies and researchers report on events in a manner that is over-hyped,
exaggerated, and miscommunicated. Often, that’s true. Some security companies seek to grab the industry’s
attention with sensational blog headlines. We can say with confidence that we do things differently. The analysis
and findings we will present are driven by evidence and technology facts. The report will not include hearsay,
rumors, or obvious predictions around events or circumstances. When there is cause for alarm, we present reason
and advice based on facts stemming from our data. We aim to provide proof-points, relevance, and pervasive
evidence with our research, and you can hold us to that.

More information about the core values and beliefs of OpenDNS Security Labs can be viewed on our blog at
https://labs.opendns.com/about-us/.

We acknowledge that security research is often loaded with fear, uncertainty, and doubt (FUD). This report is about
visibility into IoT communications and highlights potential problems before the connected landscape becomes
unmanageable. This report is NOT FUD.

Visibility is a foundation of security and is critical in understanding the organization’s security posture and overall
risk profile. One cannot measure risk without first having visibility into what is happening.

Privacy Statement
Due to the size of the data, with often more than 70 billion daily DNS queries, OpenDNS Security Labs chose
to limit the scope of research by performing statistically relevant sampling of the data at regular intervals on the
15th day of February, March, and April in 2015. All data was meticulously sanitized so as not to reveal client IP
addresses or individual company names. Should you have any concerns regarding the privacy or security of the
analyzed data or employed methodology, please email [email protected].

Vendor Outreach
During our research we reached out to several vendors to foster an environment of sharing and collaboration.
Unfortunately, Western Digital and ioBridge did not return our calls or emails, nor acknowledge our social media
outreach attempts. Axeda, a PTC company, and mnubo were far more open to working with us on our findings. It
should be noted that this report releases no exploitation details for the surfaced vulnerabilities beyond those
that have already been published elsewhere.



Contents
5 Executive Summary
6 Key Findings
7 Methodology
9 External Data Enrichment
9 SHODAN
9 MaxMind GeoIP GeoLite2 Database
10 Sample Size and Geographic Distribution
11 IoT Taxonomy
12 Findings
12 Client Industry Verticals
15 IoT Domains Queried
17 Samsung Smart TVs
26 Dropcam and Nest
39 Logitech
42 IoT Infrastructure
42 IoT Hosting Providers
43 Autonomous Systems
45 Geographic Location of IoT Hosting Infrastructure
46 Internet Neighborhood Quality
47 Discovered Open Ports and Vulnerabilities
70 IT Professional and Consumer Survey Results
71 Implications
71 IoT Devices Are Everywhere
71 Three Risks to the Enterprise
72 Dealing with IoT Device Deluge
74 Appendix A: Index of Assessed Companies
76 Appendix B: SHODAN Data Features Utilized

Executive Summary
The Internet of Things (IoT) is actively transforming nearly every industry. With low-cost sensors proliferating devices
in constant use by consumers and companies, IoT is expected to change the way we live our lives and manage our
businesses. As an unprecedented amount of data is collected and monitored through Internet connected devices, IoT
delivers benefits such as seamless automation, optimized resource consumption, increased situational awareness,
and the immediate control and response of complex systems. In its current state, IoT is the start of a data-driven
evolution in engineering and science—and it’s only a glimpse of what’s possible.

The rise of IoT has catalyzed the creation of myriad surveys, expert predictions, and conference presentations about
the potential impact on enterprise security. While some IT leaders claim to be prepared for the march of a growing
number of Internet-connected devices onto their networks, others report having no plan at all. In addition, the lack
of concrete data has made the industry discussion largely speculative. Security and IT professionals–whether they
acknowledge it or not–face a cloud of obscurity in attempting to protect employees and customers from attack without
knowing exactly where and how IoT devices expose their networks to costly attacks.

Leveraging a data-driven methodology, this report explores the potential security risks surrounding IoT devices
connected to enterprise networks. The aim of our research is to heighten the awareness of IoT devices in business
network environments and the possible security threats they may pose to privacy, national security, and economic
stability. What follows is the analysis of our unique IoT viewpoint through a global DNS infrastructure.

This report covers our methodologies of data discovery, red flags for IT professionals regarding the security of IoT
devices, key takeaways, and suggestions for how to manage IoT deployed in an enterprise environment. It also
includes a contextual survey with responses from more than 500 IT and security professionals.

Our findings indicate that most company leaders, including the IT and security professionals charged with protecting
valuable and confidential information, are not fully aware of the scale of IoT presence within their networks. This
lack of awareness may also be fueling a misunderstanding or underestimation of how insecure IoT devices are. It is
imperative for IT security professionals to know which devices are unsafe, how to manage and patch them, and how
to prevent them from visiting harmful or malicious network infrastructures. However, many IT professionals do not
even seem to have a clear definition of what constitutes an IoT device.

Our findings uncover the extent to which IoT permeates nearly every major market vertical including energy
infrastructure, healthcare, education, consumer electronics, manufacturing, defense, government, financial
institutions, and retail, among others.

It’s worth noting that the intention of this report is not to scare or shock the public. It is meant to provide an
unprecedented data-driven view of IoT based on real data that security professionals can use to gain better
understanding, help educate company business decision makers, and to plan for an IT security future that includes
ubiquitous IoT devices.

For more information on how we defined IoT and its devices for this report, see the methodology section.



Key Findings

Though our report discovered an extensive number of concerning and important findings, the following seven are
the most significant.

1. As stated in the summary, IoT devices are actively penetrating some of the world’s most regulated industries
including healthcare, energy infrastructure, government, financial services, and retail.

2. Our analysis identified three principal risks that IoT devices present to the networks they join: (1) IoT
devices introduce new avenues for potential remote exploitation of enterprise networks; (2) the infrastructure
used to enable IoT devices is beyond the control of both the user and IT; and (3) IT's often casual approach to
IoT device management can leave devices unmonitored and unpatched.

3. Some infrastructures hosting IoT data are susceptible to highly-publicized and patchable vulnerabilities such as
FREAK and Heartbleed.

4. Highly prominent technology vendors are operating their IoT platforms in known “bad Internet neighborhoods,”
which places their own customers at risk.

5. Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital
“My Cloud” storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon
out to servers in the US, Asia, and Europe–even when not in use.

6. Though traditionally thought of as local storage devices, Western Digital cloud-enabled hard drives are now
some of the most prevalent IoT endpoints observed. Having been ushered into highly-regulated enterprise
environments, these devices are actively transferring data to insecure cloud servers.

7. And finally, a survey of more than 500 IT and security professionals found that 23 percent of respondents have
no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s
networks.



Methodology
This report is the result of detailed analysis of domain name system (DNS) queries using the global OpenDNS
network. As one of the largest recursive DNS providers, OpenDNS resolves and routes more than 70 billion
Internet requests daily, as shown in Figure 1 - Total Activity: Number of DNS Requests Per Day in Billions [1].
These requests come from approximately 50 million active consumer and enterprise users across more than
160 countries. This diverse data set reveals billions of combinations of domain names, origin IP addresses, and
destination IP addresses.

Figure 1 - Total Activity: Number of DNS Requests Per Day in Billions [1]

OpenDNS is able to handle this amount of traffic due to its large, geographically diverse network of 25 global
data centers. More detailed information about the location of OpenDNS' data centers is available at
https://www.opendns.com/data-center-locations/.

Due to the size of the data, with often more than 70 billion daily queries resulting in more than 10TB of data each
day, OpenDNS Security Labs chose to limit the scope of research by performing statistically relevant sampling
of the data at regular intervals on the 15th day of February, March, and April in 2015. All data was meticulously
sanitized so as not to reveal client IP addresses or individual company names.

[1] Source: http://system.opendns.com/ on Friday, May 1, 2015 at 7:21 AM PST



The DNS queries observed represented any fully qualified domain names (FQDNs) associated with the identified
list of parent domain names. For example, the domain fitbit.com would yield a number of subsequent FQDNs with
different hostnames as illustrated in Figure 2 - Example of Fully Qualified Domain Names for fitbit.com.

Figure 2 - Example of Fully Qualified Domain Names for fitbit.com

[Diagram: the parent domain fitbit.com with the FQDNs www.fitbit.com, client.fitbit.com, api.fitbit.com,
android-client.fitbit.com, and iphone-client.fitbit.com branching from it]

The complete list of parent domain names used for this research project are available in Appendix A: Index of
Assessed Companies. A number of FQDNs will be highlighted throughout this report. Some of the researched FQDNs,
however, have direct association with specific OpenDNS customers and their internal users. OpenDNS Security Labs
has chosen not to publish FQDNs for IoT devices that directly identify individuals, in order to protect their privacy.

The list of queried FQDNs was enriched with intelligence from the OpenDNS, SHODAN, and MaxMind data
repositories.

Though our logging is extensive, research for this report required only a few elements of the DNS query logs–the
client IP address, the organizational identifier (OrgID), the FQDN, and the total number of queries for the client
IP address and FQDN combination. We used the OrgID to help subset the query log information to differentiate
between OpenDNS customers with paid and those with unpaid accounts.

We then enriched the data from paying customers (including those engaged in an active trial) by mapping the OrgID to
the registered company, its employee count, and the industry vertical in which it operates. To focus on SMB and
enterprise customers, we removed premium home users and other non-customer-servicing industries from the data set.

Leveraging these intelligence repositories, OpenDNS was able to add context from our proprietary reputation,
predictive intelligence, and threat model data. We also combined OpenDNS business intelligence data such as
company name, industry vertical, and company size with geographic IP location, reported vulnerabilities and
exposures, and IoT infrastructure operating system information from external partners.



External Data Enrichment
Primarily we used two external databases to enrich the FQDN-related findings: SHODAN and the MaxMind GeoIP
GeoLite2 Database.

SHODAN
SHODAN is a search engine used to discover specific computers (routers, servers, etc.) using a variety of filters.
Some have also described it as a public port scan directory or a search engine of “banners” (metadata that the
server sends back to the client). This metadata can be information about server software, what options the service
supports, a welcome message, or anything else that the client needs to know before interacting with the server.

Observed IoT FQDNs were checked against the SHODAN API. From the resulting JSON data, we chose to utilize
several features for our research. These features are detailed in Appendix B: SHODAN Data Features Utilized.

More information about SHODAN can be found at http://www.shodanhq.com/.

MaxMind GeoIP GeoLite2 Database


MaxMind provides IP intelligence through the GeoIP brand. GeoIP GeoLite2 databases are free IP geolocation
databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. GeoLite2 databases are updated
on the first Tuesday of each month.

This research includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com, to add IP-
based geolocation information for client queries and IoT targets.

OpenDNS Security Labs leveraged the GeoIP GeoLite2 database to provide relatively accurate geolocation data for
both client IP addresses and IoT infrastructure. As there was some overlap between the GeoIP GeoLite2 database
and SHODAN results, we chose to assign geographic-to-IP mapping authority to MaxMind’s database.



Sample Size and Geographic Distribution
Using the MaxMind GeoIP GeoLite2 database, we plotted the query location as determined by the IP address
mapping. An initial list of 561,816 IoT client query IP addresses was narrowed down to a list of 68,044 client
query IP addresses which originated from within enterprise networks, depicted in Figure 3 - Client FQDN Queries
For Enterprise Customer Data Population. This distribution shows an expected pattern of client query counts
from Australia, Europe, and North America. Clusters of queries were also found in Latin and South America, the
Caribbean, Africa, and Asia. It should be noted that this disparity may be representative of regions where OpenDNS
has had more successful market penetration or has focused market efforts.

The disparity could also, however, be more representative of regions where enterprises are allowing, or at least not
discouraging, penetration of IoT devices into corporate networks.

Figure 3 - Client FQDN Queries For Enterprise Customer Data Population (n = 68,044)



IoT Taxonomy
A relatively succinct IoT Taxonomy was utilized to classify the types and variations of connected devices observed
during the research project. The full list can be seen in Table 1 - IoT Taxonomy.

Table 1 - IoT Taxonomy

CATEGORY                  TYPE
Personal Electronics      Fitness; Toys; Gadgets; Other
Consumer Appliances       Large Appliances; Small Appliances; Entertainment; Other
Home/Office Automation    External Home/Office; Power Management; HVAC; Other
Security & Monitoring     Audio/Video; Physical Locks; Alarm System; Environmental Monitors; Other
Platform                  IoT Management Platform; Other

Every effort was made to fit a device and associated domain into an appropriate category and type for the purposes
of this research. Typical IT and consumer equipment that relies on Internet connectivity to function properly was
not classified as IoT for purposes of this analysis. These non-IoT devices include servers, PCs, tablets, and
smartphones, to name a few.



Findings

Client Industry Verticals


To better understand the types of organizations querying IoT devices, OpenDNS Security Labs engaged OpenDNS’s
business intelligence team to help map the industry verticals to the unique customer identifiers. This mapping of
verticals allows us to summarize and present our findings while protecting the privacy of our customers and their
users.

There were 56 distinct industry verticals identified in our data set in addition to an “Other” category for industries
that our business intelligence team didn’t have a 1:1 mapping for.

- Accounting, HR, and Admin
- Advertising, Communications, and PR
- Aerospace, Weapons, Defense Contractors
- Agriculture
- Apparel
- Biotechnology
- Business Services
- Chemicals
- Churches and Houses of Worship
- Communications
- Computer Software
- Construction and Architecture
- Consulting
- Consumer Products
- Distributor and Wholesaler
- Education
- Education: K-12
- Electronics
- Energy/Utilities
- Engineering
- Entertainment
- Environmental
- Financial Services
- Food & Beverage
- Government
- Health Insurance
- Healthcare
- Higher Education
- Hospitality
- Insurance
- ISP
- IT Services
- Legal Services
- Leisure
- Libraries
- Machinery
- Managed Service Providers
- Manufacturing
- Media
- Mining/Raw Materials
- Non-Profit
- Not for Profit
- Oil and Gas
- Other
- Pharmaceutical manufacturers
- Professional Services
- Property Management
- Real Estate
- Recreation
- Restaurants
- Retail
- Services
- Technology
- Technology Reseller
- Telecommunications
- Transportation, Shipping, and Logistics



The query counts by industry verticals, totaling 68,044, are depicted in Figure 4 - Industry Verticals by Total
Query Count.

Figure 4 - Industry Verticals by Total Query Count



The top three industry verticals represented in our research, by query count, are higher education, managed
service providers, and healthcare.

Higher Education: Colleges not only use IoT devices and applications to change campus life and learning, but
students and faculty are also developing innovative IoT applications that will help other industries. For example,
colleges use software to manage campus-wide emergency communication, students use smartphones to check
whether washers are free in dorms, and biology labs use apps to track freezer temperatures and the status of
experiments.

Managed Service Providers: Managed Service Providers deploy and make use of IoT devices to manage and
monitor clients’ hosted environments. For example, security systems, webcams, video monitoring systems, TVs,
etc. are now IoT enabled.

Healthcare: Healthcare providers leverage IoT devices to make patient health monitoring, diagnostics, and care
more timely and convenient. For example, MRI machines, ambulance equipment, and even pacemakers are
now IoT enabled. There are also new inventions like connected pill bottles to help ensure patients take their
medications.

The total query counts for the three leading industry verticals are detailed in Table 2 - Top 3 Industry Verticals
by Total Query Count.

Table 2 - Top 3 Industry Verticals by Total Query Count

INDUSTRY VERTICAL            TOTAL QUERY COUNT
Higher Education                         6,451
Managed Service Providers                6,298
Healthcare                               5,557

Many other verticals including retail, financial services, hospitality, and energy infrastructure use IoT to
increase efficiency and visibility into business operations. For example, there are now applications to track
water consumption, technologies to wirelessly power IoT devices, and IoT enabled devices such as door locks,
thermostats, mini-fridges, and light switches.



IoT Domains Queried
Our research showed 879 unique IoT infrastructure-related FQDNs queried. Several hostnames were excluded
from the analysis, as we believed them to be unrelated to the IoT infrastructure we are investigating. Examples of
removed hostnames included: www, buy, careers, community, docs, download, email, forums, ftp, help, news,
newsletter, ns, ns-1, ns-2, shop, and wpad.
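
The subsetting steps described in the Methodology section (keep only paid-OrgID rows, match each FQDN to the
parent-domain list, aggregate counts per client/FQDN pair) and the hostname exclusion above can be reproduced on
any DNS query log with the following script. It is an added example written for this page, not OpenDNS tooling:
the log format, the OrgID values, and the four-entry parent-domain list are constructed for illustration, since the
real OpenDNS log schema is not public.

```python
"""DNS-log triage for IoT parent domains.

Added example for this page; not OpenDNS tooling. The log format, OrgIDs and
short parent-domain list are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed watch list; the report's full list is in Appendix A.
IOT_PARENT_DOMAINS = {"fitbit.com", "samsungosp.com", "dropcam.com", "axeda.com"}

# Generic hostnames the report excludes as unrelated to IoT infrastructure.
EXCLUDED_HOSTNAMES = {
    "www", "buy", "careers", "community", "docs", "download", "email", "forums",
    "ftp", "help", "news", "newsletter", "ns", "ns-1", "ns-2", "shop", "wpad",
}

# Constructed OrgIDs standing in for paying (or trialling) customers.
PAID_ORGIDS = {1001, 1002}

# Constructed sample log: client_ip,orgid,fqdn,query_count (one pair per line)
SAMPLE_LOG = """\
10.1.1.5,1001,iphone-api.fitbit.com.,120
10.1.1.5,1001,www.fitbit.com.,40
10.1.1.9,1001,api.samsungosp.com.,75
10.2.0.3,1002,nexusapi.dropcam.com.,12
10.2.0.3,1002,notfitbit.com.,300
10.2.0.3,1002,ftp.axeda.com.,9
10.2.0.3,1002,brinks.axeda.com.,30
192.0.2.7,2001,api.samsungosp.com.,999
"""


def parent_domain(fqdn, parents=IOT_PARENT_DOMAINS):
    """Return the watch-listed parent domain of fqdn, or None.

    The test walks label boundaries, so notfitbit.com does not match
    fitbit.com the way a plain endswith() check would."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def is_excluded(fqdn, parent):
    """True when the hostname portion left of the parent is a generic name."""
    host = fqdn.rstrip(".").lower()[: -len(parent)].rstrip(".")
    return host in EXCLUDED_HOSTNAMES


def triage(log_text, paid_orgids=PAID_ORGIDS):
    """Aggregate query counts per FQDN and the distinct client IPs behind them,
    keeping only paid-OrgID rows whose FQDN matches the watch list."""
    fqdn_counts = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, orgid, fqdn, count = line.split(",")
        if int(orgid) not in paid_orgids:
            continue                                # unpaid account: out of scope
        parent = parent_domain(fqdn)
        if parent is None or is_excluded(fqdn, parent):
            continue                                # not IoT infrastructure
        name = fqdn.rstrip(".").lower()
        fqdn_counts[name] += int(count)
        clients[name].add(client_ip)
    return fqdn_counts, clients


if __name__ == "__main__":
    counts, clients = triage(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{name:30} {n:6d}  clients={len(clients[name])}")
```

Matching is done on label boundaries rather than with a suffix test on purpose: a bare endswith("fitbit.com")
check would also sweep up notfitbit.com and credit Fitbit with queries its infrastructure never saw.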

Due to the number of queried FQDNs, combined with the limited chart width available, Figure 5 - Queried FQDNs
With A Query Count >= 100 shows the FQDNs with a total query count of 100 or more.

Figure 5 - Queried FQDNs With A Query Count >= 100



A closer look at the top 30 queried FQDNs can be seen in Table 3 - Top 30 Queried FQDNs.

Table 3 - Top 30 Queried FQDNs

DOMAIN                                  QUERY COUNT
gld.push.samsungosp.com.                       6342
api.samsungosp.com.                            6028
us-odc.samsungapps.com.                        5227
vas.samsungapps.com.                           4306
eu2-scloud-proxy.ssp.samsungosp.com.           4228
iphone-api.fitbit.com.                         3853
iphone-client.fitbit.com.                      3500
hub.samsungapps.com.                           3066
android-api.fitbit.com.                        2867
desktop-static.fitbit.com.                     2677
android-client.fitbit.com.                     2587
iedc.fitbit.com.                               2513
auth.samsungosp.com.                           2347
sc-auth.samsungosp.com.                        1624
mkt-odc.samsungapps.com.                       1413
desktop-client.fitbit.com.                     1397
client.fitbit.com.                             1314
updates.logitech.com.                          1243
hub-odc.samsungapps.com.                        850
nexusapi.dropcam.com.                           729
weather.nest.com.                               457
ca-odc.samsungapps.com.                         436
uk-odc.samsungapps.com.                         426
img.samsungapps.com.                            389
wearable.samsungapps.com.                       301
bwhome.logitech.com.                            299
bwsnotif01.logitech.com.                        291
bwsupdate01.logitech.com.                       291
brinks.axeda.com.                               274
bwsregister01.logitech.com.                     221

The majority of queries were for FQDNs belonging to Samsung, Fitbit [2], Dropcam, Nest, Logitech, and the Axeda
Machine Cloud.

[2] The majority of Fitbit queries appeared to originate from desktop software or synchronized mobile devices uploading fitness information to
the Fitbit cloud infrastructure. Due to the nature of Fitbit devices and our desire to focus on non-mobile IoT traffic, we will not be covering these
devices in this report.



Samsung Smart TVs
Lately in the business world, smart televisions are frequently deployed in boardrooms, replacing overhead
projectors. Many offices also use them in common areas as active signage for advertising or employee/location
information. In fact, Samsung Smart TVs garnered headline news in February of 2015 as a result of a discovery
buried within the company's privacy policy [3]. According to an article written by Shane Harris [4], the policy (which has
since been reworded [5]) stated:

“Please be aware that if your spoken words include personal or other sensitive information, that
information will be among the data captured and transmitted to a third party through your use
of Voice Recognition.”

In a written response from Samsung–added as an update to the Harris article–the company stated that voice
recognition which allows the user to control the TV using voice commands is a Samsung Smart TV feature, which
can be activated or deactivated by the user. Samsung noted that the TV owner can also disconnect the TV from
Wi-Fi. As removing the Smart TV from the network defeats the purpose of having a Smart TV, we suspect that few
organizations follow this particular recommendation.

In an effort to focus our research on Samsung Smart TV-related domains we decided to obtain a TV (model
UN32H5203AF) and test it. The software running on the Smart TV was version 1117, the most current as of the
date of testing (5 May 2015). This configuration is representative of the 2014/2015 Samsung Smart TV lineup.

As one might expect, the device’s default configuration regularly updates installed applications to ensure content is
fresh (latest videos, most recent application, etc.). To examine the initial hypothesis that a typical Smart TV actively
beacons (or calls out to external addresses) without user interaction, we conducted a step-by-step examination of
the network traffic.


[3] http://www.samsung.com/sg/info/privacy/smarttv.html?CID=AFL-hq-mul-0813-11000170
[4] http://www.thedailybeast.com/articles/2015/02/05/your-samsung-smarttv-is-spying-on-you-basically.html
[5] https://web.archive.org/web/20150210055437/http://www.samsung.com/sg/info/privacy/smarttv.html?CID=AFL-hq-mul-0813-11000170



To gain a sense of just how talkative these devices are, Figure 6 - Industry Verticals Querying Samsung Smart
Television FQDNs depicts the total number of queries for the identified FQDNs being queried by the Samsung
Smart TVs.

Figure 6 - Industry Verticals Querying Samsung Smart Television FQDNs



As part of our research on our test Smart TV, OpenDNS Security Labs discovered regular communications with a
particular FQDN: xpu.samsungelectronics.com. Queries for this FQDN appear to be the most reliable indicator that a
Samsung Smart TV is actively communicating with the Internet. Communication with this domain follows a rough
pattern of 10 attempts, five minutes apart, followed by a 45-minute delay before the next 10 attempts begin.

We discovered this pattern by observing communications with each Smart TV related domain on a minute by
minute basis. The query volume associated with this FQDN is depicted in Figure 7 - OpenDNS Investigate DNS
Queries for xpu.samsungelectronics.com.
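
The minute-by-minute inspection described above can be automated. The following script, added for this page and
not part of the original report, recovers the beacon interval, burst length and inter-burst pause from a list of
query timestamps for a single FQDN and flags the timeline as machine-driven when nearly every gap falls into those
two buckets. The timeline it runs on is constructed to mimic the 10 x 5-minute / 45-minute cadence described for
xpu.samsungelectronics.com; it is not captured data, and the 30-second jitter bucket is an assumed tolerance.

```python
"""Beacon-cadence profiler for one FQDN's DNS query timeline.

Added example for this page; not OpenDNS code. Timestamps are seconds.
The sample timeline is constructed to mimic the cadence the report
describes for xpu.samsungelectronics.com and is not captured data.
"""
from collections import Counter


def build_constructed_timeline(cycles=4, burst=10, step_s=300, pause_s=2700, start=0):
    """Synthetic timeline: `burst` queries `step_s` apart, then a `pause_s`
    gap before the next burst. Defaults mirror the reported 10 x 5 min
    bursts with a 45 min pause (constructed, not observed)."""
    stamps, t = [], start
    for _ in range(cycles):
        for i in range(burst):
            stamps.append(t)
            t += step_s if i < burst - 1 else pause_s
    return stamps


def _bucket(delta_s, jitter_s):
    """Snap an inter-arrival delta to the nearest multiple of jitter_s so
    that slightly late or early queries fold into one bucket."""
    return round(delta_s / jitter_s) * jitter_s


def beacon_profile(stamps, jitter_s=30):
    """Return (interval_s, burst_len, pause_s, regularity) or None.

    interval_s : most common inter-arrival gap (the beacon period)
    burst_len  : longest run of consecutive queries at that interval
    pause_s    : most common gap larger than the interval (between bursts)
    regularity : share of all gaps that fall in those two buckets; values
                 near 1.0 indicate machine-driven traffic, whereas human
                 browsing scatters gaps across many buckets."""
    if len(stamps) < 3:
        return None
    stamps = sorted(stamps)
    deltas = [b - a for a, b in zip(stamps, stamps[1:])]
    buckets = Counter(_bucket(d, jitter_s) for d in deltas)
    interval, n_interval = buckets.most_common(1)[0]

    # A burst is a run of consecutive gaps equal to the beacon interval.
    burst_lens, run = [], 1
    for d in deltas:
        if _bucket(d, jitter_s) == interval:
            run += 1
        else:
            burst_lens.append(run)
            run = 1
    burst_lens.append(run)

    pauses = [b for b in buckets if b > interval]
    pause = max(pauses, key=buckets.get) if pauses else 0
    regularity = (n_interval + (buckets[pause] if pauses else 0)) / len(deltas)
    return interval, max(burst_lens), pause, regularity


def looks_automated(profile, min_regularity=0.9):
    """Heuristic verdict: nearly every gap sits in the two dominant buckets."""
    return profile is not None and profile[3] >= min_regularity


if __name__ == "__main__":
    timeline = build_constructed_timeline()
    interval, burst, pause, regularity = beacon_profile(timeline)
    print(f"interval={interval}s burst={burst} pause={pause}s "
          f"regularity={regularity:.2f} automated={looks_automated(beacon_profile(timeline))}")
```

Run against a real resolver log, the same function takes the sorted query times for one (client IP, FQDN) pair; a
high regularity with a multi-query burst and a long fixed pause is the signature to look for when deciding whether a
domain is polled by firmware rather than visited by a person.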

Figure 7 - OpenDNS Investigate DNS Queries for xpu.samsungelectronics.com

The host behind the FQDN exposes nothing to an outside scanner (443/tcp closed, the remaining 999 probed ports
filtered), as seen in Figure 8 - Scan Results for xpu.samsungelectronics.com. It is likely used solely to keep a
statistical, IP-based running count of check-ins, or it relies on earlier queries in the sequence to grant access
to a particular IP address. Note that the scan was run from an address that is not a Smart TV, so a closed result
on its own does not rule out per-client access control.

Figure 8 - Scan Results for xpu.samsungelectronics.com

$ sudo nmap -Pn xpu.samsungelectronics.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-14 08:28 PDT


Nmap scan report for xpu.samsungelectronics.com (54.235.219.101)
Host is up (0.093s latency).
rDNS record for 54.235.219.101: ec2-54-235-219-101.compute-1.amazonaws.com
Not shown: 999 filtered ports
PORT STATE SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 24.64 seconds



Figure 9 - Industry Verticals by Country Querying xpu.samsungelectronics.com depicts the counts of queries
to the xpu.samsungelectronics.com FQDN for the identified industry verticals, and the origin of those queries
by country.

Figure 9 - Industry Verticals by Country Querying xpu.samsungelectronics.com



The thickness of the ribbon indicates the query count by country and industry vertical respectively. As the
analysis shows, queries for the xpu.samsungelectronics.com FQDN were observed from healthcare, restaurant, energy,
retail, and apparel companies. Across these verticals, the United States was the primary source country of the
queries.

Another curious finding was continued queries to infolink.pavv.co.kr, depicted in Figure 10 - OpenDNS Investigate
DNS Queries for infolink.pavv.co.kr, which follows the same query pattern as xpu.samsungelectronics.com.

Figure 10 - OpenDNS Investigate DNS Queries for infolink.pavv.co.kr

Samsung is headquartered in South Korea. As such, it should be no surprise that its software may beacon out
to FQDNs associated with that country. However, we suspect that individuals with Samsung Smart TVs would be
surprised by the rate and volume of these queries.

According to a Wikipedia article [6], in the years from 2007 to 2010 Samsung debuted a service called Internet
TV, then renamed or altered the service to various new names, including new functions along the way. In 2009
Samsung developed the Power Infolink service, and the latest iteration of connected TV was named Internet@TV in
2010. The service allows users to download applications from an app store, among other connected functions.

A Google search for “samsung infolink” returns about 428,000 results. Unfortunately, all of the Samsung hosted
links no longer point to live content. A search on the Samsung site7 for “infolink” returns only 2 pages - both of
which are press releases from June8 and August9 in 2010.

6 http://en.wikipedia.org/wiki/Samsung_Electronics
7 http://www.samsung.com/us/search/espsearch.us?keyword=infolink
8 http://www.samsung.com/us/news/newsRead.do?news_seq=19705
9 http://www.samsung.com/us/news/newsRead.do?news_seq=19722

Lack of accessible content leaves us with questions. Has this feature been replaced by newer technology? Could
this be legacy code that was never removed from the Samsung Smart TV software? OpenDNS Security Labs
reached out to Samsung for clarification but did not receive a response at the time of this report’s publication.

Whether Infolink is a remnant of previous releases or not, OpenDNS Security Labs decided to look deeper into the
FQDN due to the number of automated queries observed.

The infolink.pavv.co.kr FQDN has only 3 ports open, as seen in Figure 11 - Scan Results for infolink.pavv.co.kr,
with HTTP and HTTPS open to the world.

Figure 11 - Scan Results for infolink.pavv.co.kr

$ sudo nmap -Pn infolink.pavv.co.kr

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-14 08:04 PDT


Nmap scan report for infolink.pavv.co.kr (207.36.95.10)
Host is up (0.079s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
443/tcp  open     https
5060/tcp filtered sip

Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds

Though the pavv.co.kr domain resides in South Korea (203.254.223.7), the infolink host resides in a datacenter in
Chicago, IL (207.36.95.10). Less alarming, but still curious. We did discover, however, that the server was using an
untrusted certificate10, as seen in Figure 12 - SSL Certificate Validation for infolink.pavv.co.kr.

Figure 12 - SSL Certificate Validation for infolink.pavv.co.kr

10 https://support.mozilla.org/en-US/kb/connection-untrusted-error-message

A manual validation of the certificate can be seen in Figure 13 - SSL Validation Results for infolink.pavv.co.kr.
This shows that the certificate is not trusted: the verify errors (20, 27, and 21) indicate that the server presents
only its own certificate and that the issuer, Samsung Hubsite CA, is not in the client's trust store.

Figure 13 - SSL Validation Results for infolink.pavv.co.kr

$ openssl s_client -connect infolink.pavv.co.kr:443


CONNECTED(00000003)
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=infolink.pavv.co.kr/O=Samsung Electronics/C=KR/ST=Kyong-gi/L=Suwon
   i:/CN=Samsung Hubsite CA/O=Samsung Electronics/C=KR/ST=Kyong-gi/L=Suwon
---

<clipped>
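As an added example (not code from the report), the following Python parses output of the kind shown in Figure 13 and reduces the OpenSSL verify errors plus the presented chain to a single finding that a reviewer can act on. The sample output below is constructed in the shape of the figure rather than captured live.

```python
import re

# Constructed excerpt in the shape of `openssl s_client -connect host:443`
# output, modelled on the report's Figure 13; it is not a live capture.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = infolink.pavv.co.kr, O = Samsung Electronics, C = KR, ST = Kyong-gi, L = Suwon
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=infolink.pavv.co.kr/O=Samsung Electronics/C=KR/ST=Kyong-gi/L=Suwon
   i:/CN=Samsung Hubsite CA/O=Samsung Electronics/C=KR/ST=Kyong-gi/L=Suwon
---
"""

VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")  # handles both "/CN=x" and "CN = x"


def common_name(dn):
    """Extract the CN from either DN spelling s_client uses; '' if absent."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else ""


def parse_s_client(output):
    """Return (verify errors as [(code, text)], chain as [{subject, issuer}])."""
    errors, chain = [], []
    for line in output.splitlines():
        m = VERIFY_ERROR_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = CHAIN_SUBJECT_RE.match(line)
        if m:
            chain.append({"subject": m.group(2).strip(), "issuer": ""})
            continue
        m = CHAIN_ISSUER_RE.match(line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return errors, chain


def classify(codes, chain):
    """Map OpenSSL X509_V_ERR codes plus the presented chain to one finding."""
    if not codes:
        return "trusted", "chain validated against the local trust store"
    if 10 in codes:
        return "expired", "a certificate in the chain has expired"
    if 62 in codes:
        return "hostname-mismatch", "leaf certificate does not match the requested host name"
    if 18 in codes:
        return "self-signed", "the leaf certificate is self-signed"
    if 19 in codes:
        return "untrusted-root", "the chain ends in a self-signed root that is not trusted locally"
    if codes & {20, 21, 27}:
        if len(chain) == 1:
            issuer = common_name(chain[0]["issuer"]) or "<unknown issuer>"
            return ("incomplete-chain-or-private-ca",
                    f"server sent only its leaf; issuer '{issuer}' is not in the local "
                    "trust store (private CA or missing intermediate)")
        return "untrusted-root", "intermediates were sent but the chain does not reach a trusted root"
    return "unknown", "unrecognised verify error codes: " + ", ".join(str(c) for c in sorted(codes))


def diagnose(output):
    """Parse one s_client transcript and return a structured verdict."""
    errors, chain = parse_s_client(output)
    codes = {code for code, _ in errors}
    finding, detail = classify(codes, chain)
    leaf = chain[0] if chain else {"subject": "", "issuer": ""}
    return {
        "error_codes": [code for code, _ in errors],
        "chain_length": len(chain),
        "leaf_subject_cn": common_name(leaf["subject"]),
        "leaf_issuer_cn": common_name(leaf["issuer"]),
        "trusted": not codes,
        "finding": finding,
        "detail": detail,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_S_CLIENT_OUTPUT)
    print(f"{result['finding']}: {result['detail']}")
```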

If the server is in production, the company should consider creating a valid certificate, especially given the number
of highly regulated industries observed querying the FQDN as seen in Figure 14 - Industry Verticals by Country
Querying infolink.pavv.co.kr.

Figure 14 - Industry Verticals by Country Querying infolink.pavv.co.kr

Nothing directly malicious was found in the examination of the Samsung Smart TV’s network communications;
however, the behavior of the xpu.samsungelectronics.com FQDN does not fit into any logical use case. Additionally,
the frequency with which the Smart TV makes requests to this domain makes it significantly easier for Samsung to
track the overall usage of the device.

It is our opinion that the average user does not expect their Smart TV to make incessant external calls to various
services without any interaction. The fact that a Smart TV does so almost every minute it’s powered on–even
without user interaction–is concerning because it makes the use of these devices much easier to determine from
outside a corporate network.

Dropcam and Nest


When people talk about IoT they often mean devices like Dropcam, Nest, or both.

Dropcam cameras provide live, streaming video accessible through a web app and mobile apps for iOS and
Android11. Video streams are encrypted and private by default, but users can also make video streams public.

In June 2014, Dropcam was acquired by Nest Labs. In September, Dropcam joined the Works with Nest program.
As part of this integration, when the Nest Protect alarm goes off the associated Dropcam camera records a clip of
the smoke or carbon monoxide event and saves it, regardless of whether the customer pays for Cloud Recording12.

Nest Labs is a home automation company headquartered in Palo Alto, Calif., that designs and manufactures
sensor-driven, Wi-Fi-enabled, self-learning, programmable thermostats and smoke detectors. On January 14,
2014, Google acquired Nest Labs for US$3.2 billion13.

NEST
Extensive research on Nest devices has been performed previously14. From that research, several observations
have surfaced. The Nest does frequent DNS lookups for a FQDN matching XXXX.transport.nest.com. Then it
makes a TCP connection to port 9543 which it seems to hold open. Nest communicates with the server over 9543
as does the web client.

11 http://en.wikipedia.org/wiki/Dropcam#Products
12 http://en.wikipedia.org/wiki/Dropcam#Products
13 http://en.wikipedia.org/wiki/Nest_Labs#History
14 https://learn.sparkfun.com/tutorials/nest-thermostat-teardown-

In another detailed paper entitled Smart Thermostat Security: Turning up the Heat15 by Matthew Burrough and
Jonathan Gill of the University of Illinois at Urbana-Champaign, the following observations were recorded:

When not actively controlled by an end user, the Nest appears to be offline. The device does not
respond to ICMP Echo Requests, yet responds immediately to cloud-based temperature control
changes. TCP keep-alives are sent to transportXX.transport.nest.com:9543 every two minutes.

This will keep the [Port Address Translation] PAT entries updated to prevent a home router from
dropping the connection. Investigation of the file system shows utilities responsible for waking up the
wireless LAN controller based on the presence of packets originating from Nest transport servers or
when the motion sensors are triggered.

In order to perform a port scan against the thermostat, it is required that the thermostat be “awake.”
By interacting with the thermostat or triggering the motion sensors, persistent connections can be
made to the thermostat. However, no TCP or UDP ports appear to be open, in contrast to some of the
expectations based on Linux startup utilities.

Since the above research was performed, Nest has changed its FQDN format. Figure 15 - January 14, 2014
nslookup for transport.nest.com shows the original lookup response as performed and documented by Andrew
Hay at http://www.andrewhay.ca/archives/2419.

Figure 15 - January 14, 2014 nslookup for transport.nest.com

$ nslookup transport.nest.com

Server: 208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
transport.nest.com canonical name = transport.production.nest.com.
transport.production.nest.com canonical name = transport-service-production-909910888.us-east-1.elb.amazonaws.com.
Name: transport-service-production-909910888.us-east-1.elb.amazonaws.com
Address: 107.20.222.81
Name: transport-service-production-909910888.us-east-1.elb.amazonaws.com
Address: 54.243.109.243

15 http://www.burrough.org/Documents/Thermostat-final-paper.pdf

Amazon’s Elastic Load Balancing (ELB) was being used, likely to help distribute the load across multiple guest
instances. However, more recently, transport.nest.com disappeared as shown in Figure 16 - May 10, 2015
nslookup for transport.nest.com.

Figure 16 - May 10, 2015 nslookup for transport.nest.com

$ nslookup transport.nest.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find transport.nest.com: NXDOMAIN

Based on DNS query results observed in our research, a new format for the transport FQDNs has emerged (with
some slight variations):

transport[01:04]-rts[01:12].iad01.transport.home.[ft].nest.com

It should be noted that 60 distinct variations of the new FQDNs were seen in the 879 observed DNS queries.
Two examples of these domains are transport01-rts08-iad01.transport.home.nest.com and
transport01-rts01-iad01.transport.home.ft.nest.com.
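As an added example (not code from the report), the following Python turns the transport FQDN pattern above into a regex and runs it over a constructed resolver log, tallying queries per pool (home.nest.com versus home.ft.nest.com), distinct variants, hosts outside the transport01-04/rts01-12 ranges the report documents, and the interval between successive lookups per client. The log format and client addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Pattern built from the two example FQDNs quoted in the report; the "[ft]"
# part of the report's shorthand is the optional ".ft" label.
NEST_TRANSPORT_RE = re.compile(
    r"^transport(?P<transport>\d{2})-rts(?P<rts>\d{2})-(?P<site>iad\d{2})"
    r"\.transport\.home(?P<ft>\.ft)?\.nest\.com\.?$",
    re.IGNORECASE,
)
DOCUMENTED_TRANSPORT = range(1, 5)   # transport01..04 in the report's shorthand
DOCUMENTED_RTS = range(1, 13)        # rts01..12

# Constructed resolver log (not data from the report). Assumed format:
# "<timestamp> <client> <qname> <qtype>".
SAMPLE_QUERY_LOG = """\
2015-05-10T08:00:01Z 10.1.4.22 transport01-rts08-iad01.transport.home.nest.com A
2015-05-10T08:02:01Z 10.1.4.22 transport01-rts08-iad01.transport.home.nest.com A
2015-05-10T08:02:07Z 10.1.9.13 transport03-rts12-iad01.transport.home.nest.com A
2015-05-10T08:03:40Z 10.1.9.13 weather.nest.com A
2015-05-10T08:04:01Z 10.1.4.22 transport01-rts08-iad01.transport.home.nest.com A
2015-05-10T08:05:12Z 10.2.0.7 transport01-rts01-iad01.transport.home.ft.nest.com A
2015-05-10T08:05:13Z 10.2.0.7 TRANSPORT02-RTS01-IAD01.transport.home.ft.nest.com. A
2015-05-10T08:06:00Z 10.3.3.3 transport.nest.com A
2015-05-10T08:06:30Z 10.3.3.3 transport99-rts08-iad01.transport.home.nest.com A
"""


def parse_nest_transport(fqdn):
    """Return the parsed fields of a Nest transport FQDN, or None if it is not one."""
    m = NEST_TRANSPORT_RE.match(fqdn.strip())
    if not m:
        return None
    transport, rts = int(m["transport"]), int(m["rts"])
    return {
        "fqdn": fqdn.strip().rstrip(".").lower(),
        "transport": transport,
        "rts": rts,
        "site": m["site"].lower(),
        "pool": "home.ft.nest.com" if m["ft"] else "home.nest.com",
        "documented": transport in DOCUMENTED_TRANSPORT and rts in DOCUMENTED_RTS,
    }


def parse_log(log_text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, client, qname


def summarize(log_text):
    """Inventory Nest transport lookups: pools, variants, anomalies, cadence."""
    pools = Counter()
    variants = set()
    clients_by_pool = defaultdict(set)
    undocumented = []
    other_nest = Counter()
    times_by_client = defaultdict(list)
    for when, client, qname in parse_log(log_text):
        info = parse_nest_transport(qname)
        if info is None:
            name = qname.rstrip(".").lower()
            if name.endswith("nest.com"):
                other_nest[name] += 1      # e.g. weather.nest.com, legacy transport.nest.com
            continue
        pools[info["pool"]] += 1
        variants.add(info["fqdn"])
        clients_by_pool[info["pool"]].add(client)
        times_by_client[client].append(when)
        if not info["documented"]:
            undocumented.append(info["fqdn"])
    # Seconds between successive transport lookups per client; a fixed
    # interval is the signature of an unattended device, not a person.
    intervals = {
        c: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
        for c, t in ((c, sorted(t)) for c, t in times_by_client.items())
        if len(t) > 1
    }
    return {
        "transport_queries": sum(pools.values()),
        "by_pool": dict(pools),
        "distinct_variants": len(variants),
        "clients_by_pool": {p: sorted(c) for p, c in clients_by_pool.items()},
        "undocumented": undocumented,
        "other_nest_fqdns": dict(other_nest),
        "query_intervals_s": intervals,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_QUERY_LOG).items():
        print(f"{key}: {value}")
```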

The results of an nslookup on both FQDNs can be seen in Figure 17 - May 10, 2015 nslookup For Two Nest
Transport FQDNs.

Figure 17 - May 10, 2015 nslookup For Two Nest Transport FQDNs

$ nslookup transport01-rts08-iad01.transport.home.nest.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
transport01-rts08-iad01.transport.home.nest.com canonical name = ec2-54-161-73-145.compute-1.amazonaws.com.
Name: ec2-54-161-73-145.compute-1.amazonaws.com
Address: 54.161.73.145

$ nslookup transport01-rts01-iad01.transport.home.ft.nest.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
transport01-rts01-iad01.transport.home.ft.nest.com canonical name = ec2-54-221-75-69.compute-1.amazonaws.com.
Name: ec2-54-221-75-69.compute-1.amazonaws.com
Address: 54.221.75.69

It appears that the “transport” FQDNs continue to be hosted in Amazon EC2. What we are unsure of, however, is
the feature or functionality differentiation between the home.nest.com and the home.ft.nest.com FQDNs. Based on
OpenDNS Investigate research, the FQDNs share some commonalities, such as the name servers, as depicted in
Table 4 - Comparison Between home.nest.com and home.ft.nest.com Nameservers.

Table 4 - Comparison Between home.nest.com and home.ft.nest.com Nameservers

home.nest.com home.ft.nest.com

The two FQDNs differ considerably, however, in several other areas, as shown in Table 5 - Comparison Between
home.nest.com and home.ft.nest.com Traffic. Traffic volume and consistency are obvious with regard to
home.nest.com: counts peak at more than 110,000 queries and follow a clear diurnal pattern, with weekday/weeknight/
weekend spikes and troughs. The other FQDN, home.ft.nest.com, has a much flatter query pattern that floats on
either side of the 500-query mark, with some obvious spikes. A matching diurnal pattern does not materialize for
the home.ft.nest.com FQDN.

Table 5 - Comparison Between home.nest.com and home.ft.nest.com Traffic

home.nest.com home.ft.nest.com

IP addresses and Canonical Name records (CNAME) also differ quite a bit, with home.nest.com FQDNs shifting
between five CNAMEs for Amazon ELBs. The other, home.ft.nest.com, shows that the FQDN has only ever had an
Amazon ELB CNAME which was first observed by OpenDNS on February 7, 2015. This can be seen in Table 6 -
Comparison Between home.nest.com and home.ft.nest.com IPs and CNAMEs.

Table 6 - Comparison Between home.nest.com and home.ft.nest.com IPs and CNAMEs

home.nest.com home.ft.nest.com

The requester geo distribution differs quite a bit between the FQDNs, as seen in Table 7 - Comparison Between
home.nest.com and home.ft.nest.com Geo Distribution. The first FQDN, home.nest.com, has a fairly even
distribution across numerous countries. The second, home.ft.nest.com, only shows queries from US (87.14%),
CA (4.29%), GB (2.86%), FR (2.86%), and IE (1.43%).

Table 7 - Comparison Between home.nest.com and home.ft.nest.com Geo Distribution

home.nest.com home.ft.nest.com

Several Nest-related API FQDNs were also observed. The Nest API is a near real-time data API, offering
subscription-based access to data shared by Nest devices. With the Nest API, you can build clients that access
Nest device data, and get the ability to read or write shared data values as detailed in Table 8 - Nest API
Endpoints and Features.

Table 8 - Nest API Endpoints and Features

ENDPOINT FEATURE

Nest Learning Thermostat
- View current temperature
- View or set target temperature
- Set fan timer
- View or set temperature mode
- View humidity
- View online status and last connection information

Nest Protect Smoke + CO Alarm
- View CO or smoke status
- View battery health state
- View last manual test status and timestamp for last manual test
- View online status and last connection information

Home
- View a list of devices in the home
- View energy event status (Rush Hour Rewards)
- View or set Away state
- View postal or zip code
- Set ETA
- Write your product data to the Nest service with the Resource Use API and share your energy savings in the Nest Energy Report

Another Nest-related domain observed in our research was weather.nest.com which is used to sync local weather
information to Nest thermostats. A consistent and high query volume was observed for the FQDN as depicted in
Figure 18 - OpenDNS Investigate DNS Queries for weather.nest.com.

Figure 18 - OpenDNS Investigate DNS Queries for weather.nest.com

Like other Nest FQDNs, the weather.nest.com domain also utilizes an Amazon ELB CNAME for its address and its
nameserver as seen in Figure 19 - OpenDNS Investigate IP and NS Information for weather.nest.com.

Figure 19 - OpenDNS Investigate IP and NS Information for weather.nest.com

DROPCAM
Dropcam devices have three distinct types of FQDNs. Those related to the API (e.g. nexusapi.dropcam.com), those
related to the video camera communication initiation (e.g. nexus.dropcam.com) and those related to the video
camera streaming platform (e.g. oculus10-vir.dropcam.com).

The nexusapi.dropcam.com FQDN is the primary API for interacting with the Dropcam service. Documentation is
sparse with the exception of the beta API announcement in June 201416. The API can provide information about
Dropcam devices, their configuration, and activity associated with those devices. The API is RESTful and uses
HTTP verbs, with all endpoints and API communication over HTTPS. The requests and responses are delivered in
JSON format.

16 http://blog.dropcam.com/dropcam-api-beta-program/

According to an AWS case study, Dropcam uses a Python web framework for Dropcam.com and the API servers
used by iPhone and Android applications. The stack includes a Postgres database running on an Amazon EC2
instance with Amazon Elastic Block Store (Amazon EBS). All services run in multiple Availability Zones in the US
East (Northern Virginia) Region17.

Figure 20 - OpenDNS Investigate DNS Queries for nexusapi.dropcam.com depicts the total amount of traffic
observed across the OpenDNS global infrastructure for the nexusapi.dropcam.com FQDN - with queries following a
clear diurnal pattern and peaking at more than 36,000 queries.

Figure 20 - OpenDNS Investigate DNS Queries for nexusapi.dropcam.com

17 http://aws.amazon.com/solutions/case-studies/dropcam/

A wide field of industry verticals is represented in the DNS queries observed, as depicted in Figure 21 - Industry
Verticals Querying for nexusapi.dropcam.com. This leads us to believe that employees likely have the Dropcam
app installed on their mobile devices and that there may be frequent and automated polling of the API to register
status.

Figure 21 - Industry Verticals Querying for nexusapi.dropcam.com

During our research, we located detailed analyses of reverse engineering the Dropcam devices. Two blog posts from
Include Security in March18 and April19 2014 form the basis of our taxonomy for evaluating the FQDNs that
Dropcam cameras use to communicate with the company’s infrastructure.

According to the blog posts, most of the device’s messages (sent using the “Droptalk” protocol) contain protocol
buffers which can be decoded. The nexus.dropcam.com server always replies with a redirect to an “oculus”
server. The client then connects to the “oculus” server and sends another HELLO packet. Most of the configuration
options in the Dropcam web interface correspond to Droptalk messages that are sent to the camera. When the
server is ready to receive data, it sends a START_STREAM message with some video parameters in it. Video data is
sent from the camera in RTP Droptalk messages containing RTP formatted video data20.

Looking at Figure 22 - OpenDNS Investigate Information for nexus.dropcam.com, we notice a more consistent DNS
query pattern that doesn’t follow a typical diurnal pattern. This pattern appears to be more consistent with a steady
transfer of real-time video traffic from deployed cameras to Dropcam’s cloud infrastructure.

Figure 22 - OpenDNS Investigate Information for nexus.dropcam.com

18 http://blog.includesecurity.com/2014/03/Reverse-Engineering-Dropcam-Communications.html
19 http://blog.includesecurity.com/2014/04/reverse-engineering-dropcam-rooting-the-device.html
20 http://blog.includesecurity.com/2014/04/reverse-engineering-dropcam-rooting-the-device.html

The industry verticals contacting nexus.dropcam.com are depicted in Figure 23 - Industry Vertical by Origin
Query Country for nexus.dropcam.com. The thickness of the ribbon reflects the number of employees by company
and industry vertical.

Figure 23 - Industry Vertical by Origin Query Country for nexus.dropcam.com

If we look at one of the ‘oculus’ FQDNs, likely used to balance video streaming for localized geographic locations,
we can see spikes in queries as depicted in Figure 24 - OpenDNS Investigate Information for
oculus10-vir.dropcam.com. These spikes may be indicative of motion or sound sensors triggering notifications and
keying off of events in the video stream.

Figure 24 - OpenDNS Investigate Information for oculus10-vir.dropcam.com

Due to the number of “oculus” hosts, we chose to show the top 30 FQDNs by DNS query count. This is depicted
in Figure 25 - Top 30 FQDNs by Industry Vertical and Company Size. The presence of healthcare, retail, and oil
and gas industry verticals is somewhat alarming, as each industry is highly regulated and widely scrutinized for the
protection of privacy-related and intellectual property information.

Figure 25 - Top 30 FQDNs by Industry Vertical and Company Size

Logitech
Logitech Desktop Messenger (LDM) is a software utility designed to keep Logitech product users up-to-date. It will
automatically update and download the latest patches, software updates, and other information pertaining to the
user’s Logitech products—such as a mouse, a keyboard, or other desktop peripherals such as a webcam.

Like other Logitech software, installing LDM is optional, and opting out won’t affect the functionality of the Logitech
peripherals. LDM is typically included with most versions of Logitech’s proprietary hardware and software.

The primary FQDN polled by LDM is updates.logitech.com. DNS queries for the FQDN can be seen in
Figure 26 - OpenDNS Investigate DNS Queries for updates.logitech.com.

Figure 26 - OpenDNS Investigate DNS Queries for updates.logitech.com

Based on the CNAME used by updates.logitech.com, depicted in Figure 27 - OpenDNS Investigate IP
information for updates.logitech.com, we can easily see that Logitech uses the managed hosting solutions
and application services provider NaviSite. According to its company website, NaviSite—a Time Warner Cable
Company—is a leading worldwide provider of enterprise-class, cloud-enabled hosting, managed applications, and
services21.

Figure 27 - OpenDNS Investigate IP information for updates.logitech.com

21 http://www.navisite.com/about-navisite

Logitech is using both NaviSite and Amazon EC2 domains as its nameservers, as seen in Figure 28 - OpenDNS
Investigate NS information for updates.logitech.com, leading us to believe that Logitech is likely leveraging the
EdgeCast CDN service being resold22 by NaviSite.

Figure 28 - OpenDNS Investigate NS information for updates.logitech.com

22 http://www.marketwired.com/press-release/navisite-partners-with-edgecast-networks-deliver-next-generation-cdn-offerings-new-content-nasdaq-navi-1243926.htm

IoT Infrastructure
In this section, we look at the infrastructure used by IoT vendors including their respective hosting providers, ASNs,
and hosting geographic location.

IoT Hosting Providers


During our analysis we observed 46 unique IoT hosting providers. The top 5 hosting providers utilized by IoT
vendors can be seen in Table 9 - Top 5 IoT Hosting Providers by Total Query Count.

Table 9 - Top 5 IoT Hosting Providers by Total Query Count

HOSTING PROVIDER TOTAL QUERY COUNT

Amazon 23,181

SoftLayer Technologies 15,992

Verizon Business 11,127

Fastly 5,208

E.I. du Pont de Nemours and Co. 1,634

A graphical depiction of the top 10 hosting providers for IoT vendors is depicted in Figure 29 - Top 10 IoT
Infrastructure Hosting Providers by Total Query Count.

Figure 29 - Top 10 IoT Infrastructure Hosting Providers by Total Query Count

Unsurprisingly, Amazon Web Services (AWS) has the highest count of DNS queries for IoT-related products. Two
interesting data points arose from the analysis. The first is that CDN company Fastly received 5,208 queries
for IoT vendors like Fitbit and Withings. This query volume shows that IoT vendors are taking the time to architect
resiliency into their respective service platforms ahead of major service disruptions.

The second finding was that E.I. du Pont de Nemours and Co., more commonly known as DuPont, was the target
of 1,634 queries. The majority of these queries were related to Samsung mobile platforms, but we also observed
queries from Dropcam and IoT platform provider Thingworx.

Autonomous Systems
An autonomous system (AS) is a collection of connected Internet protocol (IP) routing prefixes under the control of
one or more network operators on behalf of a single administrative entity that presents a common, clearly defined
routing policy to the Internet. A unique autonomous system number (ASN) is allocated to each AS for use in BGP
routing. AS numbers are important because the ASN uniquely identifies each network on the Internet23.

Looking at our data, the top five autonomous systems hosting IoT infrastructure sites are AS36351 (Softlayer
Technologies, Inc.), AS16509 (Amazon.com, Inc.), AS702 (Verizon Business/UUnet Europe), AS14618
(Amazon.com, Inc.), and AS54113 (Fastly). The total query count by AS is shown in Table 10 - Top 5 IoT
Infrastructure Autonomous Systems by Total Query Count.

Table 10 - Top 5 IoT Infrastructure Autonomous Systems by Total Query Count

AUTONOMOUS SYSTEMS TOTAL QUERY COUNT

AS36351 15,992

AS16509 11,361

AS702 11,121

AS14618 10,607

AS54113 2,513

23 Source: http://en.wikipedia.org/wiki/Autonomous_system_(Internet)

The top 10 ASNs hosting IoT infrastructure are depicted in Figure 30 - Top 10 ASNs by Query Count.

Figure 30 - Top 10 ASNs by Query Count

Geographic Location of IoT Hosting Infrastructure
There were 66 distinct countries observed hosting IoT infrastructure. The majority of IoT infrastructure (83.99%)
was hosted in the United States, with 56,957 total queries over the observed three-month period. The top 15
countries by query count are shown in Figure 31 - Top 15 IoT Country Hosting Infrastructure by Total Query
Count.

Figure 31 - Top 15 IoT Country Hosting Infrastructure by Total Query Count

The least active IoT infrastructure hosting country observed was Egypt, with only 1 query (0.0015% of total query
count), followed by Iceland and Thailand with only 2 queries (0.003%) for each country. This isn’t surprising given
the cost of IoT devices, their relatively new availability in global markets, and the absence of inexpensive hosting
infrastructures in the aforementioned countries.

Internet Neighborhood Quality
OpenDNS Security Labs identified a number of the ASNs used by IoT infrastructure as also hosting malicious
domains as detailed in Figure 32 - Count of Malicious Domains by ASN. These domains are detailed in Figure
33 - Count of Malicious Domains on ASNs Hosting IoT Infrastructure and, at the time of this writing, are being
blocked to protect the global OpenDNS customer base.

Figure 32 - Count of Malicious Domains by ASN

15,591 - the total number of malicious domains observed sharing infrastructure with legitimate IoT product
vendors’ infrastructure.

Figure 33 - Count of Malicious Domains on ASNs Hosting IoT Infrastructure

The top five ASNs hosting malicious domains are AS22773, AS20940, AS20115, AS701, and AS3356. It should
be noted that AS20940 is owned and operated by cloud services provider Akamai Technologies. The 1,835 queries
observed during our testing likely reflects the use of Akamai’s content delivery network by IoT vendors to ensure
fast delivery of content to and from the IoT vendor’s respective infrastructure. Further details about the top five
autonomous systems can be seen in Table 11 - Top 5 ASNs by Count of Blocked Malicious Domains.

Table 11 - Top 10 ASNs by Count of Blocked Malicious Domains

ASN OWNER COUNT USED BY

22773 Cox Communications, Inc. 2,899 Western Digital

20940 Akamai International, B.V. 1,835 Leapfrog

20115 Charter Communications, Ltd. 1,801 Western Digital

701 Verizon Business/UUnet 1,384 Leapfrog, Western Digital

3356 Level 3 Communications, Inc. 1,151 Logitech

Organizations need heightened awareness around IoT vendors’ choice of network neighborhoods, and how sullied
those neighborhoods are. It’s far easier for an upstream ISP, or even one of your own firewall administrators, to block
access to an IP address or subnet than to explicitly block a list of malicious domains. If not carefully scrutinized,
your ISP or firewall administrator could prevent your IoT device from communicating with its cloud or hosted service.

Similarly, IoT vendors should understand the quality of Internet neighborhood before “moving in” with their platform.
They may unwittingly find themselves guilty by association with malicious neighbors and therefore blocked.

Discovered Open Ports and Vulnerabilities


Using SHODAN we were able to identify the ports each IoT vendor left accessible on their respective
infrastructures. The same tool also surfaced sites that contained high-profile vulnerabilities in the form of services
susceptible to known Common Vulnerabilities and Exposures (CVE) entries. Only two vulnerabilities appeared
during our research: CVE-2014-0160 and CVE-2015-0204.

CVE-2014-0160 - HEARTBLEED
Only one FQDN was found to be susceptible to the attack vector detailed in CVE-2014-0160. The vulnerability,
more commonly known as Heartbleed, is a security bug in the OpenSSL cryptographic library that was disclosed on
April 7, 2014. A patch was also made available the same day.

The data obtained by a Heartbleed attack may include unencrypted exchanges between TLS parties, which is likely
to be confidential, including any form post data in users’ requests. Moreover, the confidential data exposed could
include authentication secrets such as session cookies and passwords, which might allow attackers to impersonate
a user of the service.

An attack may also reveal private keys of compromised parties, which would enable attackers to decrypt
communications (future or past stored traffic captured via passive eavesdropping, unless perfect forward secrecy is
used, in which case only future traffic can be decrypted if intercepted via man-in-the-middle attacks).

An attacker having gained authentication information may impersonate the owner after the victim has patched
Heartbleed, as long as the material is accepted (for example, until the password is changed or the private key
revoked). Heartbleed therefore constitutes a critical threat to confidentiality. However, an attacker impersonating a
victim may also alter data. Indirectly, Heartbleed’s consequences may thus go far beyond a confidentiality breach
for many systems24.

The vulnerable FQDN - sandbox.api.mnubo.com - belongs to an IoT big data and analytics vendor in Canada
named mnubo, Inc.

Though SHODAN provided us with the initial results, we verified the finding using Filippo Valsorda’s (@FiloSottile)
Heartbleed testing tool (https://filippo.io/Heartbleed/) on April 30, 2015 at 3:31 PM PDT.

Figure 34 - Heartbleed Scan Results for sandbox.api.mnubo.com on April 30, 2015 at 3:31 PM PDT

24 http://en.wikipedia.org/wiki/Heartbleed#Impact

A quick nmap scan of the FQDN shows that FTP (21/tcp), RTSP (554/tcp), and 7070/tcp are open; the last is likely
not a RealServer service as the scan indicates, but rather an easily remembered port. The results of the scan are
shown in Figure 35 - Scan Results for sandbox.api.mnubo.com.

Figure 35 - Scan Results for sandbox.api.mnubo.com

$ sudo nmap -Pn sandbox.api.mnubo.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-02 13:40 PDT


Nmap scan report for sandbox.api.mnubo.com (206.125.167.42)
Host is up (0.0040s latency).
rDNS record for 206.125.167.42: mtl.mnubo.com
Not shown: 997 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
554/tcp  open  rtsp
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds

Our research shows that only one customer queried the mnubo sandbox API. That customer, a K-12 institution in
Canada with fewer than 100 employees, is likely testing the vendor’s offerings, given that a ‘sandbox’ API is what is
being queried.

We reached out to mnubo ahead of publishing our report, and the company has since taken steps to patch the
server. Results of the same Heartbleed testing tool used before now show the server as patched, as depicted in
Figure 36 - Heartbleed Scan Results for sandbox.api.mnubo.com as of Tuesday, May 19, 2015. The company
also thanked us for bringing the matter to their attention.

Figure 36 - Heartbleed Scan Results for sandbox.api.mnubo.com as of Tuesday, May 19, 2015

CVE-2015-0204 - FREAK
Another finding was that 184 unique FQDNs were found to be susceptible to CVE-2015-0204, more commonly
referred to as the FREAK attack.

The FREAK attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Further
disclosure was coordinated by Johns Hopkins cryptography professor Matthew Green. The vulnerability is
associated with OpenSSL clients and Apple TLS/SSL clients that allow a “man-in-the-middle” attacker to
downgrade connections from “strong” RSA to “export-grade” RSA. These attacks are real and exploitable against a
shocking number of websites–including government websites25.

Servers that accept RSA_EXPORT cipher suites put their users at risk to the FREAK attack26. It is recommended
that system owners immediately disable support for TLS export cipher suites—and other cipher suites that are
known to be insecure—and enable forward secrecy.
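To make that recommendation concrete, the following added example (ours, not code from the report or from any vendor it discusses) audits a list of cipher suite names for export-grade suites, other known-weak suites, and suites without forward secrecy, and then builds a hardened Python ssl server context whose enabled suite list passes the same audit. The names in OBSERVED_SUITES are a constructed sample, not a capture from any host in the report.

```python
"""Audit TLS cipher suite names for FREAK-style weaknesses (added example)."""
import re
import ssl

# Substrings that mark a suite as weak. Covers OpenSSL-style names (EXP-RC4-MD5,
# ADH-DES-CBC3-SHA) and IANA names (TLS_RSA_EXPORT_WITH_RC4_40_MD5).
WEAK_MARKERS = ("NULL", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH", "ANON")

# TLS 1.3 suites carry no key-exchange in their name but are always ephemeral.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")


def classify_suite(name):
    """Return 'export', 'weak', 'no-pfs' or 'ok' for a single cipher suite name."""
    n = name.upper()
    if "EXP" in n:                      # EXP-..., ..._EXPORT_...: 40/56-bit keys or 512-bit RSA
        return "export"
    if any(marker in n for marker in WEAK_MARKERS):
        return "weak"
    if "DHE" in n or "EDH" in n or _TLS13.match(n):
        return "ok"                     # ephemeral key exchange => forward secrecy
    return "no-pfs"                     # static RSA key exchange: no forward secrecy


def audit_cipher_list(names):
    """Map every suite that is not 'ok' to its finding. An empty dict means clean."""
    findings = {}
    for name in names:
        verdict = classify_suite(name)
        if verdict != "ok":
            findings[name] = verdict
    return findings


# Constructed sample of what a FREAK-vulnerable server might advertise
# (illustrative names, not a capture from any host in the report).
OBSERVED_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "EXP-DES-CBC-SHA",
    "RC4-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# OpenSSL cipher string for the hardened server: ephemeral key exchange only,
# AEAD ciphers only, anonymous/NULL/MD5/RC4 explicitly excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def hardened_server_context():
    """Server-side SSLContext with export and other weak suites disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # also rules out SSLv3 (POODLE)
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def context_cipher_names(ctx):
    """Names of the suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, verdict in audit_cipher_list(OBSERVED_SUITES).items():
        print(f"{verdict:7s} {suite}")
    print("hardened context findings:",
          audit_cipher_list(context_cipher_names(hardened_server_context())))
```

The name-based classification is deliberately conservative: anything whose name mentions an export, NULL, RC4, DES or MD5 component is flagged, and a suite is only considered acceptable when its key exchange is ephemeral. The same audit run against the hardened context returns no findings, which is the property an operator should verify after changing a server’s cipher configuration.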

Table 12 - FREAK Attack Vulnerable FQDNs by Industry shows the count of industry verticals observed querying
FREAK-vulnerable IoT FQDNs.

Table 12 - FREAK Attack Vulnerable FQDNs by Industry

INDUSTRY VERTICAL                    CVE-2015-0204 VULNERABLE
Accounting/HR/Admin                  17
Biotechnology                        2
Computer Software                    20
Construction/Architecture            2
Education: College                   4
Education: K-12                      47
Energy                               42
Financial Services                   9
Food & Beverage                      14
Government                           2
Healthcare                           23
Hospitality                          1
Libraries                            1
Logistics / Transportation           1
Managed Service Providers            2
Manufacturing                        1
Media                                27
Not For Profit                       35
Retail                               18
Technology                           1
Telecommunications/ISP's             1
Transportation/Shipping/Logistics    2
Utilities                            24

25 http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
26 https://freakattack.com

An alarming number of energy (42), media (27), utilities (24), and healthcare (23) organizations in addition to
education (51) and not-for-profit (35) institutions were observed querying these potentially vulnerable systems.

WIDGETS.IOBRIDGE.COM ANALYSIS
ioBridge Web Gateways are input-output (I/O) routers that act as the interface between local devices and ioBridge’s
servers on the Internet (ioBridge cloud servers). The ioBridge web-gateway has an Ethernet connection like a home
computer that plugs into a local network and creates a connection to ioBridge’s cloud servers. The ioBridge Web
Gateways have I/O channels that enable the control and monitoring of digital inputs, analog inputs, serial data,
servos, relays, and digital outputs using web-interfaces provided by ioBridge27.

Widgets are simple function script objects that either control outputs or monitor inputs. Widgets are used on the
user’s dashboard or can be dropped into a website using the embed code28. Queries to widgets.iobridge.com were
observed from a food and beverage company in the United States that operates a large number of restaurants
in airports around North America. Also observed from this particular customer were queries to Fitbit, Samsung
mobile, Logitech, and SmartThings FQDNs. Figure 37 - OpenDNS Investigate DNS Queries for widgets.iobridge.com
depicts the DNS queries for the ioBridge widget FQDN.

Figure 37 - OpenDNS Investigate DNS Queries for widgets.iobridge.com

27 http://connect.iobridge.com/docs
28 http://connect.iobridge.com/docs/widgets/

To confirm our findings we analyzed the widgets.iobridge.com FQDN using Qualys© SSL Labs’ online scanner. The
results can be seen in Figure 38 - SSL Scan Results for widgets.iobridge.com.

Figure 38 - SSL Scan Results for widgets.iobridge.com

As indicated in the figure, the widgets.iobridge.com system did not fare well, receiving an F from Qualys. Figure 39
- Cipher Suites for widgets.iobridge.com shows more details about the poor score.

Figure 39 - Cipher Suites for widgets.iobridge.com

The platform itself supports a number of known weak and insecure ciphers that could be exploited to eavesdrop
on the host’s and users’ communication with the platform. The weak and insecure ciphers could also be exploited
on the server side to allow a remote tunnel back into the organization’s network.

The widgets.iobridge.com server has a number of services running, including FTP (21/tcp), HTTP/HTTPS
(80/443/tcp), RTSP (554/tcp), and others, as shown in Figure 40 - Scan Results for widgets.iobridge.com. Any of
these could potentially be exploited to gain access to the widgets server.

Figure 40 - Scan Results for widgets.iobridge.com

$ sudo nmap -PO widgets.iobridge.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-02 13:08 PDT
Nmap scan report for widgets.iobridge.com (67.227.144.220)
Host is up (0.089s latency).
rDNS record for 67.227.144.220: host.sstudiocz.net
Not shown: 994 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
554/tcp   open  rtsp
7070/tcp  open  realserver
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds

AXEDA.COM ANALYSIS
Axeda, a PTC Inc. company, provides cloud-based service and software for managing and implementing
connected products. The Axeda IoT Cloud Service includes:

• Axeda Connect - IoT Connectivity Middleware
• Axeda Build - IoT Application Enablement Platform
• Axeda Manage - Connected Machine Management Applications

The axeda.com FQDNs use a descriptive company name for their customers’ instances. The format is as follows:

<companyname>.axeda.com

For example, if your company were named Alice & Bob’s Cryptography Warehouse, there is a high likelihood that
your axeda.com hostname would be aliceandbob, abcrypto, abcw, or some other derivative of the company name.
Though easy to remember, this naming convention does expose Axeda’s customers to profiling.

A US-based healthcare organization with more than 6,000 employees was observed querying several vulnerable
axeda.com FQDNs. The first SSL scorecard can be seen in Figure 41 - SSL Scan Results for First axeda.com
FQDN.

Figure 41 - SSL Scan Results for First axeda.com FQDN

The first axeda.com FQDN also shows a number of insecure and weak ciphers being used as depicted in Figure
42 - Cipher Suites for First axeda.com FQDN.

Figure 42 - Cipher Suites for First axeda.com FQDN

As shown in Figure 43 - Scan Results for First axeda.com FQDN, the listening ports on the server are not unlike
those detected in Figure 40 - Scan Results for widgets.iobridge.com.

Figure 43 - Scan Results for First axeda.com FQDN

$ sudo nmap -PO *****.axeda.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-02 13:23 PDT
Nmap scan report for *****.axeda.com (***.***.***.***)
Host is up (0.15s latency).
rDNS record for ***.***.***.***: *****.axeda.com
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 12.68 seconds

This similar service fingerprint could indicate use of the same Linux or BSD-based operating system distribution
across both companies.

The second axeda.com FQDN didn’t fare much better on its scorecard as seen in Figure 44 - SSL Scan Results
for Second axeda.com Domain.

Figure 44 - SSL Scan Results for Second axeda.com Domain

The scorecard also points to various insecure and weak ciphers being used as shown in Figure 45 - Cipher Suites
for First axeda.com Domain.

Figure 45 - Cipher Suites for First axeda.com Domain

The primary difference between the first and second axeda.com FQDNs tested, however, relates to the greater
number of listening services on the second FQDN, as shown in Figure 46 - Scan Results for Second axeda.com
FQDN. We are currently unsure whether the server serves a different purpose than the first device, or whether it was
simply overlooked during configuration and hardening.

Figure 46 - Scan Results for Second axeda.com FQDN

$ sudo nmap -PO *****.axeda.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-02 13:34 PDT
Nmap scan report for *****.axeda.com (***.***.***.***)
Host is up (0.12s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
25/tcp   filtered smtp
80/tcp   open     http
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
7070/tcp open     realserver

Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds

Another interesting data point is that not all of the observed axeda.com FQDNs were vulnerable to CVE-2015-0204.
In fact, we observed queries to 24 other unique axeda.com FQDNs that were not vulnerable. Ten of those 24 FQDNs
map directly to customers publicly disclosed via the axeda.com website’s “Customers” section29. Those customers
are Dedicated Computing, Elekta, Gerber Scientific, Hil-Rom, Leica Microsystems, Medrad, SGI, Talaris, and
Waters Corporation.

29 http://www.axeda.com/community/customers/all

The full list of non-vulnerable FQDNs queried by customer verticals and the hosted IoT infrastructure can be
viewed in Figure 47 - Vertical by Axeda Queried FQDN by IoT Hosting Infrastructure.

Figure 47 - Vertical by Axeda Queried FQDN by IoT Hosting Infrastructure

WD2GO.COM ANALYSIS
Of these 184 FQDNs, the majority (44.6% / 82 total) were associated with Western Digital and its My Cloud™
personal cloud storage device. We verified several of the My Cloud™ personal cloud FQDNs using the Qualys©
SSL Labs scanner and found some alarming results.

My Cloud™ FQDNs follow a distinct format that includes the customer-chosen device name, a device ID with a
series of digits, and a domain of .wd2go.com.

<customer-chosen name>.deviceXXXXXXX.wd2go.com

An example of this domain convention would be:

andrewcloud.device1234567.wd2go.com

Where andrewcloud is the device name and device1234567 is the device identifier.

More information regarding the configuration of your personal cloud storage device can be found at
http://www.wdc.com/wdproducts/library/UM/ENG/4779-705058.pdf.

Some examples of observed domains include abucloud.device1808693.wd2go.com, as depicted in Figure 48 -
OpenDNS Investigate Information for abucloud.device1808693.wd2go.com.

Figure 48 - OpenDNS Investigate Information for abucloud.device1808693.wd2go.com

The device name can be set to anything as the deviceXXXXXXX portion of the FQDN appears to exist to prevent
collisions and allow for uniqueness. The configuration screen for the Western Digital devices is depicted in Figure
49 - My Book® Live™ Personal Cloud Storage System Settings.

Figure 49 - My Book® Live™ Personal Cloud Storage System Settings

Not only are the My Cloud™ FQDNs vulnerable to the FREAK attack, shown in Figure 50 - SSL Scan Results for
Western Digital My Cloud™ Storage FQDNs, but they are also vulnerable to the POODLE attack (CVE-2014-3566).

Figure 50 - SSL Scan Results for Western Digital My Cloud™ Storage FQDNs

The scorecard also shows that the device endpoints support a host of known insecure or weak SSL ciphers as seen
in Figure 51 - Cipher Suites for Western Digital My Cloud™ Storage FQDNs.

Figure 51 - Cipher Suites for Western Digital My Cloud™ Storage FQDNs

Our data shows that not all wd2go.com domains are vulnerable, however. Of the 70 unique MyCloud storage
endpoints, only 30 were found to be vulnerable to CVE-2015-0204. To visualize the data, Figure 52 - MyCloud
Storage Endpoints by Company Size and Figure 53 - MyCloud Storage Endpoints by Query Count show the
industries querying these endpoints, ordered by company size and by query count respectively. The vulnerable and
non-vulnerable queries are also illustrated as the midpoint of the alluvial diagram.

Figure 52 - MyCloud Storage Endpoints by Company Size

Figure 53 - MyCloud Storage Endpoints by Query Count

Another interesting observation related to Western Digital devices was the frequent queries to ‘orion relay’ domains.
These relay domains are used to enhance the user experience by tunnelling and load balancing file storage traffic
through Western Digital’s cloud platform. The relay FQDNs follow a more complex format than some of the other
FQDNs we observed, expressed here as a regular expression:

orionrelay(a)?([a-z]{2})?[0-9]{1,3}\.wd2go\.com

The hostname begins with orionrelay, may or may not be followed by the letter ‘a’, and, if the relay is located in a
region outside of the United States, carries the two-letter region code (e.g. ‘eu’). The hostname ends with a numeric
identifier of one to three digits.

Some examples include orionrelay2.wd2go.com, orionrelay100.wd2go.com, and orionrelayaeu1.wd2go.com.
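The two wd2go.com naming conventions described above (device endpoints and orion relays) are straightforward to parse, which is useful for building an inventory of My Cloud devices seen in DNS logs. The following is an added example written for this review, not code from the report or from Western Digital; the regular expressions are our reading of the formats given in the text, and SAMPLE_FQDNS is a constructed list using the hostnames quoted in the report plus one unrelated name.

```python
"""Parse Western Digital My Cloud (wd2go.com) hostnames (added example)."""
import re

# Device endpoints: <customer-chosen name>.device<digits>.wd2go.com
DEVICE_RE = re.compile(
    r"^(?P<name>[a-z0-9-]+)\.device(?P<device_id>\d+)\.wd2go\.com$")
# Relay endpoints: orionrelay, optional 'a', optional two-letter region, 1-3 digit index
RELAY_RE = re.compile(
    r"^orionrelay(?P<a>a)?(?P<region>[a-z]{2})?(?P<index>\d{1,3})\.wd2go\.com$")


def parse_wd2go(fqdn):
    """Classify one FQDN. Returns a dict for wd2go.com names, None otherwise."""
    f = fqdn.strip().rstrip(".").lower()
    m = DEVICE_RE.match(f)
    if m:
        return {"kind": "device", "name": m["name"], "device_id": m["device_id"]}
    m = RELAY_RE.match(f)
    if m:
        # No region code means a relay in the United States, per the report's description.
        return {"kind": "relay", "variant_a": m["a"] is not None,
                "region": m["region"], "index": int(m["index"])}
    if f == "wd2go.com" or f.endswith(".wd2go.com"):
        return {"kind": "other"}      # wd2go.com name that fits neither convention
    return None


def summarize(fqdns):
    """Inventory: device_id -> device name, and relay count per region ('us' if none)."""
    devices, relays = {}, {}
    for fqdn in fqdns:
        parsed = parse_wd2go(fqdn)
        if parsed is None:
            continue
        if parsed["kind"] == "device":
            devices[parsed["device_id"]] = parsed["name"]
        elif parsed["kind"] == "relay":
            region = parsed["region"] or "us"
            relays[region] = relays.get(region, 0) + 1
    return devices, relays


# Constructed sample: the names quoted in the report plus one unrelated FQDN.
SAMPLE_FQDNS = [
    "abucloud.device1808693.wd2go.com",
    "andrewcloud.device1234567.wd2go.com",
    "orionrelay2.wd2go.com",
    "orionrelay100.wd2go.com",
    "orionrelayaeu1.wd2go.com",
    "orionrelayaeu77.wd2go.com",
    "www.example.com",
]

if __name__ == "__main__":
    devices, relays = summarize(SAMPLE_FQDNS)
    print("devices:", devices)
    print("relays by region:", relays)
```

Keying the device inventory on the numeric device identifier rather than the user-chosen name matters because the name is free-form and can collide; the identifier is what the FQDN scheme relies on for uniqueness.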


Details about the example cloud endpoints can be seen in Figure 54 - OpenDNS Investigate and Open Port
Information for orionrelay2.wd2go.com and Figure 55 - OpenDNS Investigate and Open Port Information for
orionrelayaeu77.wd2go.com.

Figure 54 - OpenDNS Investigate and Open Port Information for orionrelay2.wd2go.com

$ sudo nmap -Pn orionrelay2.wd2go.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-11 13:22 PDT
Nmap scan report for orionrelay2.wd2go.com (198.107.148.112)
Host is up (0.0028s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
554/tcp  open  rtsp
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds

Figure 55 - OpenDNS Investigate and Open Port Information for orionrelayaeu77.wd2go.com

$ sudo nmap -Pn orionrelay100.wd2go.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-11 13:24 PDT
Nmap scan report for orionrelayaeu77.wd2go.com (54.77.142.222)
Host is up (0.15s latency).
rDNS record for 54.77.142.222: ec2-54-77-142-222.eu-west-1.compute.amazonaws.com
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds

IT Professional and Consumer Survey Results
In addition to data sourced from the OpenDNS network, this report’s scope of research also includes supplemental
statistical conclusions resulting from surveys of IT professionals and consumers–both men and women–located in
the United States.

Conducted during March and April 2015, OpenDNS surveyed more than 500 IT and security professionals and
500 consumers to measure their current sentiments and behaviors regarding IoT device usage in the workplace30.

According to the primary findings, there is a disconnect between employee awareness of existing IoT policies
and IT enforcement. While nearly 75% of the IT professionals surveyed said they currently have a defined policy
for employee-owned IoT and Internet connected devices in place, approximately 65% of the consumers surveyed
said they were not aware of an IoT policy or that they believed their companies did not have a policy in place.

Additional findings indicate:

• Further confirmation that IoT device deployment is on the rise. More than 60% of IT professionals surveyed
said their companies have future plans to deploy IoT devices. Of those who plan to deploy IoT devices:
  – 43% will deploy security and monitoring devices
  – 66% expect employee-owned IoT devices to move onto their networks, including personal electronics and
consumer IT devices.

• Mitigating controls most IT professionals have in place today aren’t necessarily going to protect their
companies from the IoT vulnerability risks described later in this report.
  – 23% of the IT professionals surveyed admitted to having no mitigating controls in place preventing someone
from connecting unauthorized devices to their company networks.
  – Approximately 54% relied on network security.
  – 43% used credentialed access only.
  – Another 35% have a separate WiFi network for unapproved or guest devices.

• IT professionals do recognize there are potential risks with IoT. Approximately 70% said they are concerned
about vulnerabilities from IoT devices in the workplace.

• However, the majority of IT professionals believe they can manage those risks. 77% feel they are prepared to
handle security issues arising from IoT devices in the workplace.

30 Survey conducted using SurveyMonkey Audience. For more details, please visit: www.surveymonkey.com/mp/audience

Implications

IoT Devices Are Everywhere


Much like smartphones and tablets before them, consumer-oriented IoT devices are moving into a corporate
setting. OpenDNS Security Labs has previously highlighted that this move is especially prominent after a major gift-
giving holiday such as Christmas.

Early adopters sanctioning IoT use are likely considered fringe cases at this time. Underprepared companies will
find they are unable to prevent the tech-savvy employee from bringing their latest toy into the office and connecting
it to the network.

Throughout this report, we have outlined numerous FQDNs used by IoT devices. The presence of these FQDNs in
an organization’s firewall, intrusion detection/prevention system, proxy, and DNS logs is an excellent indicator
that IoT devices are active on the company’s infrastructure.

Three Risks to the Enterprise


Our analysis of traffic patterns and FQDN neighborhoods related to IoT use, combined with the noted awareness
and preparedness on behalf of IT organizations can be condensed into three major risks for enterprises:

A New Attack Vector: Whether or not enterprises and users are aware, IoT devices brought into a company’s
network are connecting to the Internet, creating new avenues for remote exploitation. Lack of insight into where
these devices connect and send traffic means that they present a potential blind spot in an enterprise’s security
efforts. Because IoT devices innately bring such insecurity into a network, they should be managed like standard
enterprise IT equipment. Instead, the mentality is often to think of these devices as mostly harmless toys or
gadgets.

The Company Your Network Keeps: In their current state, even sanctioned IoT devices live mostly outside
the control of IT, because they rely on cloud and hosted network infrastructure. Without insight or controlling
measures for these devices, traffic could be–and currently is for some devices–going to network locations known
to be untrustworthy. Untrustworthy hosting or cloud subnets could result in network blocks that cripple IoT device
abilities. Some IoT devices use infrastructures that are unpatched for known vulnerabilities, which may result in
compromised user credentials, personal information, or classified company data.

Toys in the Attic: Users often seem to think of IoT devices as toys or personal gadgets. Given their prevalence in
enterprise networks, this mentality is an irresponsible approach to managing these devices. The networks on which
they live are the same environments in which enterprises run servers, firewalls, and other IT equipment, which
makes IoT just as important in terms of security. Managing IoT devices with a casual attitude could leave them
unmonitored and unpatched, which is not an approach befitting enterprise technology.

Dealing with IoT Device Deluge
The point at which IoT devices reach enterprise scale is quickly approaching. But don’t expect it to start with
inexpensive gadgets and other consumer-targeted devices. High-end machinery with monitoring and management
capabilities, like devices found in the oil and gas, healthcare, and manufacturing verticals, will inevitably be
first in line to experience (and embrace) massive IoT rollouts because of the advantages these devices offer.

Unfortunately it may only be after IoT devices prove their value that they will be scrutinized like the devices they
are–computers connected to the enterprise network, accessing enterprise data, and interoperating with enterprise
systems.

In the interim, organizations should take the time to sanction, or at least confirm, the presence of new IoT devices
operating within their infrastructure. This requires hands-on testing to validate all communications models and
documentation for filtering via perimeter devices, host-based firewalls, proxies, and DNS. This exercise should
be treated no differently than the adoption of any new piece of networking equipment or enterprise software
application.

In assembling a plan to protect their networks that have IoT device activity, organizations also will quickly discover
that much of the vendor documentation is lacking critical information. In fact, most IoT documentation simply
states that outbound HTTP and HTTPS (80/TCP and 443/TCP) should be allowed for the device to function
properly. Documentation like this is a key indicator that the device was not designed for use within an enterprise,
and was intended instead for home or personal use. We suspect that the IoT manufacturers provide simplified
documentation aiming for a straightforward installation and configuration process, but this is unhelpful to an
enterprise.

Almost every organization in the world employs some type of host, network, and cloud-based security controls. In
fact, security spending is on the rise based on reports from several industry analyst firms. It’s probably safe to say
that any host, network, or security technology installed within the last 10 years has the ability to alert on certain
criteria–whether it’s based on a change in network traffic volume, the detection of newly installed software on an
endpoint, or queries to new and never before queried domain names. These alerts should be closely monitored for
the presence of new IoT devices, access to new platforms, and changes in traffic patterns.
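Two of the detection ideas in this section, matching DNS logs against the IoT platform FQDNs catalogued in this report and alerting on never-before-queried domain names, can be combined in a small log scanner. The following is an added example of ours, not code from the report or from OpenDNS; the log line format, the baseline set and the SAMPLE_LOG entries are constructed, and the indicator list is a handful of the domains from Appendix A. The registrable_domain helper collapses a name to its last two labels, which is a stated simplification (a production version should use the Public Suffix List).

```python
"""Scan DNS query logs for IoT platform FQDNs and first-seen domains (added example)."""
from collections import Counter

# Indicator list: a handful of the IoT domains from Appendix A of this report.
IOT_INDICATORS = {
    "wd2go.com": "Western Digital My Cloud",
    "axeda.com": "PTC Axeda platform",
    "iobridge.com": "ioBridge platform",
    "nest.com": "Nest Labs",
    "fitbit.com": "Fitbit",
    "mnubo.com": "mnubo platform",
}


def match_indicator(qname, indicators=IOT_INDICATORS):
    """Return (indicator, label) when qname is an indicator or a subdomain of one.
    The comparison respects label boundaries, so notfitbit.com is not a Fitbit hit."""
    q = qname.lower().rstrip(".")
    for indicator, label in indicators.items():
        if q == indicator or q.endswith("." + indicator):
            return indicator, label
    return None


def registrable_domain(qname):
    """Collapse a query name to its last two labels.
    Simplification (assumption): production code should use the Public Suffix List
    so that names under multi-label suffixes such as co.kr are handled correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}


def scan_dns_log(lines, baseline, indicators=IOT_INDICATORS):
    """Return (iot_hits, first_seen).

    iot_hits:   (client, qname, label) for every query touching an indicator
    first_seen: (client, registrable_domain) for domains absent from `baseline`,
                the set of domains queried before this window; it is updated in
                place so that each new domain alerts only once.
    """
    iot_hits, first_seen = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = match_indicator(rec["qname"], indicators)
        if hit:
            iot_hits.append((rec["client"], rec["qname"], hit[1]))
        domain = registrable_domain(rec["qname"])
        if domain not in baseline:
            baseline.add(domain)
            first_seen.append((rec["client"], domain))
    return iot_hits, first_seen


def hits_by_platform(iot_hits):
    """Count indicator hits per platform label, for a quick inventory view."""
    return Counter(label for _, _, label in iot_hits)


# Constructed sample data: a baseline of previously seen domains and one log window.
BASELINE = {"example.com", "windowsupdate.com"}
SAMPLE_LOG = """\
2015-05-02T13:08:01Z 10.1.4.22 www.example.com A
2015-05-02T13:08:02Z 10.1.4.22 abucloud.device1808693.wd2go.com A
2015-05-02T13:08:03Z 10.1.7.9 widgets.iobridge.com A
2015-05-02T13:08:04Z 10.1.4.22 notfitbit.com A
2015-05-02T13:08:05Z 10.1.9.3 frontdoor.nest.com A
2015-05-02T13:08:06Z 10.1.9.3 orionrelay2.wd2go.com A
""".splitlines()

if __name__ == "__main__":
    hits, new_domains = scan_dns_log(SAMPLE_LOG, set(BASELINE))
    for client, qname, label in hits:
        print(f"IoT  {client:10s} {qname} ({label})")
    for client, domain in new_domains:
        print(f"NEW  {client:10s} {domain}")
    print(hits_by_platform(hits))
```

The indicator match is a suffix match on label boundaries rather than a substring search, which keeps look-alike names such as notfitbit.com out of the IoT hit list while still catching every subdomain of a listed platform. The first-seen check is the simplest form of the "never before queried domain" alert the text describes: the baseline is a set of registrable domains, and a domain alerts exactly once, on the first client that resolves it.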

OpenDNS Security Labs recommends that organizations pressure IoT device manufacturers and platform vendors
and demand detailed, hosted asset classification. To properly assess the risk introduced by adding a new device to
the network, the organization must fully understand the following:

• Who is responsible for the storage, resilience, and protection of data
• What data is being sent and stored, and how long it is retained
• What traffic patterns look like for IoT devices and platforms
• How frequently updates are released
• How customers are notified of updates
• How updates are applied
• How, and to where, the device communicates
• Why it communicates regularly
• What the SLAs are with regards to the storage of data and continuity of service
• What the lifecycle of the IoT device or platform looks like

We hope you have received value from our in-depth research into the world of IoT. We’ve only scratched the
surface of IoT’s foray into the enterprise space, and we will continue to expand the scope of our research over the
coming weeks, months, and years. OpenDNS Security Labs will also post timely and interesting analysis of IoT
devices and platforms on our research blog located at https://labs.opendns.com/blog. The first blog post in this
new series will be a more detailed look at our Samsung Smart TV findings.

Any questions about the data or methodology used in this research should be addressed to Andrew Hay, Director
of Security Research, OpenDNS, [email protected].

Appendix A: Index of Assessed Companies
COMPANY NAME | DOMAIN(S) TESTED | IOT CATEGORIES | IOT TYPE
Honeywell Security Alarmnet | alarmnet.com | Security & Monitoring | Alarm System
Fitbit | android-client.fitbit.com, api.fitbit.com, client.fitbit.com, fitbit.com, iphone-api.fitbit.com, iphone-client.fitbit.com, iphone-softclient.fitbit.com | Personal Electronics | Fitness
Nike | api.runkeeper.com, nikeplus.com | Personal Electronics | Fitness
Xively (f.k.a. Cosm and Pachube), a division of LogMeIn Inc. | api.xively.com, xively.com | Platform | IoT Management Platform
Arrayent | arrayent.com, api2.arrayent.com | Platform | IoT Management Platform
Cloud Your Car | cloudyourcar.com, app.cloudyourcar.com | Platform | IoT Management Platform
Amazon | atv-ext.amazon.com, updates.amazon.com | Consumer Appliances | Entertainment
August | august.com | Security & Monitoring | Physical Locks
PTC | axeda.com, thingworx.com | Platform | IoT Management Platform
Ayla Networks | aylanetworks.com | Platform | IoT Management Platform
Bug Labs | buglabs.net, dweet.io | Platform | IoT Management Platform
Chamberlain | chamberlain.com | Security & Monitoring | Physical Locks
Philips | cpp.philips.com, ecdinterface.philips.com, meethue.com, vm1.cpp.philips.com | Various | Various
Nest Labs, a division of Google | devices.nest.com, frontdoor.nest.com, nest.com, production.nest.com, weather.nest.com | Home/Office Automation, Security & Monitoring | HVAC
Nest Labs, a division of Google | dropcam.com | Security & Monitoring | Audio/Video
Echelon Corporation | echelon.com | Home/Office Automation | Power Management, HVAC
Ecobee | ecobee.com | Home/Office Automation | HVAC
Etherios, Inc., a Division of Digi International | etherios.com | Platform | IoT Management Platform
Vera Control, Ltd. | getvera.com | Security & Monitoring | Audio/Video
Insteon | insteon.com | Various | Various
ioBridge, Inc. | iobridge.com | Platform | IoT Management Platform
Lowe’s | irissmarthome.com | Various | Various
Spectrum Brands, Inc. | kwikset.com | Security & Monitoring | Physical Locks
LeapFrog Enterprises, Inc. | leapfrog.com | Personal Electronics | Toys
LiFi Labs, Inc. | lifx.co | Home/Office Automation | Power Management
Logitech | logitech.com | Various | Various
Lutron Electronics Co., Inc. | lutron.com | Various | Various
Rest Devices, Inc. | mimobaby.com | Personal Electronics | Gadgets
mnubo inc. | mnubo.com | Platform | IoT Management Platform
Emerson Electric Co. | mycomfortguard.com | Home/Office Automation | HVAC
D-Link Corporation | mydlink.com | Various | Various
PEQ | mypeq.com | Platform | IoT Management Platform
Whirlpool | mysmartappliances.com | Consumer Appliances | Large Appliances
Sensi | mythermostat.sensicomfort.com | Home/Office Automation | HVAC
Belkin International, Inc. | netcam.belkin.com | Security & Monitoring | Audio/Video
Ingersoll-Rand, Plc. | nexiahome.com | Platform | IoT Management Platform
OpenRemote Inc. | openremote.com | Platform | IoT Management Platform
Proliphix | proliphix.com | Various | Various
Rachio | rach.io | Home/Office Automation | External Home/Office
Samsung | samsungapps.com, samsungosp.com, tvapps.samsung.com, az43064.vo.msecnd.net, cdn.samsungcloudsolution.com, d1jwpcr0q4pcq0.cloudfront.net, echo.internetat.tv, fkp.samsungcloudsolution.com, infolink.pavv.co.kr, lcprd1.samsungcloudsol.com, lcprd1.samsungcloudsolution.net, lcstg2.samsungcloudsolution.net, ns11.whois.co.kr, otnprd10.samsungcloudsolution.net, otnprd11.samsungcloudsolution.net, prov.samsungcloudsolution.com, time.samsungcloudsolution.com, usecho.internetat.tv, www.samsungotn.net, xpu.samsungelectronics.com | Consumer Appliances | Entertainment
Sine-Wave Technologies, Inc. | sine-wave.com | Platform | IoT Management Platform
SmartThings, Inc. | smartthings.com | Platform | IoT Management Platform
LG Electronics | smartthinq.com | Platform | IoT Management Platform
Western Digital Corporation | wd2go.com | Personal Electronics | Gadgets
Wink, Inc. | wink.com | Platform | IoT Management Platform
Withings | withings.com | Personal Electronics | Various
ZIH Corp | zatar.com | Platform | IoT Platform

Appendix B: SHODAN Data Features Utilized
FEATURE | DESCRIPTION
ASN | Autonomous System(s) where the server is hosted.
Data | Includes information about the application server(s), banners, and certificate related information.
Hostnames | The FQDN of the host.
IP String | The IP address of the host.
ISP | The infrastructure provider hosting the Internet accessible site.
Last Update | The last time the site was scanned by SHODAN.
Latitude / Longitude | The geographic coordinates of the host.
Organization | The organization that owns the host.
Operating System | The operating system installed on the host.
Ports | The ports determined to be accessible on the host.
Vulnerabilities | Whether or not the host is determined to be vulnerable to CVE-2014-0160, CVE-2013-1899, CVE-2013-1391, CVE-2015-2080, or CVE-2015-0204

OpenDNS, Inc. | www.opendns.com | 1.877.811.2367


© Copyright 2015 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any
electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable,
however, OpenDNS, Inc. assumes no responsibility for its use. 052915
