Technology often outpaces the means by which we can protect that technology. The rush to develop exciting new devices, tools, and software platforms leaves security measures behind, creating massive opportunities for bad actors. One of the biggest emerging threats right now is that of the Internet of Things (IoT) – devices constantly connected to the Internet to provide an immersive, personalized user experience.
Through the end of last year, there were more than 25 billion devices connected to the Internet, and a rapidly growing number of them are appliances and other everyday devices that don’t have the security measures in place that our computers and smartphones do. To combat that, organizations are spending an increasing amount of their security budget on IoT devices, with that spending expected to reach US$6 billion by 2023.
With a growing number of personal and non-business items connected to the Internet, but without the necessary monitoring and removal tools in place, cybercriminals have found a new threat vector that is difficult to address. While IoT devices represent a significant source of innovation, they also represent an evolving security vulnerability that enterprise organizations need to address.
Threats Present in IoT Devices
There are several ways that bad actors use IoT devices to infiltrate corporate networks and access sensitive information. One of the biggest issues with IoT is that, until recently, information security was not a major consideration in the design and production of these devices. Some of the issues that this represents include:
- Implementation of custom communication protocols that can lead to denial of service attacks within IoT networks.
- Products rushed to market without sufficient testing or information security safeguards, leaving a major vector open to hackers.
- Access controls that are not required, or that do not have to be updated when the devices are set up.
- Lack of encryption for data at rest or in transit.
Because of these issues, IoT devices are being loaded up with malware that can do a number of things, including establishing botnets to trigger DDoS attacks, sending fraudulent emails to individuals within the device’s network, changing the configuration settings or privileges of the devices so that they do not operate as intended, launching other malware deeper into the network, conducting other attacks to gain access to the network at large, locking other devices, stealing data as a whole, or installing backdoors into other parts of the network to enable future access to sensitive data.
The result of these changes is that IoT-related attacks have increased dramatically in recent years. The most common attacks come against routers (34%), digital video devices (23%), and the network itself. One of the most famous of these attacks was the Mirai Botnet, which used existing login credentials to infect digital cameras, DVR devices, and other consumer-grade IoT devices and subsequently was able to run DDoS attacks against major websites like Twitter, Reddit, and CNN in 2017. Other IoT attacks prevalent in 2020 included Dark Nexus, Mukashi, Hoaxcalls, and LeetHozer. The number of botnet attacks boomed in 2020 and will continue to do so as long as the devices are relatively easy to infiltrate.
Assessing the Risk in an Enterprise Environment
For businesses in particular, the IoT-related threat is very real. Some of the most common threat vectors within IoT devices in the office include:
- Wireless Access Points (WAPs)
- Devices with Webcams and Microphones
- Printers and Scanners
- Smart TVs
- Security Cameras
- Other Smart Devices
And while enterprise security has latitude over which devices are installed and the security measures implemented to control those devices, personal devices pose an even greater potential risk. Risks here include:
- Smart Assistants – Not only are these devices (Alexa, Siri, Google Home) potential entry points for cyberattacks, but they are also often actively recording and can capture sensitive information and data when in use. It’s recommended they not be allowed in the office.
- DVRs – DVRs and other digital video devices are frequently used in conjunction with DDoS and ransomware attacks.
- Wearable Devices – These can include smartwatches, medical devices, and smart glasses, and while they have become increasingly sophisticated in terms of security, it’s important to have a clear policy about which devices are allowed and in what ways they can be used.
- Other Personal Devices – Older devices, in particular, may be constantly connected but lack the ability to patch out security vulnerabilities, so it’s important to replace them as soon as possible. These may include appliances, alarm systems, or other automation-related items.
Generally speaking, these devices don’t hold valuable information, but hackers can utilize them to attack other devices, gain access to your network, or otherwise capture credentials that they can use to access more sensitive information. The use of AI and deepfakes to access devices is growing increasingly sophisticated as well.
How to Address Ongoing IoT Security Threats and Challenges
By 2025 there will be 21.5 billion connected IoT devices and the global market will be worth US$1.1 trillion. These devices and their inherent vulnerabilities are not going away, so it’s imperative that you implement procedures and protective measures to reduce the risk to your organization. Below are five major threats from IoT devices and how companies are addressing them.
- Ransomware Attacks – Ransomware attacks have increased dramatically in the last three years, and IoT devices are among the easiest to attack. Sensible cloud-based protection is crucial to keep data safe and to prevent it from being locked by an attacker who has access to a single low-barrier device.
- Lack of Updates – Many IoT devices, especially consumer-grade ones, lack security and testing before they are released. Manufacturers are improving here, but in the meantime, know what is on your network and how well those devices’ manufacturers update and maintain their systems.
- Identity Fraud – The utilization of AI, deepfakes, and credential theft will mean a growing number of financial crimes related to IoT infiltration. It’s vital that financial companies and those that manage devices for them address issues that might conflict with compliance and operational best practices.
- Counterfeit Devices – Enterprise security teams are working tirelessly to close the perimeter and manage all devices that come into the network. But it only takes one user connecting a smart device to the office WiFi or plugging in a USB stick for the system to be infiltrated. It’s just as important to monitor consumer-grade devices like video cameras, TVs, and DVRs as it is computers and routers.
- Employee Education – This is the big one. The vast majority of cyber attacks start with a human vector – phishing attacks, poor credential management, and general ignorance of the security risks of digital activities.
To address these recurring challenges, it’s important that enterprise security professionals implement a comprehensive plan for all devices that touch their network. This includes:
- Change passwords regularly, and ensure all IoT devices have unique passwords that rotate on the same policy as any other network-connected device.
- Avoid Universal Plug & Play features that have been touted by IoT manufacturers, as the networks they create are highly susceptible to attack.
- Create additional networks specifically for IoT devices to reduce the risk of hijacking or malware implementation.
- Perform regular updates of all IoT devices, and replace any devices that cannot be updated or for which updates are not regularly released.
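One way to turn the four controls above into a recurring check over a device inventory, shown as an added example that is not part of the original article. The inventory fields, the VLAN number, and the age thresholds are assumptions, and the sample devices are constructed.

```python
from collections import Counter
from datetime import date

# Policy values are assumptions for this example, not figures from the article.
IOT_VLANS = {40}              # networks reserved for IoT devices
MAX_PASSWORD_AGE_DAYS = 90    # same rotation policy as other devices
MAX_RELEASE_GAP_DAYS = 365    # vendor silent for longer means "not regularly updated"

def audit(inventory, today):
    """Return {device name: [findings]} for devices that break a control."""
    shared = Counter(d["cred_fp"] for d in inventory)
    report = {}
    for d in inventory:
        findings = []
        if shared[d["cred_fp"]] > 1:
            findings.append("password shared with another device")
        if (today - d["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password rotation overdue")
        if d["upnp"]:
            findings.append("UPnP enabled")
        if d["vlan"] not in IOT_VLANS:
            findings.append("not on a dedicated IoT network")
        release = d["vendor_release"]  # date of latest vendor firmware, or None
        if release is None or (today - release).days > MAX_RELEASE_GAP_DAYS:
            findings.append("no regular vendor updates: replace")
        elif not d["patched"]:
            findings.append("firmware update pending")
        if findings:
            report[d["name"]] = findings
    return report

# Constructed sample inventory. cred_fp is a fingerprint of the credential
# (for example a keyed hash), never the password itself.
SAMPLE = [
    {"name": "lobby-cam", "vlan": 40, "upnp": False, "cred_fp": "f1",
     "pw_changed": date(2024, 5, 1), "vendor_release": date(2024, 4, 2), "patched": True},
    {"name": "boardroom-tv", "vlan": 10, "upnp": True, "cred_fp": "f2",
     "pw_changed": date(2024, 4, 20), "vendor_release": date(2024, 3, 1), "patched": False},
    {"name": "dvr-old", "vlan": 40, "upnp": False, "cred_fp": "f3",
     "pw_changed": date(2023, 1, 15), "vendor_release": None, "patched": False},
    {"name": "printer-2f", "vlan": 40, "upnp": False, "cred_fp": "f3",
     "pw_changed": date(2024, 5, 10), "vendor_release": date(2024, 2, 1), "patched": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(findings)}")
```

Comparing credential fingerprints rather than passwords lets the uniqueness check run without the audit tool ever holding device secrets.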
The bottom line is that IoT devices are here to stay. They represent a huge leap forward in connectivity, user experience, and accessibility both at home and in the office. But if they are not properly secured, they also represent a huge risk to enterprise networks that are otherwise so carefully secured.