In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, GitHub and other major brands. Threat actors used the Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies and launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

Tsunami on the horizon

Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets and basically anywhere connectivity does. In 2020, the average American household had access to 10 devices. If the average US home has 2.6 people, how many IoT devices are connected to a 1,000-employee company?

Fast production times and short life spans make the IoT explosion a worry for security teams. Older devices still in use may no longer receive security updates. And new devices still represent a major risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data from sensors in smartwatches, cars, fire detectors, patient monitors and security systems. The vulnerability left over 100 million devices exposed.

Many companies worry about increased cyber risk due to remote and hybrid work structures. However, the massive IoT attack surface should also rank high on the list of concerns.

IoT security threat impact

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices or build botnets. They may even reach corporate assets from a device connected to a home network where remote work occurs.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise victim IoT devices. From there, attackers could eavesdrop on live audio, watch real-time video and steal device credentials for deeper network penetration.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also take into account their IoT ecosystem. Some think malware that hijacks or locks down devices can be stopped by rebooting the device. But if you reboot even a simple IoT lightbulb, you might end up exposing your network, as we’ll see later.

Will regulation solve it?

Since both security and privacy issues are at stake, IoT regulation is of acute interest to regulatory bodies. A major international effort is working to establish IoT security standards. As of now, the reigning guidance on this in the U.S. is from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates the procurement of such devices by the government.

As many devices or device parts come from overseas, regulation becomes even more complex. Bottom line? Regulation alone won’t protect your digital assets.

The problem with the connected light bulb

Even a smart light bulb could be a network vulnerability endpoint. How might this happen? Here’s how it works:

  1. Attackers take over the bulb's functions remotely. They can then change its brightness or make it turn on and off, leading you to think the bulb isn't working. On the control app, the bulb appears as unreachable.
  2. If the owner reboots the bulb and the app rediscovers it, the attacker can add a compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network infiltration and malware propagation.

Folk wisdom about securing IoT, effective or not?

Conventional methods typically suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both capital and lowercase letters, numbers and symbols.
  • Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network unauthorized users can’t reach. Ideally, you should decommission, destroy or recycle unpatchable devices.

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be useful, one may cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.

Zero trust best practices for IoT security

The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.

For example, zero trust architecture moves the perimeter to each individual endpoint, be it a user, device, application or API trying to gain network access. Access should be denied by default until identity and authenticity have been verified.
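As an added example (not code from the original article), the following shows how a device controller could apply default-deny to the re-pairing step described in the light bulb scenario: a device that reappears under a known name but with a different hardware identity is quarantined instead of silently rejoining. The `hardware_id` field is assumed to be a stable per-device identifier (for instance a device certificate fingerprint); the device records and names are constructed sample data.

```python
"""Added example: default-deny rediscovery check for a smart-device controller.
Device names and hardware identities are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceIdentity:
    name: str         # friendly name shown in the control app
    hardware_id: str  # assumed: stable per-device identifier (e.g. cert fingerprint)


@dataclass
class Inventory:
    # Baseline of enrolled devices, keyed by the name the app displays.
    known: dict = field(default_factory=dict)
    # Devices held back for manual review instead of being admitted.
    quarantined: list = field(default_factory=list)
    # Audit trail a SOC could forward to a SIEM.
    events: list = field(default_factory=list)

    def enroll(self, dev: DeviceIdentity) -> None:
        """Pin a device's hardware identity at first, deliberate onboarding."""
        self.known[dev.name] = dev
        self.events.append(f"ENROLL {dev.name} ({dev.hardware_id})")

    def on_rediscovery(self, dev: DeviceIdentity) -> bool:
        """Called when a device reappears after being reported unreachable.

        Returns True only if the device matches its pinned identity exactly;
        anything else is denied and quarantined (zero trust default position).
        """
        baseline = self.known.get(dev.name)
        if baseline is None:
            self.quarantined.append(dev)
            self.events.append(f"DENY unknown device {dev.name} ({dev.hardware_id})")
            return False
        if baseline.hardware_id != dev.hardware_id:
            # Same name, different hardware: the 'swapped bulb' pattern.
            self.quarantined.append(dev)
            self.events.append(
                f"DENY {dev.name}: identity changed "
                f"{baseline.hardware_id} -> {dev.hardware_id}"
            )
            return False
        self.events.append(f"ALLOW {dev.name} ({dev.hardware_id})")
        return True


if __name__ == "__main__":
    inv = Inventory()
    inv.enroll(DeviceIdentity("kitchen-bulb", "hw-A1"))
    print(inv.on_rediscovery(DeviceIdentity("kitchen-bulb", "hw-A1")))  # True
    print(inv.on_rediscovery(DeviceIdentity("kitchen-bulb", "hw-ZZ")))  # False
    print("\n".join(inv.events))
```

The same pinning logic applies to any device that a control app auto-rediscovers after a reboot; the point is that rediscovery is an authentication event, not a convenience step.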

For businesses adopting a zero trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud-delivered security at the edge, closer to users and devices that access corporate resources. This brings together software-defined networking and network security into a single, cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will seek solutions, like zero trust, to stay secure.
