In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, GitHub and other major brands. Threat actors used Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies and launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

Tsunami on the Horizon

Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets and basically anywhere connectivity does. In 2020, the average American household had access to 10 devices. If the average US home has 2.6 people, how many IoT devices are connected to a 1,000-employee company?

Fast production times and short life spans make the IoT explosion a worry for security teams. Older devices still in use may no longer receive security updates. And new devices still represent a major risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data from sensors in smartwatches, cars, fire detectors, patient monitoring and security systems. This mass vulnerability left over 100 million devices exposed.

Many companies worry about increased cyber risk due to remote and hybrid work structures. However, the massive IoT attack surface should also rank high on the list of concerns.

IoT Security Threat Impact

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices or build botnets. They may even reach corporate assets from a device connected to a home network where remote work occurs.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise victim IoT devices. From there, attackers could eavesdrop on live audio, watch real-time video and steal device credentials for deeper network penetration.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also take into account their IoT ecosystem. Some think malware that hijacks or locks down devices can be stopped by rebooting the device. But if you reboot even a simple IoT lightbulb, you might end up exposing your network, as we’ll see later.

Will Regulation Solve It?

Since both security and privacy issues are at stake, IoT regulation is of acute interest to regulatory bodies. A major international effort is working to establish IoT security standards. As of now, the reigning guidance on this in the U.S. is from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates the procurement of such devices by the government.

As many devices or device parts come from overseas, regulation becomes even more complex. Bottom line? Regulation alone won’t protect your digital assets.

The Problem With the Connected Light Bulb

Even a smart light bulb could be a network vulnerability endpoint. How might this happen? Here’s how it works:

  1. Attackers take over light bulb functions at a distance. They can then change the bulb's brightness or make it turn on and off. This leads you to think the bulb isn't working. On the control app, the bulb appears as unreachable.
  2. If the owner reboots the bulb and the app rediscovers it, the attacker can add a compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network infiltration and malware propagation.

Folk Wisdom About Securing IoT, Effective or Not?

Conventional methods typically suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both capital and lowercase letters, numbers and symbols.
  • Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network unauthorized users can’t reach. Ideally, you should decommission, destroy or recycle unpatchable devices.

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be useful, one may cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.

Zero Trust Best Practices for IoT Security

The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.

For example, zero trust architecture takes the perimeter to its furthest end, be it a user, device, application or API trying to gain network access. You should be able to deny access as the default position until identity and authenticity can be verified.
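The default-deny stance described above, applied to the light bulb rediscovery scenario from earlier, as an added example that is not part of the original article: a controller admits a device only when its pinned identity and firmware level check out, so a bulb that comes back after a reboot with a different key is refused rather than re-admitted. Device IDs, keys and firmware levels are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple


def fingerprint(pubkey_pem: bytes) -> str:
    """SHA-256 over the device's public key, pinned at onboarding time."""
    return hashlib.sha256(pubkey_pem).hexdigest()


def parse_firmware(version: str) -> tuple:
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Constructed inventory: the only devices that may ever be admitted (default deny for everything else).
INVENTORY = {
    "bulb-01": {"fingerprint": fingerprint(b"CONSTRUCTED-KEY-bulb-01"),
                "min_firmware": parse_firmware("2.1.0"), "segment": "iot-lighting"},
    "cam-07": {"fingerprint": fingerprint(b"CONSTRUCTED-KEY-cam-07"),
               "min_firmware": parse_firmware("5.0.2"), "segment": "iot-cameras"},
}


@dataclass
class DeviceClaim:
    device_id: str
    pubkey_pem: bytes      # key presented during (re)discovery
    firmware: tuple        # version reported by the device
    rediscovered: bool     # True when the controller re-found a device that had dropped off


def admit(claim: DeviceClaim) -> Tuple[bool, str]:
    """Default deny: every check must pass before the device is placed on its segment."""
    record = INVENTORY.get(claim.device_id)
    if record is None:
        return False, "deny: unknown device id"
    if fingerprint(claim.pubkey_pem) != record["fingerprint"]:
        # Same name, different key: after a reboot this is the swapped-bulb case, so alert instead of trusting it.
        suffix = " on rediscovery, investigate" if claim.rediscovered else ""
        return False, "deny: identity mismatch" + suffix
    if claim.firmware < record["min_firmware"]:
        # Known device, stale firmware: keep it off the main segment until patched.
        return False, "deny: firmware below minimum, quarantine to patch segment"
    return True, "allow: segment " + record["segment"]


if __name__ == "__main__":
    print(admit(DeviceClaim("bulb-01", b"CONSTRUCTED-KEY-bulb-01", parse_firmware("2.1.0"), False)))
    print(admit(DeviceClaim("bulb-01", b"CONSTRUCTED-KEY-other", parse_firmware("2.1.0"), True)))
```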

For businesses adopting a zero trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud-delivered security at the edge, closer to users and devices that access corporate resources. This brings together software-defined networking and network security into a single, cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will seek solutions, like zero trust, to stay secure.
