In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, Github and other major brands. Threat actors inserted Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

Tsunami on the Horizon

Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets and basically anywhere connectivity does. In 2020, the average American household had access to 10 devices. If the average US home has 2.6 people, how many IoT devices are connected to a 1,000-employee company?

Fast production times and short life spans make the IoT explosion a worry for security teams. Older devices still in use may no longer receive security updates. And new devices still represent a major risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data in sensors for smartwatches, cars, fire detectors, patient monitoring and security systems. This mass vulnerability left over 100 million devices exposed.

Many companies worry about increased cyber risk due to remote and hybrid work structures. However, the massive IoT attack surface should also rank high on the list of concerns.

IoT Security Threat Impact

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices or build botnets. They may even reach corporate assets from a device connected to a home network where remote work occurs.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise victim IoT devices. From there, attackers could eavesdrop on live audio, watch real-time video and steal device credentials for deeper network penetration.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also take into account their IoT ecosystem. Some think malware that hijacks or locks down devices can be stopped by rebooting the device. But if you reboot even a simple IoT lightbulb, you might end up exposing your network, as we’ll see later.

Will Regulation Solve It?

Since both security and privacy issues are at stake, IoT regulation is of acute interest to regulatory bodies. A major international effort is working to establish IoT security standards. As of now, the reigning guidance on this in the U.S. is from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates the procurement of such devices by the government.

As many devices or device parts come from overseas, regulation becomes even more complex. Bottom line? Regulation alone won’t protect your digital assets.

The Problem With the Connected Light Bulb

Even a smart light bulb could be a network vulnerability endpoint. How might this happen? Here’s how it works:

  1. Attackers take over lightbulb function at a distance. They can then change bulb brightness or make it turn on and off. This leads you to think the bulb isn’t working. On the control app, the bulb appears as unreachable.
  2. If the owner reboots the bulb and the app rediscovers it, the attacker can add a compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network infiltration and malware propagation.

Folk Wisdom About Securing IoT, Effective or Not?

Conventional methods typically suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both capital and lowercase letters, numbers and symbols.
  • Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network unauthorized users can’t reach. Ideally, you should decommission, destroy or recycle unpatchable devices.

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be useful, one may cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.

Zero Trust Best Practices for IoT Security

The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.

For example, zero trust architecture takes the perimeter to its furthest end, be it a user, device, application or API trying to gain network access. You should be able to deny access as the default position until identity and authenticity can be verified.

For businesses adopting a zero trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud-delivered security at the edge, closer to users and devices that access corporate resources. This brings together software-defined networking and network security into a single, cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will seek solutions, like zero trust, to stay secure.

more from Application Security

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…