In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, Github and other major brands. Threat actors inserted Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

Tsunami on the Horizon

Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets and basically anywhere connectivity does. In 2020, the average American household had access to 10 devices. If the average US home has 2.6 people, how many IoT devices are connected to a 1,000-employee company?

Fast production times and short life spans make the IoT explosion a worry for security teams. Older devices still in use may no longer receive security updates. And new devices still represent a major risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data in sensors for smartwatches, cars, fire detectors, patient monitoring and security systems. This mass vulnerability left over 100 million devices exposed.

Many companies worry about increased cyber risk due to remote and hybrid work structures. However, the massive IoT attack surface should also rank high on the list of concerns.

IoT Security Threat Impact

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices or build botnets. They may even reach corporate assets from a device connected to a home network where remote work occurs.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise victim IoT devices. From there, attackers could eavesdrop on live audio, watch real-time video and steal device credentials for deeper network penetration.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also take into account their IoT ecosystem. Some think malware that hijacks or locks down devices can be stopped by rebooting the device. But if you reboot even a simple IoT lightbulb, you might end up exposing your network, as we’ll see later.

Will Regulation Solve It?

Since both security and privacy issues are at stake, IoT regulation is of acute interest to regulatory bodies. A major international effort is working to establish IoT security standards. As of now, the reigning guidance on this in the U.S. is from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates the procurement of such devices by the government.

As many devices or device parts come from overseas, regulation becomes even more complex. Bottom line? Regulation alone won’t protect your digital assets.

The Problem With the Connected Light Bulb

Even a smart light bulb could be a network vulnerability endpoint. How might this happen? Here’s how it works:

  1. Attackers take over lightbulb function at a distance. They can then change bulb brightness or make it turn on and off. This leads you to think the bulb isn’t working. On the control app, the bulb appears as unreachable.
  2. If the owner reboots the bulb and the app rediscovers it, the attacker can add a compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network infiltration and malware propagation.

Folk Wisdom About Securing IoT, Effective or Not?

Conventional methods typically suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both capital and lowercase letters, numbers and symbols.
  • Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network unauthorized users can’t reach. Ideally, you should decommission, destroy or recycle unpatchable devices.

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be useful, one may cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.

Zero Trust Best Practices for IoT Security

The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.

For example, zero trust architecture takes the perimeter to its furthest end, be it a user, device, application or API trying to gain network access. You should be able to deny access as the default position until identity and authenticity can be verified.

For businesses adopting a zero trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud-delivered security at the edge, closer to users and devices that access corporate resources. This brings together software-defined networking and network security into a single, cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will seek solutions, like zero trust, to stay secure.

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…