In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, Github and other major brands. Threat actors inserted Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are out there waiting for a breach? Today, about 12.3 billion devices connect to the internet worldwide. What about the devices you might have forgotten about? Can they still connect to your network? What’s the risk? Even more importantly, what can you do about it? Let’s find out.

Tsunami on the Horizon

Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets and basically anywhere connectivity does. In 2020, the average American household had access to 10 devices. If the average US home has 2.6 people, how many IoT devices are connected to a 1,000-employee company?

Fast production times and short life spans make the IoT explosion a worry for security teams. Older devices still in use may no longer receive security updates. And new devices still represent a major risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data in sensors for smartwatches, cars, fire detectors, patient monitoring and security systems. This mass vulnerability left over 100 million devices exposed.

Many companies worry about increased cyber risk due to remote and hybrid work structures. However, the massive IoT attack surface should also rank high on the list of concerns.

IoT Security Threat Impact

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices or build botnets. They may even reach corporate assets from a device connected to a home network where remote work occurs.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise victim IoT devices. From there, attackers could eavesdrop on live audio, watch real-time video and steal device credentials for deeper network penetration.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also take into account their IoT ecosystem. Some think malware that hijacks or locks down devices can be stopped by rebooting the device. But if you reboot even a simple IoT lightbulb, you might end up exposing your network, as we’ll see later.

Will Regulation Solve It?

Since both security and privacy issues are at stake, IoT regulation is of acute interest to regulatory bodies. A major international effort is working to establish IoT security standards. As of now, the reigning guidance on this in the U.S. is from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates the procurement of such devices by the government.

As many devices or device parts come from overseas, regulation becomes even more complex. Bottom line? Regulation alone won’t protect your digital assets.

The Problem With the Connected Light Bulb

Even a smart light bulb could be a network vulnerability endpoint. How might this happen? Here’s how it works:

  1. Attackers remotely take over the light bulb’s functions. They can then change its brightness or switch it on and off, which leads you to think the bulb isn’t working. On the control app, the bulb appears as unreachable.
  2. If the owner reboots the bulb and the app rediscovers it, the attacker can add a compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network infiltration and malware propagation.

Folk Wisdom About Securing IoT, Effective or Not?

Conventional methods typically suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both capital and lowercase letters, numbers and symbols.
  • Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network unauthorized users can’t reach. Ideally, you should decommission, destroy or recycle unpatchable devices.
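Two of the tips above (blocking connections to addresses on a threat feed, and keeping IoT devices on a segment that cannot reach the rest of the network) can be checked against network flow logs. The script below is an added example, not part of the original article: it reads constructed flow records, matches destinations against a constructed indicator list (RFC 5737 documentation addresses, not real indicators) and flags any flow that crosses from the assumed IoT segment (10.20.0.0/16) into the assumed corporate segment (10.10.0.0/16). The log format, segment ranges and feed entries are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed threat feed: documentation ranges standing in for real indicators.
THREAT_FEED = [
    "198.51.100.23",     # single host
    "203.0.113.0/24",    # whole range
]

# Constructed segmentation plan: IoT devices must never reach the corporate segment directly.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records: "timestamp src dst dport proto" (assumed export format).
SAMPLE_FLOWS = """\
2021-09-01T10:00:01Z 10.20.4.17 192.0.2.10 443 tcp
2021-09-01T10:00:05Z 10.20.4.17 198.51.100.23 8080 tcp
2021-09-01T10:00:09Z 10.20.7.2 203.0.113.77 23 tcp
2021-09-01T10:00:12Z 10.20.7.2 10.10.3.50 445 tcp
2021-09-01T10:00:15Z 10.10.3.50 192.0.2.10 443 tcp
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def load_feed(entries: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn feed entries (hosts or CIDRs) into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def parse_flow(line: str):
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def analyze(flow_text: str, feed_entries: List[str] = THREAT_FEED) -> List[Finding]:
    """Return one Finding per policy violation seen in the flow records."""
    nets = load_feed(feed_entries)
    findings: List[Finding] = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = parse_flow(line)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if is_listed(dst, nets):
            findings.append(Finding(ts, src, dst, dport, "destination on threat feed"))
        if s in IOT_SEGMENT and d in CORP_SEGMENT:
            findings.append(Finding(ts, src, dst, dport, "IoT segment reached corporate segment"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample records, the second and third flows are flagged by the feed (the third via the /24 entry) and the fourth is flagged as a segmentation violation; the two flows to 192.0.2.10 produce nothing. In practice the feed would be refreshed on a schedule and the segment ranges taken from the network inventory rather than hard-coded.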

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be useful, one may cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.

Zero Trust Best Practices for IoT Security

The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.

For example, zero trust architecture takes the perimeter to its furthest end, be it a user, device, application or API trying to gain network access. You should be able to deny access as the default position until identity and authenticity can be verified.
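The default-deny position described above can be expressed as a small policy check that every device request must pass before access is granted. The code below is an added example, not the article’s own or any vendor’s implementation: it assumes a device context (a verified certificate identity, a parsed firmware version and the time of the last successful attestation), constructed minimum-firmware and resource tables per device role, and a 24-hour attestation window. Any missing or failing check returns a denial with its reason.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class DeviceContext:
    device_id: str
    role: str                        # assumed roles: "camera", "sensor"
    identity_verified: bool          # certificate chains to the organisation's device CA
    firmware_version: Version        # parsed from the device's reported version string
    last_attested: Optional[datetime]  # None if the device has never attested


# Constructed policy tables (assumptions for the example).
MIN_FIRMWARE: Dict[str, Version] = {"camera": (2, 4, 0), "sensor": (1, 1, 0)}
ALLOWED_RESOURCES: Dict[str, Set[str]] = {
    "camera": {"video-ingest"},
    "sensor": {"telemetry-ingest"},
}
ATTEST_WINDOW = timedelta(hours=24)


def parse_version(text: str) -> Version:
    """'2.4.1' -> (2, 4, 1); tuples compare element-wise, so (2, 4, 1) >= (2, 4, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def decide(dev: DeviceContext, resource: str, now: datetime) -> Tuple[bool, str]:
    """Default deny: return (allowed, reason). Access is granted only if every check passes."""
    if not dev.identity_verified:
        return False, "identity not verified"
    if dev.last_attested is None or now - dev.last_attested > ATTEST_WINDOW:
        return False, "attestation missing or stale"
    minimum = MIN_FIRMWARE.get(dev.role)
    if minimum is None:
        return False, "unknown device role"
    if dev.firmware_version < minimum:
        return False, "firmware below minimum for role"
    if resource not in ALLOWED_RESOURCES.get(dev.role, set()):
        return False, "resource not permitted for role"
    return True, "all checks passed"


if __name__ == "__main__":
    now = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)
    cam = DeviceContext("cam-17", "camera", True, parse_version("2.4.1"), now - timedelta(hours=1))
    print(decide(cam, "video-ingest", now))      # allowed
    print(decide(cam, "telemetry-ingest", now))  # denied: wrong resource for role
```

Because the function returns a reason with each denial, the same check doubles as an audit record: a device that suddenly fails the firmware or attestation test after a reboot (the light bulb case from earlier) shows up in logs as a denied request rather than as a silently re-admitted device.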

For businesses adopting a zero trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud-delivered security at the edge, closer to users and devices that access corporate resources. This brings together software-defined networking and network security into a single, cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will seek solutions, like zero trust, to stay secure.
