In 2017, the number of connected devices exceeded the global human population. That’s a lot of stuff. However, many of them were not built with security in mind. It didn’t take long for attackers to exploit vulnerabilities in the Internet of Things (IoT).
One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, GitHub, and other major brands. Threat actors used Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack on Dyn.
Fast forward to now. How many IoT devices are waiting for a breach? Today, about 12.3 billion devices connect to the Internet all over the world. What about devices you might have forgotten about? Can they still connect to your network? What is the risk? Even more important, what can you do about it? Let’s find out.
Tsunami on the horizon
Devices exist in businesses, homes, hospitals, government agencies, vehicle fleets, and basically anywhere there is connectivity. In 2020, the average American household had access to 10 devices. If the average US household has 2.6 people, how many IoT devices are connected to a company with 1,000 employees?
Rapid production times and short shelf life make the explosion of IoT a concern for security teams. Older devices that are still in use may no longer receive security updates. And new devices continue to pose a huge risk in the form of zero-day exploits and other threats.
Recently, researchers discovered a vulnerability in NanoMQ, a multiprotocol message bus and messaging engine for edge computing. NanoMQ captures real-time data on sensors for smart watches, automobiles, fire detectors, patient monitoring, and security systems. This massive vulnerability left more than 100 million devices exposed.
Many companies are concerned about increased cyber risk due to remote and hybrid work structures. However, the massive attack surface of IoT should also be high on the list of concerns.
Impact of IoT Security Threats
The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, cryptojack devices, or build botnets. They can even reach corporate assets from a device connected to a home network where remote work is done.
Consider CVE-2021-28372. This flaw allows threat actors to remotely compromise victims’ IoT devices. From there, attackers could listen to live audio, view real-time video, and steal device credentials for deeper network penetration.
The best ransomware protection for businesses isn’t just about thwarting phishing attacks. Security leaders must also consider their IoT ecosystem. Some think that malware hijacking or locking devices can be stopped by rebooting the device. But if you reset even a simple IoT lightbulb, you could end up exposing your network, as we’ll see later.
Will regulation solve it?
Since both security and privacy are at stake, IoT regulation is of great interest to regulators. A great international effort is working to set IoT security standards. As of now, the prevailing guidance on this in the US comes from NIST, and California has its own laws for manufacturers. The IoT Cybersecurity Enhancement Act of 2020 regulates government procurement of such devices.
Since many devices or device parts come from abroad, regulation becomes even more complex. Bottom line? Regulation alone will not protect your digital assets.
The problem with the connected bulb
Even a smart light bulb could be a vulnerable network endpoint. How could this happen? Here is how it works:
- Attackers take over the function of the bulb from a distance. They can then change the brightness of the bulb or have it turn on and off. This leads you to think that the bulb is not working. In the control app, the bulb appears as unreachable.
- If the owner resets the light bulb and the app rediscovers it, the attacker can add a compromised light bulb to the network.
- The compromised bulb can install malware to allow IP network infiltration and malware propagation.
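From the defender's side, the sequence above leaves a recognizable trail: a device goes unreachable, is factory reset, and is paired again shortly afterwards. The following added example (not from the original article) flags that pattern so the re-pairing can be reviewed before the device is trusted; the hub log format, device ids and 30-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical smart-home hub log;
# the format and device ids are made up for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:12 bulb-kitchen state=unreachable
2024-05-01T09:07:40 bulb-kitchen event=factory_reset
2024-05-01T09:08:05 bulb-kitchen event=paired
2024-05-01T10:15:00 plug-office state=unreachable
2024-05-01T10:16:30 plug-office state=online
2024-05-02T08:00:00 bulb-hall event=factory_reset
2024-05-02T08:01:00 bulb-hall event=paired
"""

LINE = re.compile(r"^(\S+) (\S+) (?:state|event)=(\w+)$")
SEQUENCE = ("unreachable", "factory_reset", "paired")


def suspicious_rejoins(log_text, window=timedelta(minutes=30)):
    """Return device ids that went unreachable, were reset and were
    paired again, all within `window` of the first event."""
    progress = {}  # device id -> (index of next expected step, time of first step)
    flagged = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, device, what = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        step, started = progress.get(device, (0, None))
        if started is not None and ts - started > window:
            step, started = 0, None  # sequence too old, start over
        if what == SEQUENCE[step]:
            started = started or ts
            step += 1
            if step == len(SEQUENCE):
                flagged.append(device)  # full pattern seen, hold for review
                step, started = 0, None
        elif what == SEQUENCE[0]:
            step, started = 1, ts  # a fresh outage restarts the sequence
        elif what == "online":
            step, started = 0, None  # device recovered on its own
        progress[device] = (step, started)
    return flagged


if __name__ == "__main__":
    print(suspicious_rejoins(SAMPLE_LOG))
```

A planned reset with no preceding outage (bulb-hall in the sample) is not flagged, which keeps routine maintenance out of the review queue.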
Common wisdom on IoT security, effective or not?
Conventional methods typically suggested to protect IoT devices include:
- Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
- Always change the preinstalled passwords. Use complex passwords with uppercase and lowercase letters, numbers, and symbols.
- Restart a device as soon as you think it’s acting strange. It could help get rid of existing malware. (Be careful with this tip!)
- Keep access to IoT devices restricted by an on-premises virtual private network. This prevents public exposure to the Internet.
- Use threat data feeds to block network connections from malicious network addresses.
- Keep unpatched devices on a separate network that unauthorized users cannot access. Ideally, you should disable, destroy, or recycle devices that cannot be patched.
If you were paying attention, a light bulb should have gone on in your head. While some of these tips can be helpful, one can cause more harm than good. As we shared earlier, a device reboot can even enable malware infection.
Zero Trust Best Practices for IoT Security
The IoT security challenge is part of a larger problem. Simply put, organizational perimeters have become almost non-existent. With so many devices deployed and so many people working remotely, we need a new vision.
For example, zero trust architecture pushes the perimeter to its farthest edge, whether it’s a user, a device, an app, or an API trying to gain access to the network. You should be able to deny access by default until identity and authenticity can be verified.
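As an added illustration (not from the original article), here is a deny-by-default admission check for IoT devices that also applies the earlier advice on preinstalled passwords, unpatched devices and re-paired bulbs. The inventory, field names, fingerprints and the three decisions (deny, quarantine, allow) are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed inventory for this example: device id -> expected certificate
# fingerprint and whether the vendor still ships firmware patches.
INVENTORY = {
    "cam-lobby": {"cert_fp": "fp-aaa", "vendor_supported": True},
    "dvr-store": {"cert_fp": "fp-bbb", "vendor_supported": False},
    "bulb-kitchen": {"cert_fp": "fp-ccc", "vendor_supported": True},
}


@dataclass
class AccessRequest:
    device_id: str
    cert_fp: str                  # fingerprint presented during the handshake
    firmware_current: bool        # latest vendor firmware installed?
    default_password: bool        # still using the preinstalled password?
    recently_reset: bool = False  # factory reset and re-paired


def decide(req, inventory=INVENTORY):
    """Return (decision, reason). Anything not explicitly verified is denied."""
    record = inventory.get(req.device_id)
    if record is None:
        return "deny", "device not in inventory"
    if req.cert_fp != record["cert_fp"]:
        return "deny", "identity not verified"
    if req.default_password:
        return "deny", "preinstalled password still set"
    if req.recently_reset:
        # A reset device is not trusted again just because it was known before.
        return "quarantine", "re-paired after reset, needs re-verification"
    if not record["vendor_supported"] or not req.firmware_current:
        # Unpatched devices are kept on a separate, restricted network.
        return "quarantine", "unpatched, restricted to the isolated segment"
    return "allow", "verified and patched"


if __name__ == "__main__":
    print(decide(AccessRequest("bulb-kitchen", "fp-ccc", True, False, True)))
```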
For companies that take a zero-trust approach, consider Secure Access Service Edge (SASE) services. SASE establishes cloud security at the edge, closer to the users and devices that access corporate resources. This brings software-defined networking and network security together in a single cloud-based service.
With built-in edge computing security, SASE is a zero-trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, businesses will look to solutions, such as zero trust, to stay secure.