IoT security and the forgotten IoT

In 2017, the number of connected devices exceeded the world’s population. That is a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors target Dyn, a company that was managing web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, GitHub, and other big brands. The threat actors used the Mirai malware to take over at least 100,000 devices (webcams, DVRs, etc.) as zombies to launch a massive attack against Dyn.

Fast forward to now. How many IoT devices are waiting to be hacked? Today, about 12.3 billion devices are connected to the Internet worldwide. What about devices you may have forgotten about? Can they still connect to your network? What is the danger? And most importantly, what can you do about it? Let’s find out.

Tsunami on the horizon

Devices are found in businesses, homes, hospitals, government agencies, vehicle fleets, and anywhere there is a connection. In 2020, the average American household had access to 10 devices. If the average home in the United States has 2.6 people, how many IoT devices are connected to a company with 1,000 employees?

Fast production times and short lifespans make the explosion of the Internet of Things a concern for security teams. Older devices that are still in use may not receive security updates. And new devices still pose a significant risk in the form of zero-day vulnerabilities and other threats.

Researchers recently discovered a vulnerability in NanoMQ, a multi-protocol messaging engine and message bus for edge computing. NanoMQ captures real-time data from sensors for smart watches, cars, fire detectors, patient monitors, and security systems. This huge vulnerability has left more than 100 million devices exposed.

Many companies fear increased cyber risk due to hybrid and remote business structures. However, the massive IoT attack surface should also rank high on the list of concerns.

The impact of IoT security threats

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, mine cryptocurrency (cryptojacking), or build botnets. Where work is done remotely, they may even reach company assets through a device connected to the home network.

Consider CVE-2021-28372. This flaw enables threat actors to remotely compromise the victim’s IoT devices. From there, attackers can eavesdrop on live audio, watch real-time video, and steal device credentials to penetrate deeper into the network.

The best ransomware protection for business isn’t just about thwarting phishing attacks. Security leaders should also consider their IoT systems. Some believe that malware infiltrating devices can be stopped or shut down by restarting the device. But if you turn even a simple IoT light bulb back on, you could end up exposing your network, as we’ll see later.

Will regulations solve it?

With both security and privacy issues at stake, the Internet of Things is of great importance to regulators. There is a significant international effort to set IoT security standards. As of now, the prevailing guidance on this matter in the United States is from NIST, and California has its own laws for manufacturers. The IoT Cybersecurity Improvement Act of 2020 regulates the government’s purchase of these devices.

Since many devices or hardware parts come from abroad, regulation becomes more complex. The bottom line? Regulation alone will not protect your digital assets.

The connected light bulb problem

Even a smart light bulb can be an endpoint that exposes your network. How could this happen? Here’s how it works:

  1. The attackers take control of the bulb remotely. They can then change the brightness of the bulb or turn it on and off. This leads you to believe that the bulb is not working. In the control app, the bulb shows as unreachable.
  2. If the owner restarts the bulb and the application rediscovers it, the attacker can add the compromised bulb to the network.
  3. The compromised bulb can then install malware to enable IP network penetration and malware spread.

Conventional wisdom about securing the Internet of Things: effective or not?

Commonly suggested traditional methods of securing IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change pre-installed passwords. Use complex passwords that contain uppercase and lowercase letters, numbers, and symbols.
  • Reboot the device as soon as you think it is behaving strangely. It may help get rid of existing malware. (Beware this tip!)
  • Keep access to IoT devices restricted to a local VPN. This prevents public exposure to the Internet.
  • Use threat data feeds to block network connections coming from malicious network addresses.
  • Keep unpatched devices in a separate network that unauthorized users cannot access. Ideally, you should turn such devices off and destroy or recycle them.

If you were paying attention, a light bulb should have gone on in your head. While some of these tips may be helpful, one can do more harm than good. As we previously shared, restarting the device can enable malware infection.

Zero Trust Best Practices for IoT Security

The security challenge of the Internet of Things is part of a larger problem. Simply put, the conventional perimeter is almost non-existent. With devices so pervasive and so many people working remotely, we need a new vision.

For example, a zero trust architecture takes the perimeter to its extreme, whether it is a user, device, application, or API trying to access the network. Access should be denied by default until identity and authenticity can be verified.
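As an added illustration (not code from the original article or from any product), here is a sketch of a default-deny admission decision for devices, covering the forgotten device and the rediscovered light bulb described earlier. The inventory fields, the HMAC challenge-response scheme, and the three verdicts are assumptions made for the example.

```python
"""Default-deny admission decision for IoT devices (illustrative sketch)."""
import hashlib
import hmac
from dataclasses import dataclass

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"

@dataclass
class Enrolled:
    key: bytes              # per-device secret set at enrollment (assumed scheme)
    patched: bool           # vendor still ships fixes and the latest is installed
    went_unreachable: bool  # dropped off the controller and later reappeared

def proof(key: bytes, nonce: bytes) -> str:
    """Response a genuine device computes over the controller's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()

def decide(inventory: dict, mac: str, nonce: bytes, response: str) -> str:
    """Return the verdict for one join request; anything unproven is denied."""
    dev = inventory.get(mac.lower())
    if dev is None:
        return DENY            # forgotten or unknown device: not in the inventory
    if not hmac.compare_digest(proof(dev.key, nonce), response):
        return DENY            # identity could not be verified
    # A valid proof shows identity, not integrity: a taken-over device still
    # holds its key, so a rediscovered or unpatched device is isolated first.
    if dev.went_unreachable or not dev.patched:
        return QUARANTINE
    return ALLOW

# Constructed sample inventory (hypothetical MAC addresses and keys).
INVENTORY = {
    "aa:bb:cc:00:00:01": Enrolled(b"k-camera", patched=True, went_unreachable=False),
    "aa:bb:cc:00:00:02": Enrolled(b"k-bulb", patched=True, went_unreachable=True),
    "aa:bb:cc:00:00:03": Enrolled(b"k-dvr", patched=False, went_unreachable=False),
}

def demo() -> dict:
    nonce = b"constructed-nonce"   # fixed for the demo; use a random nonce per join
    requests = {
        "aa:bb:cc:00:00:01": proof(b"k-camera", nonce),
        "aa:bb:cc:00:00:02": proof(b"k-bulb", nonce),   # the rediscovered bulb
        "aa:bb:cc:00:00:03": proof(b"k-dvr", nonce),    # device without updates
        "aa:bb:cc:00:00:04": proof(b"guess", nonce),    # never enrolled
        "AA:BB:CC:00:00:01": "0" * 64,                  # known MAC, wrong proof
    }
    return {mac: decide(INVENTORY, mac, nonce, r) for mac, r in requests.items()}

if __name__ == "__main__":
    for mac, verdict in demo().items():
        print(mac, verdict)
```

The rediscovered bulb passes the identity check yet still lands in quarantine, which is the behaviour that keeps a restart from silently re-admitting a compromised device.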

For businesses that adopt a zero trust approach, consider Secure Access Service Edge (SASE). SASE delivers cloud-based security at the edge, closer to users and devices accessing corporate resources. This combines software-defined networking and network security into a single cloud-based service.

With integrated security, SASE is a zero trust model designed to meet the demands of a mixed workforce and diverse IoT environments. Given the rapid expansion of devices nowadays and the fluid regulatory environment, companies will look for solutions, such as zero trust, to stay safe.