IoT Security and the Internet of Forgotten Things

In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them are not built with security in mind. It didn’t take long for attackers to exploit Internet of Things (IoT) vulnerabilities.

One case in 2016 saw threat actors take down Dyn, a company that managed web traffic for Twitter, Spotify, Netflix, Reddit, Etsy, GitHub and other major brands. The threat actors used Mirai malware to turn at least 100,000 devices (webcams, DVRs, etc.) into zombies and launch a massive attack on Dyn.

Fast forward to now. How many IoT devices are waiting for a breach? Today, about 12.3 billion devices connect to the Internet worldwide. What about the devices you may have forgotten? Can they still connect to your network? What is the risk? And more importantly, what can you do about it? Let’s find out.

Tsunami on the horizon

Devices exist in businesses, homes, hospitals, government agencies, fleets, and basically anywhere connectivity is present. In 2020, the average US household had access to 10 devices. As the average house in the US has 2.6 people, how many IoT devices are connected to a company with 1,000 employees?

Fast production times and short lifespans make the IoT explosion a concern for security teams. Older devices that are still in use may no longer receive security updates. And new devices still pose a significant risk in the form of zero-day exploits and other threats.

Recently, researchers discovered a vulnerability in NanoMQ, a messaging engine and multi-protocol message bus for edge computing. NanoMQ captures real-time data in sensors for smartwatches, cars, fire detectors, patient monitoring and security systems. More than 100 million devices have been exposed as a result of this massive vulnerability.

Many companies are concerned about increased cyber risk as a result of remote and hybrid work structures. However, the massive IoT attack surface should also be high on the list of concerns.

Impact of threats to IoT security

The first half of 2021 saw 1.5 billion attacks on smart devices, with attackers looking to steal sensitive data, encrypt devices, or build botnets. They can even access corporate assets from a device connected to a remote home network.

Consider CVE-2021-28372. This flaw allows threat actors to remotely compromise victims’ IoT devices. From there, attackers can eavesdrop on live audio, view real-time video, and steal device data for deeper network penetration.

The best ransomware protection for businesses isn’t just about fending off phishing attacks. Security leaders also need to consider their IoT ecosystem. Some think that malware that hijacks or locks devices can be stopped by restarting the device. But restarting even a simple IoT lamp can eventually expose your network, as we’ll see later.

Will regulation fix it?

With both security and privacy issues at stake, IoT regulation is of acute importance to regulatory authorities. A major international effort is underway to set IoT security standards. As of now, the prevailing guidelines on this in the US are from NIST, and California has its own laws for manufacturers. The 2020 IoT Cybersecurity Improvement Act regulates government procurement of such devices.

Since many devices or device parts come from abroad, the regulations become even more complex. The bottom line? Regulation alone will not protect your digital assets.

The problem with the connected light bulb

Even a smart light bulb can be an endpoint for network vulnerability. How can this happen? This is how it works:

  1. Attackers remotely take over the light bulb function. They can then change the brightness of the lamp or turn it on and off. This leads you to think that the lamp is not working. On the control app, the lamp appears as unreachable.
  2. If the owner restarts the lamp and the app rediscovers it, the attacker can add an infected lamp to the network.
  3. The infected lamp can then install malware to allow infiltration of the IP network and spread of malware.

Folk wisdom about securing IoT, effective or not?

Conventional methods usually suggested to secure IoT devices include:

  • Install firmware updates as soon as possible. Patches within updates can help prevent zero-day attacks.
  • Always change preinstalled passwords. Use complex passwords with both upper and lower case letters, numbers and symbols.
  • Restart a device as soon as you think it’s acting strange. It can help to remove existing malware. (Beware of this advice!)
  • Keep access to IoT devices restricted by a local virtual private network. This prevents public internet exposure.
  • Use threat data feeds to block network connections originating from malicious network addresses.
  • Keep unpatched devices in a separate network from unauthorized users. Ideally, you should retire, destroy, or recycle non-patchable devices.

If you have been paying close attention, a light should have come on in your head. While some of these tips may be helpful, they can do more harm than good. As we shared earlier, restarting a device can even allow malware infections.

Zero Trust best practices for IoT security

The IoT security challenge is part of a larger problem. Simply put, organizational boundaries have become almost non-existent. With so many devices in use and so many people working remotely, we need a new vision.

For example, zero trust architecture pushes the perimeter to its limits, be it a user, device, application or API trying to gain network access. You should be able to deny access as the default position until identity and authenticity can be verified.
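The default-deny position described above, sketched as an added example (not code from the original article or from any product it mentions). It assumes a hypothetical gateway holding a device inventory with a per-device secret provisioned at enrollment; the device names, keys and the `quarantine` outcome for end-of-life firmware, which mirrors the separate-network advice in the list above, are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    key: bytes                # per-device secret provisioned at enrollment (assumption)
    firmware_supported: bool  # vendor still ships security updates

# Constructed sample inventory; anything not listed is a "forgotten thing".
INVENTORY = {
    "cam-01": Device(b"constructed-key-cam-01", True),
    "dvr-07": Device(b"constructed-key-dvr-07", False),  # end-of-life firmware
}

def prove(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side: MAC over its identity and the gateway's challenge."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()

class Gateway:
    def __init__(self, inventory):
        self.inventory = inventory
        self.pending = {}  # device_id -> outstanding challenge nonce

    def challenge(self, device_id: str) -> bytes:
        """Issue a fresh random nonce that the device must bind into its proof."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def admit(self, device_id: str, proof: bytes) -> str:
        """Return 'allow', 'quarantine' or 'deny'; every unproven path is 'deny'."""
        nonce = self.pending.pop(device_id, None)  # single use, so a replay fails
        device = self.inventory.get(device_id)
        if nonce is None or device is None:
            return "deny"  # no challenge outstanding, or device not in inventory
        if not hmac.compare_digest(prove(device.key, device_id, nonce), proof):
            return "deny"  # identity claim could not be verified
        # Verified identity, but unpatched firmware only reaches an isolated segment.
        return "allow" if device.firmware_supported else "quarantine"
```
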

Companies that take a zero trust approach should consider Secure Access Service Edge (SASE) services. SASE delivers cloud security at the edge, closer to users and devices accessing corporate resources. This brings software-defined networks and network security together in one cloud-based service.

With integrated edge computing security, SASE is a zero trust model designed to meet the demands of hybrid workforces and diverse IoT environments. Given today’s rapid device expansion and fluid organizational perimeters, companies will seek solutions, such as zero trust, to stay secure.
