The latest security research confirms across the board what we see in our practice and in the news: weak Internet of Things (IoT) security is creating more vulnerabilities and greater risk than ever. And with devices proliferating and hackers targeting them intensively, the trend will only escalate.
The Latest IoT Security Research
For example, a poll by security vendor Forescout showed that 49% of IT decision-makers acknowledge having unknown third-party devices on their networks. That’s not surprising given how fast IoT endpoints are proliferating. 69% of poll respondents say they have over 1,000 smart devices on their networks, while 19% say they have more than 10,000. Meanwhile, Gartner forecasts that over 20 billion IoT devices will be in use globally by 2020.
With so much low-hanging fruit out there, hackers have been quick to capitalize. According to Fortinet’s latest Global Threat Landscape Report, botnets built from compromised IoT devices continue to grow in size and sophistication, while also becoming harder to detect.
The number of IoT exploits per enterprise, the number of unique exploits encountered and botnet infection time all grew significantly in the fourth quarter of 2018. One emerging vector for exploiting unprotected IoT devices is open source malware tools, which hackers are rapidly weaponizing to concoct new malware threats.
A top emerging target is IP-enabled security cameras, many of which ironically lack network security protocols. Hacked cameras can potentially be used for eavesdropping, could be turned off to facilitate a break-in, and of course, can be leveraged for DDoS attacks and spamming via botnets.
Finally, NETSCOUT’s Threat Intelligence Report for the last six months of 2018 stated the time period was characterized by “… the growth of internet-scale campaigns that use a vast array of devices related solely by internet connectivity to strike strategic targets.” IoT devices are generally under attack within five minutes of being hooked up, and “targeted by specific exploits within 24 hours.”
With DDoS attacks now available for hire, the number of global DDoS attacks rose 26% and the maximum DDoS attack size ballooned by 19%—both in just 6 months. This was largely due to cybercriminals’ increasing success in infiltrating IoT devices faster and quickly building midsized DDoS attacks. NETSCOUT reports that DDoS attacks in the 100-200GBps range were up by 169%, and 200-300GBps attacks were up a staggering 2,500%. Top sectors targeted include universities, government, financial services and telecommunications, with special attention being paid to consulates, embassies, and particularly airlines.
How to Improve Your IoT Security
Against such a grim backdrop, what can organizations do to reduce their risk from IoT devices?
A key first step is to ensure that IT is involved in choosing new IoT devices, evaluating the out-of-the-box security risk they present, and assessing whether it is essential to connect them to the internet in the first place. Educating stakeholders about IoT security issues is a natural extension of this approach.
Limit (And Audit) Your Devices
You should also do everything possible to limit how many devices you expose to the internet, and segment your network so that IoT systems are separate from physical services. Further, you need to identify and audit all the IoT devices currently on your network, determine what security they have in place (no default passwords!), and check whether any are compromised. In line with that, you need a plan to patch your IoT systems with the latest firmware.
These basic steps may sound simpler in theory than they often are in practice. A big challenge with IoT risk is that it is often unknown or underestimated. This is what hackers are counting on.
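One way to turn the audit steps above into a repeatable check is sketched below. This is an added example, not code from the original article. The record fields, the VLAN ID and all device data are constructed assumptions standing in for your own discovery and inventory exports.

```python
"""Audit discovered IoT devices against an approved inventory (all data constructed)."""

IOT_VLAN = 30  # assumed ID of the segregated IoT VLAN

# Approved inventory keyed by MAC: model, latest vendor firmware, internet need.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"model": "cam-x", "latest_fw": "2.4.1", "needs_internet": False},
    "aa:bb:cc:00:00:02": {"model": "hvac-y", "latest_fw": "1.10.0", "needs_internet": True},
    "aa:bb:cc:00:00:03": {"model": "cam-x", "latest_fw": "2.4.1", "needs_internet": False},
}

# Constructed discovery results, e.g. merged from DHCP leases and a credential review.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "vlan": 30, "fw": "2.4.1", "default_password": False, "internet_exposed": False},
    {"mac": "aa:bb:cc:00:00:02", "vlan": 30, "fw": "1.9.3", "default_password": False, "internet_exposed": True},
    {"mac": "aa:bb:cc:00:00:03", "vlan": 10, "fw": "2.4.1", "default_password": True, "internet_exposed": True},
    {"mac": "de:ad:be:ef:00:99", "vlan": 10, "fw": "unknown", "default_password": False, "internet_exposed": False},
]

def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so 1.9.3 < 1.10.0 compares correctly."""
    return tuple(int(part) for part in text.split("."))

def audit(discovered, inventory, iot_vlan=IOT_VLAN):
    """Return sorted (mac, finding) pairs for every policy violation."""
    findings = []
    for dev in discovered:
        mac = dev["mac"].lower()  # normalize case before the inventory lookup
        if dev["vlan"] != iot_vlan:
            findings.append((mac, "not-segmented"))
        approved = inventory.get(mac)
        if approved is None:
            findings.append((mac, "unknown-device"))  # nothing else to compare against
            continue
        if dev["default_password"]:
            findings.append((mac, "default-password"))
        if parse_version(dev["fw"]) < parse_version(approved["latest_fw"]):
            findings.append((mac, "firmware-outdated"))
        if dev["internet_exposed"] and not approved["needs_internet"]:
            findings.append((mac, "unneeded-internet-exposure"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, finding in audit(DISCOVERED, INVENTORY):
        print(f"{mac}  {finding}")
```

Running the same check on a schedule against fresh discovery data surfaces new unknown devices and firmware drift as they appear, rather than only at audit time.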
To talk with an expert about your organization’s IoT attack surface and how best to classify and manage your IoT risk, contact Pivot Point Security.