(February 12, 2024) As many as 100 million smart speakers are installed in homes across the U.S., allowing their owners to check the weather, listen to music, shop online, and more with a simple voice command. These and other IoT devices are also finding their way into the workplace. Growing IoT exploits illustrate the need for improved security
An analysis by Ordr found that up to 20 percent of IoT devices operating in enterprise environments were unknown to IT teams. These devices included things like smart speakers, Ring-type security cameras, and connected appliances.
Consumer-grade devices may have a legitimate use in the enterprise. Smart speakers, for example, can help those with administrative duties perform a range of tasks. However, most IoT devices lack robust security controls, creating vulnerabilities that threat actors can exploit to gain access to the enterprise network or conduct a variety of attacks.
The Weaponization of IoT
Distributed denial of service (DDoS) attacks are a growing threat. According to SISA, DDoS attacks leveraging IoT devices spiked by 300 percent in the first half of 2023. Ninety percent of 2023’s complex DDoS attacks were based on IoT botnets. Botnets grow by infiltrating new devices, deploying malware and gaining persistent access.
The weaponization of IoT devices is not a new phenomenon. Billions of devices are compromised each year as malicious actors exploit security gaps to organize botnets, steal data, or mine cryptocurrency.
IoT devices typically have a small form factor and lack processing power. As a result, manufacturers often eliminate encryption and other security controls to reduce power consumption. Studies suggest that up to 98 percent of all IoT traffic is unencrypted. Additionally, manufacturers frequently hardcode devices with a single default password to streamline deployment, creating a heightened risk of unauthorized access.
IoT’s Security Gaps
Other factors contribute to IoT device vulnerabilities. The IoT is a highly distributed architecture comprising many different devices, sensors, processors, hardware interfaces, wireless gateways, and edge servers. This creates a variety of possible attack vectors and makes it difficult to identify and thwart malicious activity. In addition, different devices have different hardware, software, and operating systems that support different security protocols.
Insecure Wi-Fi networks also create risk. Most IoT devices transmit data via Wi-Fi, and malicious actors can exploit Wi-Fi security weaknesses to steal data in transit. They also launch man-in-the-middle attacks to steal credentials, exfiltrate data or install malware.
Poor visibility is another problem. IoT devices are being deployed by multiple departments, business units and teams, so IT teams seldom know how many devices are connected to the corporate network. In a recent ESG study, 75 percent of IT organizations reported a widening visibility gap in their IoT device initiatives.
Gaining Visibility
Organizations obviously can’t secure devices that they don’t know about. However, users will inevitably bring consumer-grade IoT devices to the enterprise network. To improve visibility into the IoT environment, organizations need tools that discover devices and mitigate potential threats.
Here are some additional recommendations for minimizing IoT risk:
- Change the default password on all devices and disable any unneeded features.
- Develop policies for keeping IoT devices and applications up-to-date to protect against emerging security vulnerabilities.
- Use network segmentation and access control policies to isolate IoT devices and prevent threats from moving laterally through the corporate network.
- Secure the wireless network with Wi-Fi 6 access points featuring WPA3 encryption, which can prevent many brute-force attacks.
- Use a next-generation firewall to ensure that IoT devices connect to safe locations, reducing the chance they’ll be remotely exploited.
We recognize that managing and securing ever-expanding IoT environments is a tall order for resource-strapped IT departments. We can deliver the resources you need through our managed security services. Contact us to learn more.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile
