As more everyday items become connected through the Internet of Things, the cyber risk landscape changes. Threat actors know that consumers and businesses deploy these devices rapidly to reap their benefits, often without much appreciation for the security risks.
An ongoing rise in IoT attacks sees many companies and consumers facing threats from spying to having data stolen. Here’s what’s happening in IoT security and some tips for defending against a rise in IoT attacks.
The latest estimates predict a steep increase in worldwide connected IoT devices from 15 billion in 2023 to almost 30 billion by 2030. Much of this increase will come in the form of customer-focused gadgets like today’s smart locks and voice assistants and future innovations that turn more everyday items into internet-connected data sources.
Companies in multiple industries also benefit from connected devices in many ways, from predictive maintenance in manufacturing to smart office buildings that are more energy-efficient to run and comfortable to work in. The reach of consumer-focused IoT will expand as more homes become “smart.” And, as our CSO predicted last year, IoT attacks on consumer devices will grow.
The rapid proliferation of IoT devices is yet another area in which robust security often lags behind explosive growth. The result then is a cyber risk landscape that’s increasingly perilous for customers (and companies) who increasingly deploy and enjoy these connected devices.
Perhaps the key security threat to consumer IoT is quite a fundamental flaw—these devices often contain unpatched vulnerabilities that hackers can easily find and exploit. Code weaknesses are more likely to arise in less mature areas of technology like IoT, where vendors often rush to release their latest widgets without necessarily adhering to the highest standards of code security.
Another part of the problem is that it’s awkward for people to remediate IoT vulnerabilities. Customers are less likely to track all the IoT devices they use and whether they are up-to-date or not. When an adversary manages to exploit an unpatched vulnerability in a customer IoT device, the consequences can range from DDoS attacks to privacy compromises.
You can recognize the extent of the threat from unpatched IoT vulnerabilities by the volume of news stories emerging regularly about new IoT security flaws:
Weak passwords have plagued cybersecurity for years. Customers more than businesses are far less likely to change the default passcodes used for their devices. Couple that with the rush to get the latest gadgets to the market and you have a wide attack surface with billions of devices accessible via poor-quality passwords that hackers can easily guess or brute force.
When hackers get access to a connected device, they can install backdoors that enable them to steal data or seize control of the device’s functions. In 2019, over 600,000 GPS trackers shipped with the password 123456. Almost four years later, the default password problem is not going away—an IoT security report from December 2022 found 99% of IoT device passwords analyzed were weak, default passwords.
Critical Infrastructure Attacks
One of the most feared types of cyberattacks is when a threat actor or group of actors seizes control over critical infrastructure. While not a directly consumer-focused attack, critical infrastructure cyberattacks directly affect the lives of potentially millions of people at once. Attacks on critical infrastructure can wreak havoc on a societal scale, from impacting the energy grid to depleting fuel supplies to causing transport safety hazards for commuters.
Formerly, the information technology (IT) and operational technology (OT) systems used by operators of critical infrastructure were completely separated and not in communication. However, the emergence of industrial IoT (IIoT) solutions has altered the risk landscape by converging IT and OT in beneficial ways. One downside though is that a security weakness in industrial IoT devices could provide a path for hackers to jump from the IT side of critical infrastructure environments to the operational technology that controls those environments.
With 2022 seeing an 87% year-over-year increase in IoT malware attacks, it’s clear that threat actors are increasingly setting their sights on this low-hanging fruit area of exploitable cyber weaknesses. So, what can be done to defend against a rise in IoT attacks?
Detecting and Responding to IoT Threats
IoT attacks will continue to hit both consumers and companies. In managing a more complex IoT ecosystem, businesses must monitor their IoT devices and networks continuously for suspicious activity, such as unexpected traffic or unusual behavior. Being able to detect, respond to and recover from security incidents is imperative.