
The Ongoing Rise in IoT Attacks: What We’re Seeing in 2023

As more everyday items become connected through the Internet of Things, the cyber risk landscape changes. Threat actors know that consumers and businesses deploy these devices rapidly to reap their benefits, often without much appreciation for the security risks.

An ongoing rise in IoT attacks leaves many companies and consumers facing threats that range from spying to data theft. Here’s what’s happening in IoT security, along with some tips for defending against these attacks.

IoT and Customer Deployments

The latest estimates predict a steep increase in worldwide connected IoT devices from 15 billion in 2023 to almost 30 billion by 2030. Much of this increase will come in the form of customer-focused gadgets like today’s smart locks and voice assistants and future innovations that turn more everyday items into internet-connected data sources.

Companies in multiple industries also benefit from connected devices in many ways, from predictive maintenance in manufacturing to smart office buildings that are more energy-efficient to run and comfortable to work in. The reach of consumer-focused IoT will expand as more homes become “smart.” And, as our CSO predicted last year, IoT attacks on consumer devices will grow.

The rapid proliferation of IoT devices is yet another area in which robust security often lags behind explosive growth. The result is a cyber risk landscape that’s increasingly perilous for the customers (and companies) who deploy and enjoy these connected devices.

IoT Security Threats in 2023

Unpatched Vulnerabilities

Perhaps the key security threat to consumer IoT is quite a fundamental flaw—these devices often contain unpatched vulnerabilities that hackers can easily find and exploit. Code weaknesses are more likely to arise in less mature areas of technology like IoT, where vendors often rush to release their latest widgets without necessarily adhering to the highest standards of code security.

Another part of the problem is that it’s awkward for people to remediate IoT vulnerabilities. Customers are less likely to track all the IoT devices they use and whether they are up-to-date or not. When an adversary manages to exploit an unpatched vulnerability in a customer IoT device, the consequences can range from DDoS attacks to privacy compromises.

You can recognize the extent of the threat from unpatched IoT vulnerabilities by the volume of news stories emerging regularly about new IoT security flaws:

  • In March 2023, a smart intercom made by Akuvox was revealed to contain zero-day vulnerabilities that enabled remote spying and listening.
  • Hackers started targeting a group of 13 IoT remote code execution vulnerabilities in the second half of 2022, enabling them to install a variant of Mirai malware on affected devices and control them.
  • Buffer overflow flaws in the privacy-preserving TPM 2.0 protocol were discovered in March 2023, potentially putting billions of IoT devices at risk.

Default Passwords

Weak passwords have plagued cybersecurity for years. Customers are far less likely than businesses to change the default passcodes used for their devices. Couple that with the rush to get the latest gadgets to market and you have a wide attack surface, with billions of devices accessible via poor-quality passwords that hackers can easily guess or brute force.

When hackers get access to a connected device, they can install backdoors that enable them to steal data or seize control of the device’s functions. In 2019, over 600,000 GPS trackers shipped with the password 123456. Almost four years later, the default password problem is not going away—an IoT security report from December 2022 found 99% of IoT device passwords analyzed were weak, default passwords.

Critical Infrastructure Attacks

One of the most feared types of cyberattacks is when a threat actor or group of actors seizes control over critical infrastructure. While not a directly consumer-focused attack, critical infrastructure cyberattacks directly affect the lives of potentially millions of people at once. Attacks on critical infrastructure can wreak havoc on a societal scale, from impacting the energy grid to depleting fuel supplies to causing transport safety hazards for commuters.

Formerly, the information technology (IT) and operational technology (OT) systems used by operators of critical infrastructure were completely separated and not in communication. However, the emergence of industrial IoT (IIoT) solutions has altered the risk landscape by converging IT and OT in beneficial ways. One downside, though, is that a security weakness in industrial IoT devices could provide a path for hackers to jump from the IT side of critical infrastructure environments to the operational technology that controls those environments.

Defending Against the Rise in IoT Attacks

With 2022 seeing an 87% year-over-year increase in IoT malware attacks, it’s clear that threat actors are increasingly setting their sights on IoT as a source of low-hanging, easily exploitable weaknesses. So, what can be done to defend against a rise in IoT attacks?

  • NIST recently announced a cryptography standard for lightweight IoT device protection, which will help preserve data privacy and security for data at rest and in motion.
  • Check before buying any IoT device that the vendor takes updates seriously, regularly releases updates to fix bugs and known vulnerabilities, and provides an easy mechanism for installing them (such as having a default update option).
  • While it might not be practical for consumers to choose a unique strong password for every single connected device, a minimum basic security measure is to change the default password to something stronger.
  • More vendors have a responsibility to provide multifactor authentication options for users who want to strengthen the security of their devices.
  • Limit the functions that you switch on in your IoT devices to only those you really need. For example, if your smartwatch has Bluetooth but you don’t use Bluetooth, then turn it off. This practice reduces the potential paths (attack surface) that hackers can go down to access your connected devices.
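
The update, password and unused-function checks above can be run as a periodic audit over a device inventory. This is an added example, not code from the article; the inventory fields, the weak-password list (apart from 123456, which the article cites), the 12-character minimum and the 180-day update threshold are assumptions chosen for illustration.

```python
from datetime import date

# Constructed list of weak/default passwords; "123456" is the one the article cites.
WEAK_PASSWORDS = {"", "1234", "12345", "123456", "admin", "password", "root"}

# Constructed inventory (hypothetical devices and fields), e.g. kept alongside
# a password-manager export. "needed" is what the owner actually uses.
INVENTORY = [
    {"name": "gps-tracker", "password": "123456",
     "last_update": date(2021, 6, 1), "auto_update": False,
     "enabled": {"gps", "bluetooth"}, "needed": {"gps"}},
    {"name": "smart-lock", "password": "correct-horse-battery-staple",
     "last_update": date(2023, 5, 1), "auto_update": True,
     "enabled": {"bluetooth"}, "needed": {"bluetooth"}},
]


def audit_device(dev, today, max_age_days=180, min_length=12):
    """Return the list of findings for one inventory record."""
    findings = []
    pw = dev["password"]
    if pw.lower() in WEAK_PASSWORDS:
        findings.append("default-password")
    elif len(pw) < min_length:
        findings.append("short-password")
    age = (today - dev["last_update"]).days
    if age > max_age_days:
        findings.append(f"stale-firmware:{age}d")
    if not dev["auto_update"]:
        findings.append("auto-update-off")
    # Anything switched on but not needed widens the attack surface.
    for svc in sorted(dev["enabled"] - dev["needed"]):
        findings.append(f"unneeded-service:{svc}")
    return findings


def audit(inventory, today):
    """Map each device name to its findings; an empty list means clean."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2023, 6, 1)).items():
        print(name, findings or "ok")
```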

Detecting and Responding to IoT Threats

IoT attacks will continue to hit both consumers and companies. In managing a more complex IoT ecosystem, businesses must monitor their IoT devices and networks continuously for suspicious activity, such as unexpected traffic or unusual behavior. Being able to detect, respond to and recover from security incidents is imperative.
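
One way to turn "unexpected traffic" into a concrete check is a per-device baseline of expected destinations. This is an added example, not code from the article; the device names, hosts and flow records are constructed, and the telnet fan-out heuristic (one device contacting several hosts on ports 23/2323, the pattern associated with Mirai-style scanning) and its threshold are assumptions.

```python
from collections import defaultdict

# Constructed baseline: the (host, port) pairs each device is expected to contact.
BASELINE = {
    "thermostat": {("cloud.vendor.example", 443), ("ntp.example", 123)},
    "camera": {("video.vendor.example", 443)},
}

# Constructed flow records: (device, destination host, destination port).
FLOWS = [
    ("thermostat", "cloud.vendor.example", 443),
    ("thermostat", "ntp.example", 123),
    ("camera", "video.vendor.example", 443),
    ("camera", "198.51.100.7", 23),
    ("camera", "198.51.100.8", 23),
    ("camera", "198.51.100.9", 2323),
    ("smart-plug", "203.0.113.5", 443),
]

TELNET_PORTS = {23, 2323}
FANOUT_THRESHOLD = 3  # assumed: distinct telnet targets before alerting


def detect(flows, baseline):
    """Return (device, rule, detail) alerts for flows outside the baseline."""
    alerts = []
    telnet_targets = defaultdict(set)
    for device, host, port in flows:
        allowed = baseline.get(device)
        if allowed is None:
            # A device nobody inventoried is itself a finding.
            alerts.append((device, "unknown-device", f"{host}:{port}"))
        elif (host, port) not in allowed:
            alerts.append((device, "off-baseline", f"{host}:{port}"))
        if port in TELNET_PORTS:
            telnet_targets[device].add(host)
    for device, hosts in sorted(telnet_targets.items()):
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append((device, "telnet-fanout", str(len(hosts))))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, BASELINE):
        print(*alert)
```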
