Global manufacturers have made internet of things (IoT) devices incredibly easy to install and use. Many devices are designed to be plug-and-play, fully compatible with other machines, and easily managed from common applications. Their obvious benefits to enterprises and consumers, as well as their proliferation and affordability, have made IoT devices quite common. But as the IoT continues to become more integrated into enterprise and home spaces, the threat landscape also expands.
We look at the most significant threats and vulnerabilities in IoT devices on the edge of the network, within the network itself, and on the cloud; as well as gain insights from the cybercriminal underground.
Nowadays, interacting with IoT edge devices is virtually inevitable. Aside from smartphones and laptops, companies equip offices with devices that promote safety and efficiency, from smart lights to security cameras and connected printers. And many of these devices are also making their way into living spaces, from connected refrigerators in kitchens to smart thermostats in bedrooms.
As dependence on these devices grows, securing them must be a bigger priority. The first step is building an awareness of vulnerabilities and possible threats.
Smart home devices are notoriously vulnerable, and past incidents show how hackers readily compromise and abuse them. Vulnerabilities allow attackers to gain unauthorized remote control of affected devices, which can lead to compromised or even damaged devices.
With more complex IoT environments forming, attackers can use vulnerable devices as gateways into a user’s network. Devices integrated into the environment can include smart bulbs, smart locks, speakers, TVs, and many others. This connectivity opens up homes to intrusions, information theft, and spying—either through compromising the server where devices are connected or through devices themselves.
Although some hackers aim to compromise devices to make them part of a botnet for cryptocurrency mining or even denial-of-service attacks, recent news worryingly shows amateur hackers compromising devices for different reasons: Home security cameras were compromised for simple entertainment value, with hackers harassing victims for self-promotion and amusement. Smart thermostats have also been hacked — the victims were harassed for no discernible motive or goal.
Figure 1. Smart home devices create complex IoT environments
Enterprises are already aware of cybersecurity threats that may affect laptops, tablets, or smartphones that employees use. There are usually established security teams in place to protect company endpoints that connect to the enterprise network, as well as the network itself. However, employees are also bringing in their personal IoT devices, which they connect to enterprise networks and use while at work. Enterprises must also contend with risks and threats — from targeted attacks to hacking and data breaches — that arise from the increasing prevalence of miscellaneous consumer-grade IoT devices within enterprise premises.
Attackers have been known to choose and assess an exposed device, then use it to access the system to which it’s connected, to facilitate targeted attacks. Even simple online searches can provide attackers with enough information to find vulnerabilities in a company’s system and cause damage to the target’s network and assets.
Figure 2. Personal IoT devices in BYOD environments present a serious risk
As companies strengthen their cybersecurity, hackers try to locate any vulnerable IoT device to break into enterprise systems. The use of unpatched devices is a common risk — since they lack the latest security updates, hackers can use older (known) vulnerabilities to corrupt such devices and gain privileged access to corporate networks. Ultimately, unpatched devices can then lead to data breaches or exposed information, manipulation of other assets, access to servers and systems, deployment of malware, or even physical disruption of operations.
Attackers can even scan for other vulnerable devices or turn devices into parts of botnets, among others. Botnets are a significant problem — data from the Trend Micro™ Smart Home Network solution from 2018 to 2019 showed a 180% increase in brute force login attempts. These types of attacks are connected to botnets because cybercriminals use this tactic to break into IoT devices using a large number of consecutive password guesses.
Compromising enterprise systems, disrupting operations, stealing information, accessing sensitive data — malicious actors with these goals in mind typically target IoT devices connected to public networks. Given the possible consequences of a successful attack or compromise, it is vital to protect commonly used features and typical devices used in enterprises and homes.
The continuing adoption of IoT devices, which will only be fueled further by the coming 5G era, means that organizations and even ordinary users are now using cloud computing and cloud-based IoT solutions for easier device management and data storage. A look across the threat landscape reveals several potential attack vectors as these solutions are developed and deployed:
A look into the cybercriminal underground forums and sites shows a growing interest in IoT device hacking and many offers of services from compromised IoT devices. These underground platforms even had tutorials on how to exploit vulnerabilities and hack into devices. The available services ranged from access to compromised devices and the use of botnets to DDoS services and private IoT-based VPNs. This was not limited to English forums and discussions but also across Russian, Portuguese, English, Arabic, and Spanish sites as well.
Figure 4. Russian forum user offering VPN services
Figure 5. Posts offering botnets for sale
Figure 6. Access to compromised devices for sale
The number of devices in use, and the extent to which they are integrated into people’s lives, makes IoT attacks viable for hackers and consequential for users. Users will need awareness of specific threats, areas of vulnerability, and effective security solutions to defend against these threats. All IoT devices, from employee-owned machines and company assets to simple home appliances, should be secured.
Our research into the threat landscape of IoT delves deeper into specific threats and their corresponding solutions. Learn more here:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.