Cyberattacks have been an increasing menace to U.S. businesses for the past two decades, but we are now reaching an inflection point where a whole new attack vector will make cyber breaches even more frequent, harder to detect, and difficult to stop—yet most companies are completely unprepared for it.
This shift is occurring because of the rapid growth of the Internet of Things (IoT). According to a recent study by Business Insider Intelligence, there were over 50 billion IoT devices as of 2020. Several other leading analysts have also forecasted that this number is growing by over 20% every year. Based on my company’s own research, we have found that the average company today has three to five IoT devices per employee. These IoT devices range from VoIP phones and connected printers to building automation systems, industrial control systems, security cameras, server racks, smart light bulbs and even the office coffee maker.
The problem with IoT devices is that they are extremely vulnerable and easy to hack. Like computers, they use software and firmware and are connected to the local network. However, unlike computers, they have almost no built-in security controls. To put this in context, most IoT devices today are about as secure as a Windows computer from 1989. These devices are built to run, but not to defend.
As the IoT market continues to grow (estimated to reach over $2.4 trillion annually by 2027), so too will the corporate “attack surface.” Hackers who were once limited to targeting computers and servers (which used to be the primary “smart” devices with internet-facing ports) now have an abundance of these new IoT endpoints to hunt for.
What executives need to realize is that, because of IoT, their company’s attack surface is already significantly larger than it used to be—and it will only continue to grow.
What Makes IoT Devices So Vulnerable?
IoT devices are basically mini computers, but most of the time they’re not made by experienced computer manufacturers. Instead, they’re produced by companies that specialize in simple electronics and usually lack expertise in software development and security.
As a result, most IoT devices are made without a secure software development lifecycle (SSDLC). Rather, they use a patchwork of basic—and oftentimes older—firmware that is taken from multiple third-party sources, and without proper vetting. This firmware is often out-of-date too, so it doesn’t include patches for recent or even older vulnerabilities. After analyzing millions of IoT devices in corporate networks, we’ve found that 68% of them contain high-risk and critical vulnerabilities.
To make matters worse, IoT devices are highly communicative by design. That means they have a lot of ways of connecting to the internet, as well as with other devices inside the network. This feature makes them extremely vulnerable should a hacker ever gain control over them, for they can then be used like a subway system to travel all throughout the company.
In essence, IoT devices have created a massive new blind spot for companies, and hackers are eagerly taking advantage. A growing number of hacking groups, ranging from data thieves to ransomware gangs and even nation-states, are now actively hunting for IoT devices as a way to sneak inside company networks.
Cyber Espionage and Data Breaches
Cyber espionage and data theft are now significant risks from IoT breaches. Hackers can pivot to IoT devices after gaining entry through a more traditional attack (like phishing) in order to maintain persistence and move laterally through the network. Or they can use IoT devices as a starting point on the network in order to move deeper inside the company without being noticed. In this way, a hacker who begins by breaching an IP security camera can use this foothold to hunt for other vulnerable devices and leapfrog across the network until reaching a more sensitive machine, like a server or an executive’s computer.
IoT devices can also be a target of botnet rings, and can be a direct conduit for eavesdropping, spying and data theft. For example, VoIP phone systems frequently contain high-risk vulnerabilities which allow remote access. In one recent case, my security team discovered over 700 vulnerable VoIP phones inside one company network—which were easy to hijack with a single click of the mouse.
Similarly, my company has seen attacks where hackers gained access to enterprise camera systems in sensitive locations and were then able to spy on operations and executive personnel. Audio and visual (A/V) equipment in conference rooms and boardrooms has also been targeted by cyber espionage actors in some of the cases we have seen.
Some IoT devices may also store or have access to valuable and sensitive data. Commercial printers, for instance, store print or scanning jobs, which could be accessed by a hacker. Smart sensors used in manufacturing, processing, inventory management and logistics could also expose sensitive information. For example, sensors connected with industrial PLCs (programmable logic controllers) could allow an attacker to gain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing, etc.
Companies can significantly reduce their risk of IoT breaches by taking a few basic steps. Most cyberattacks on IoT take advantage of the fact that 50% of these devices use default passwords and 68% have high-risk vulnerabilities that remain unpatched. Therefore, simply changing the devices’ passwords and updating their firmware will dramatically reduce your risk.
Although many companies use VLANs (virtual local area networks) to segment some of their IoT systems, corporate security teams can also go further in hardening these devices by turning off remote services, disabling excessive connectivity features (including WiFi, Bluetooth and Telnet), and checking for valid certificates (these ensure the IoT device has an authenticated and encrypted connection to the network).
Finally, companies should have accurate inventories of their IoT devices. They need to know exactly how many, what kind and where all of these devices are. IoT devices should also be regularly monitored, the same as traditional IT devices like computers and servers. However, due to the sheer number and variety of IoT devices most companies now have (ranging from thousands to hundreds of thousands of devices), this can be difficult, time-consuming and labor-intensive, so executives should consider investing in automated IoT security solutions that can safely communicate with these devices in their native languages. At the end of the day, a full inventory of your company’s IoT devices is vital, along with regular security updates, hardening and monitoring.
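The steps above (change default passwords, update firmware, disable unneeded services and radios, check certificates, keep an accurate inventory) can be turned into an automated audit over the device inventory. The following is an added example, not code from the original article or from any product it describes: it runs those checks over a constructed sample inventory and orders devices by total risk so a security team knows where to start. Device names, firmware versions, dates and the record fields are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Services and radios the article recommends disabling unless the device needs them.
RISKY_SERVICES = {"telnet", "wifi", "bluetooth"}

# Constructed audit date so the example is deterministic (an assumption, not a real date).
AUDIT_DATE = date(2024, 6, 1)

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class IoTDevice:
    """One inventory record; the field names are hypothetical."""
    name: str
    kind: str
    location: str                 # empty string = location unknown
    firmware: str
    latest_firmware: str          # version the vendor currently ships
    default_password: bool        # True if factory credentials were never changed
    enabled_services: Set[str] = field(default_factory=set)
    cert_valid_until: Optional[date] = None   # None = no device certificate at all


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev: IoTDevice, today: date = AUDIT_DATE) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one device, following the article's checklist."""
    findings = []
    if dev.default_password:
        findings.append(("critical", "default password still in use"))
    if parse_version(dev.firmware) < parse_version(dev.latest_firmware):
        findings.append(("high", f"firmware {dev.firmware} behind latest {dev.latest_firmware}"))
    risky = sorted(dev.enabled_services & RISKY_SERVICES)
    if risky:
        findings.append(("medium", "unneeded services enabled: " + ", ".join(risky)))
    if dev.cert_valid_until is None:
        findings.append(("medium", "no certificate: connection is not authenticated"))
    elif dev.cert_valid_until < today:
        findings.append(("medium", f"certificate expired on {dev.cert_valid_until.isoformat()}"))
    if not dev.location:
        findings.append(("low", "location unknown: inventory record incomplete"))
    return findings


def audit_inventory(devices, today: date = AUDIT_DATE) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every device and key the findings by device name."""
    return {dev.name: audit_device(dev, today) for dev in devices}


def summarize(report) -> Dict[str, int]:
    """Count findings per severity across the whole inventory."""
    counts = {sev: 0 for sev in SEVERITY_WEIGHT}
    for findings in report.values():
        for sev, _ in findings:
            counts[sev] += 1
    return counts


def worst_first(report) -> List[str]:
    """Device names ordered by total risk weight, so the remediation queue starts at the top."""
    def score(name):
        return sum(SEVERITY_WEIGHT[sev] for sev, _ in report[name])
    return sorted(report, key=lambda n: (-score(n), n))


# Constructed sample inventory (names, versions and dates are invented for this example).
SAMPLE_INVENTORY = [
    IoTDevice("lobby-cam-01", "ip-camera", "lobby", "2.1.0", "2.3.1", True, {"http", "telnet"}),
    IoTDevice("print-3f-02", "printer", "3rd floor", "5.4.2", "5.4.2", False, {"http", "ipp"}, date(2026, 1, 1)),
    IoTDevice("voip-desk-117", "voip-phone", "", "3.0.0", "3.0.0", False, {"sip", "wifi", "bluetooth"}, date(2024, 1, 15)),
    IoTDevice("coffee-maker-k1", "appliance", "kitchen", "1.0", "1.2", True, {"wifi"}),
]


def run_audit():
    """Audit the constructed sample inventory at the fixed audit date."""
    return audit_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    report = run_audit()
    for name in worst_first(report):
        print(name)
        for sev, msg in report[name]:
            print(f"  [{sev}] {msg}")
    print("totals:", summarize(report))
```

In practice the inventory records would come from the automated discovery tooling the paragraph above mentions rather than a hard-coded list; the point of the checks is that a device with factory credentials or stale firmware is flagged before an attacker finds it, and that a record with no location is itself a finding, since an inventory you cannot place is one you cannot monitor.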