When millions of people around the world were sent home to work at the onset of the global COVID-19 pandemic, they left behind not only empty offices but also a host of Internet of Things (IoT) devices – from smartwatches to networked printers – that were still connected to corporate networks and cranking away.
According to a pair of recent reports from cloud security vendor Zscaler, cybercriminals picked up on this, with the result being a significant surge in malware attacks against these devices. During a two-week period in December 2020, Zscaler analyzed more than 575 million device transactions and blocked more than 300,000 malware attacks aimed at IoT devices, a 700 percent increase over pre-pandemic numbers.
The attacks targeted 553 different types of devices from 212 manufacturers, ranging from digital signage and smart TVs to set-top boxes, IP cameras, and automotive multimedia systems. Zscaler’s ThreatLabz research team also saw such devices as smart refrigerators and musical furniture connected to the cloud and open to attack.
A Push for Zero Trust
The results are a warning to enterprises about the threat posed by the wide array of devices within their environments that are connected to their networks via the cloud. It also feeds into the larger argument for adopting a zero-trust architecture, a methodology that essentially assumes that no user or device trying to connect to the network can be trusted until it has been authenticated and verified.
The increasingly distributed nature of IT – with data and applications living in and being accessed through the cloud, outside of traditional data centers protected by firewalls and antivirus software – is helping to fuel the zero-trust push, which states that identity is key. It’s gained more momentum in recent weeks with the Department of Defense and the Biden Administration, in reaction to such high-profile attacks as those on SolarWinds, Colonial Pipeline and Kaseya, urging government agencies and private companies to adopt a zero-trust architecture. IoT device security has also been the target of a broad federal effort in recent months.
“For more than a year, most corporate offices have stood mostly abandoned as employees continued to work remotely during the COVID-19 pandemic,” Deepen Desai, chief information security officer (CISO) at Zscaler, said in a statement. “However, our service teams noted that despite a lack of employees, enterprise networks were still buzzing with IoT activity.”
Most Devices Communicate in Plaintext
That activity came from myriad devices, according to the reports. Sixty-five percent of the 553 IoT devices fell into the categories of set-top boxes (29 percent), smart TVs (20 percent) and smartwatches (15 percent), with the home entertainment and automation segment having the greatest variety of devices, the company found.
That said, it was devices like 3D printers, data collection terminals and geolocation trackers in such segments as manufacturing and retail that generated 59 percent of the transactions from IoT devices. Enterprises accounted for 28 percent, followed by healthcare devices at 8 percent.
How the devices communicated was also a problem. ThreatLabz found that 76 percent of all transactions occurred over plain-text channels; 24 percent were over secure encrypted pathways.
“The security risk persists: plaintext communications are much easier for attackers to spy on or, worse, to intercept and modify, allowing them to exploit the IoT devices for malicious purposes,” researchers wrote in one of the reports. “All 553 devices observed in the study used SSL in some capacity, but the percentage of communications that were actually encrypted varied widely by device type.”
Two Malware Groups Lead Attacks
The majority of attacks – 97 percent – came from two malware groups, Gafgyt and Mirai. The former accounted for the most unique payloads, with about 900 detected; the latter’s payloads were used more frequently. The attacks also were global in nature. More than 88 percent of compromised IoT devices were routing data back to servers in China, the United States or India – considered “malware destination” countries where the attacks originated.
The victims were primarily in three industries: technology, which accounted for 40 percent of infections, manufacturing (28 percent), and retail and wholesale (24 percent), with most of the attacks in Ireland, the United States and China.
The threat of connected devices in campus and branch offices will persist. Even once the pandemic lifts, many companies are going to continue letting employees work remotely at least part of each week, among them Siemens, Microsoft, Salesforce and Facebook.
And with the Delta variant of the COVID-19 virus spreading and continued resistance by a large swath of the population to vaccinations, it’s unclear when that pandemic will pass and offices will be bustling with people again. Apple this week said it was delaying the return of employees to the office for at least a month due to rising numbers of positive cases.
Remote Work and Security
The ongoing teleworking environment will continue to scramble the cybersecurity picture, driving the need for a zero-trust architecture that is keyed to identity and not perimeters, according to Joseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) solution provider ThycoticCentrify.
“The change to a hybrid work environment has demonstrated that security must evolve from being perimeter- and network-based to one that is focused on identity and privileged access management,” Carson told eSecurity Planet. “Organizations must adapt and prioritize managing and securing access to the business applications and data similar to BYOD [bring-your-own-device] types of devices. That means further segregation of networks for untrusted devices but secured with strong privileged access security controls to enable productivity and access.”
Remote work also has increased the threat of employees “taking risks with company assets, such as stealing sensitive data for personal use or gain as employers have less visibility to what employees are accessing,” he said. “Employees have taken company devices that may have been dependent on network security such as email gateways, web gateways, intrusion detection systems or firewalls to protect those devices. Now, most of those protections are pretty much useless when the devices have been moved to the public internet.”
Protective Steps to Take
Zscaler laid out steps enterprises can take to protect their managed IoT and BYOD devices from malware in such a distributed environment, including using tools to gain greater insight into all network devices, changing all default passwords and adopting two-factor authentication technology.
In addition, they need to update and patch the software on all IoT-related devices. The ThreatLabz report also recommends a zero-trust architecture.
“Enforce strict policies for your corporate assets so that users and devices can access only what they need, and only after authentication,” the researchers wrote. “Restrict communication to relevant IPs, ASNs [autonomous system numbers], and ports needed for external access. Unsanctioned IoT devices that require internet access should go through traffic inspection and be blocked from all corporate data, ideally through a proxy. The only way to stop shadow IoT devices from posing a threat to corporate networks is to eliminate implicit-trust policies and tightly control access to sensitive data using dynamic identity-based authentication – also known as zero trust.”
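One way to audit IoT flow records against two of the report's findings, the share of transactions sent in plaintext and the call to restrict each device's communication to the IPs and ports it actually needs. This is an added example, not code from Zscaler or the report; the device names, addresses and flow records are constructed, and the allowlist is a hypothetical policy.

```python
# Added example: audit constructed IoT flow records for plaintext traffic
# and for destinations outside a per-device allowlist (zero-trust style).
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    device: str      # device identity, e.g. "smart-tv-lobby" (hypothetical)
    dst_ip: str      # destination address (documentation ranges, constructed)
    dst_port: int
    encrypted: bool  # True if the session negotiated TLS


# Constructed sample flows; "shadow-cam" is a device nobody sanctioned.
FLOWS = [
    Flow("smart-tv-lobby", "203.0.113.10", 443, True),
    Flow("smart-tv-lobby", "203.0.113.10", 80, False),
    Flow("smart-tv-lobby", "198.51.100.7", 8080, False),
    Flow("printer-3f", "203.0.113.20", 443, True),
    Flow("printer-3f", "192.0.2.55", 23, False),
    Flow("shadow-cam", "203.0.113.99", 443, True),
]

# Hypothetical per-device allowlist of (dst_ip, dst_port); anything else
# is the implicit trust the report says to eliminate.
ALLOWLIST = {
    "smart-tv-lobby": {("203.0.113.10", 443)},
    "printer-3f": {("203.0.113.20", 443)},
}


def plaintext_share(flows):
    """Return {device: fraction of its flows that were not encrypted}."""
    total, plain = defaultdict(int), defaultdict(int)
    for f in flows:
        total[f.device] += 1
        if not f.encrypted:
            plain[f.device] += 1
    return {d: plain[d] / total[d] for d in total}


def policy_violations(flows, allowlist):
    """Return flows whose destination is not allowlisted for the device.
    A device with no allowlist entry is unsanctioned, so all of its
    flows are reported (they should be proxied and inspected instead)."""
    return [f for f in flows
            if (f.dst_ip, f.dst_port) not in allowlist.get(f.device, set())]


if __name__ == "__main__":
    for dev, share in plaintext_share(FLOWS).items():
        print(f"{dev}: {share:.0%} plaintext")
    for f in policy_violations(FLOWS, ALLOWLIST):
        print(f"DENY {f.device} -> {f.dst_ip}:{f.dst_port}")
```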