Zscaler released a study examining the state of IoT devices left on corporate networks during a time when businesses were forced to move to a remote working environment.
The report analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked over the course of two weeks in December 2020 – a 700% increase when compared to pre-pandemic findings. These attacks targeted 553 different device types, including printers, digital signage and smart TVs, all connected to and communicating with corporate IT networks while many employees were working remotely during the COVID-19 pandemic.
The research team identified the most vulnerable IoT devices, most common attack origins and destinations, and the malware families responsible for the majority of malicious traffic to better help enterprises protect their valuable data.
“For more than a year, most corporate offices have stood mostly abandoned as employees continued to work remotely during the COVID-19 pandemic. However, our service teams noted that despite a lack of employees, enterprise networks were still buzzing with IoT activity,” said Deepen Desai, CISO of Zscaler.
“The volume and variety of IoT devices connected to corporate networks is vast and includes everything from musical lamps to IP cameras. Our team saw 76 percent of these devices still communicating on unencrypted plain text channels, meaning that a majority of IoT transactions pose great risk to the business.”
What IoT devices are most at risk from malware?
Out of over a half a billion IoT device transactions, 553 different devices from 212 manufacturers were identified, 65 percent of which fell into three categories: set-top boxes (29 percent), smart TVs (20 percent), and smartwatches (15 percent).
The home entertainment & automation category had the greatest variety of unique devices but they accounted for the least number of transactions when compared to manufacturing, enterprise, and healthcare devices.
Most traffic instead came from devices in manufacturing and retail industries – 59 percent of all transactions were from devices in this sector and included 3D printers, geolocation trackers, automotive multimedia systems, data collection terminals like barcode readers, and payment terminals.
Enterprise devices were the second most common, accounting for 28 percent of transactions, and healthcare devices followed at nearly 8 percent of traffic.
A number of unexpected devices connecting to the cloud were also dicovered, including smart refrigerators and musical lamps that were still sending traffic through corporate networks.
The team also looked closely at activities specific to IoT malware tracked in the cloud. Volume-wise, a total of 18,000 unique hosts and roughly 900 unique payload deliveries were observed in a 15-day timeframe.
Malware families Gafgyt and Mirai were the two most common families encountered by ThreatLabz, accounting for 97 percent of the 900 unique payloads. These two families are known for hijacking devices to create botnets – large networks of private computers that can be controlled as a group to spread malware, overload infrastructure, or send spam.
Who is being targeted?
The top three nations targeted by IoT attacks were Ireland (48 percent), the United States (32 percent), and China (14 percent).
The majority of compromised IoT devices, nearly 90 percent, were observed sending data back to servers in one of three countries: China (56 percent), the United States (19 percent), or India (14 percent).
How can organizations protect themselves?
As the list of “smart” devices out in the world grows on a daily basis, it’s almost impossible to keep them from entering your organization. Rather than trying to eliminate shadow IT, IT teams should enact access policies that keep these devices from serving as open doors to the most sensitive business data and applications. These policies and strategies can be employed whether or not IT teams (or other employees) are on-premises.
Here are some tips to mitigate the threat of IoT malware, both on managed and BYOD devices:
- Understand all your network devices. Deploy solutions able to review and analyze network logs to understand all devices communicating across your network and what they do.
- Change all default passwords. Password control may not always be possible, but a basic first step for deploying corporate-owned IoT devices should be to update passwords and deploy two-factor authentication.
- Update and patch regularly. Many industries—particularly manufacturing and healthcare—rely on IoT devices for their day-to-day workflows. Make sure you stay apprised of any new vulnerabilities that are discovered, and that you keep device security up-to-date with the latest patches.
- Isolate IoT networks. Install IoT devices on their own, siloed networks to prevent lateral movement, with restrictions on inbound and outbound network traffic. Similarly, restrict access as much as possible from external networks by only allowing communication with relevant IPs and ASNs, blocking unnecessary ports from external access.
- Implement a zero trust architecture. The only way to stop shadow IoT devices from posing a threat to corporate networks is to eliminate implicit-trust policies and tightly control access to sensitive data using dynamic identity-based authentication – also known as zero trust.