Sean Rosenberger wrote this article in 2017. The title was, “InfoSec and the Great IoT gold rush”. Ever since we have seen the Internet of Things revolutionize how we interact with technology and connect everyday devices and systems to the Internet. All in a bid to make our lives more convenient and efficient. However, the rapid proliferation of IoT devices has also brought about significant challenges.
IoT security risks facts and figures
Let’s look at some facts and figures:
Explosive Growth: According to the recently published “State of IoT—Spring 2023” report by IoT Analytics, the global count of IoT connections experienced an 18% growth in 2022, reaching 14.3 billion active IoT endpoints. The report predicts a 16% increase in connected IoT devices for 2023, projecting 16 billion active endpoints. Although the growth rate for 2023 is expected to be slightly lower compared to 2022, the report suggests that the upward trend in IoT device connections will persist for the foreseeable future.
Vulnerabilities: In a survey conducted by Gartner, it was revealed that over 25% of identified enterprise attacks would involve IoT devices by 2023, highlighting the increasing focus of cybercriminals on exploiting weaknesses in connected systems.
Major Cybersecurity Breaches: Notable incidents in recent years have exposed the vulnerabilities of IoT devices. For instance, the 2016 Mirai botnet attack harnessed compromised IoT devices to launch a DDoS (Distributed Denial of Service) attack, leading to massive disruptions and outages across the Internet.
Economic Impact: According to a report by Accenture, the global economy could face potential losses of up to $5.2 trillion over the next five years due to IoT-related cyberattacks. This estimation emphasizes the urgent need for effective risk mitigation strategies.
Privacy Concerns: IoT devices often collect and transmit vast amounts of personal data. The vast majority, approximately 92%, of Americans express apprehension regarding their privacy while utilizing the Internet.
Challenges in managing IoT risks
Several factors have compromised security for connected devices, one of the most significant being…us. Most people who own personal computers have at least some concept of maintaining security. On the other hand, virtually no one considers the need for security concerning a smart washing machine, a DVR, or an Internet-enabled garage door opener. When that lack of awareness is combined with the tendency of manufacturers to pay short shrift to harden the operating systems for this class of device due to a desire to bring innovations to market (and some of same myopia shown by users), the result is a population of devices with a myriad of vulnerabilities.
Corresponding rise of threats leveraging IoT
Unfortunately, along with this proliferation of rapidly developed and often insecure devices comes an attendant rise in the frequency, scale, and effectiveness of coordinated misuse. The pervasive lack of security intrinsic to these early generations of devices is primarily enabled by secretly taking control over large numbers of connected devices and leveraging them in the aggregate to conduct various attacks. These groups of IoT devices, called botnets, have already done significant harm in massive DDoS attacks, and the threat is growing.
Mirai
Mirai, identified in the summer of 2016, is malware that infects IoT devices running Linux by leveraging known default passwords. Once infected, the malware proliferates by scanning for other devices with the same vulnerabilities and infecting them.
A botnet using Mirai was employed in September 2016 in a 620 Gbps DDoS attack on the “Krebs on Security” site, along with a 1.1 Tbps attack on French web host OVH. On October 21st, 2016, DDoS attacks targeting Dyn (a DNS service provider) were launched using an estimated 100K IoT devices, severely impacting well-known sites like Twitter, Netflix, Reddit, and others.
Reaper
Called Iotroop by CheckPoint, the Israeli security firm credited with initial discovery and redubbed Reaper by Netlab 360, Reaper is emergent malware with similar worm capabilities as Mirai and using some common elements. However, it differs significantly in that Mirai exploited common default passwords. In contrast, Reaper attacks several vulnerabilities in the operating systems of devices made by over a dozen companies and does so more quietly than Mirai. Currently, there are only 10-20K devices in the active botnet, but with greater than 2M devices infected, there is potential for the most significant known botnet to date. Given the havoc wreaked by the Mirai botnets, this is cause for concern.
The need for Zero Trust in mitigating IoT security risks
The zero Trust security concept assumes no user, device, or network component should be outrightly trusted by default. Instead, it demands continuous validation and verification of devices and identities, regardless of the context or location. This approach can enable your organization to establish granular control, visibility, and improved risk mitigation across your IoT ecosystem.
Expanding Attack Surface: The proliferation of IoT devices has dramatically expanded the attack surface, leaving organizations vulnerable to sophisticated cyber threats. From connected medical devices to smart homes and industrial control systems, the diverse range of IoT endpoints demands a comprehensive security strategy.
Insider and External Threats: Traditional perimeter-based security models are ill-equipped to address the increasing number of insider threats and external attackers targeting IoT devices. Zero Trust provides a proactive and continuous authentication framework that mitigates the risks compromised devices and malicious actors pose.
Data Privacy Concerns: IoT devices often collect and transmit vast amounts of sensitive data, making them attractive targets for data breaches and privacy violations. Zero Trust reinforces data protection by ensuring strict access controls, encryption, and data segmentation, reducing the potential impact of a security breach.
The Path Forward
The Zero Trust approach presents a transformative perspective on IoT security, acknowledging the inherent risks associated with devices and users. By assuming a default stance of distrust, organizations and individuals can adopt a proactive and holistic strategy to safeguard their IoT ecosystems against ever-evolving threats. Embracing the principles of Zero Trust, such as continuous authentication, micro-segmentation, and data protection, establishes a resilient security foundation for the interconnected world. This approach enables us to harness the vast potential of IoT technology while effectively mitigating the risks posed to critical assets and data.