To add insult to injury, the Internet of Things (IoT) doesn’t just have notoriously poor security; connected devices are now front and center in the fallout from attacks on critical control systems. These days, everyone is taking notice…or maybe not.
In July 2021, the White House warned that if the Russian government didn’t take action against ransomware gangs involved in attacks like that on the Colonial Pipeline, they would. While it’s no secret that destinations like Russia and China are now hotbeds for malicious activity, can we conclude that all the activity going back and forth deserves that designation? A recent report from the Zscaler ThreatLabz threat research team, IoT in the Enterprise: Empty Office Edition, pulls back the curtain to reveal our answer. And as an added bonus, it also sheds light on an eye-opening fact: we aren’t giving IoT security enough attention.
What Happens When IoT Devices Are Left Alone
When the world suddenly shifted over to remote work, corporate offices were desolate, yet still buzzing with activity from IoT devices. Although abandoned, the connected IP cameras, smart TVs, printers, and a variety of other devices continued normal day-to-day activities of refreshing data, performing functions, and awaiting commands.
Despite the constant drumbeat of headlines reminding us of IoT security risks, many IT and security teams didn’t follow best practices when it came to securing IoT devices. In our investigation, that led us to find 550 unique IoT device types freely communicating over corporate networks.
But adversaries did have the time and the drive: they took advantage of the chaos, which resulted in a 700% increase in IoT-specific malware year over year.
The Intersection of China and Riskiest Devices
Over the last two weeks of December 2020, when most non-essential business office locations were shut down, our team gathered data from Zscaler cloud customers on IoT malware and IoT device fingerprinting to identify IoT devices and their traffic. Not surprisingly, manufacturing and retail devices accounted for 59 percent of transactions. Less prominent but equally noteworthy was the five percent of transactions that came from entertainment and home automation devices.
Despite accounting for the lowest total traffic of all categories, entertainment and home automation had the most device variety and included a number of consumer devices: a total of 420 devices from 150 different manufacturers. Not only that, but these devices topped the charts in the percentage of traffic using plaintext communications. The importance here is that without encryption, these devices are easier for attackers to eavesdrop on or, worse, to intercept and modify for malicious purposes.
So where do China and Russia fall in all of this? It turns out that entertainment and home automation devices are much more likely to route to these locations, particularly China, than devices from the other categories we investigated. While much of this is legitimate, non-malicious traffic, Zscaler ThreatLabz and the White House consider these destinations suspicious due to their potential for government spying and other data vulnerabilities.
During our data analysis, we also discovered that almost all (99.9%) of this suspicious traffic came from smart TVs and set-top boxes. So who knows, it might not be malware. Maybe Xi Jinping is simply trying to intercept his favorite reality show? If nothing else, we can gain some comic relief from the thought.
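The two risk signals described above, plaintext communications and traffic routed to watch-listed destinations, can be measured per device category from ordinary flow records. The following script is an added example, not Zscaler’s code or data: the flow records, the device inventory, the set of protocols treated as plaintext and the two-country watch list are all constructed for illustration, and a real deployment would feed it fingerprinted flows from its own proxy or firewall logs.

```python
"""Audit constructed IoT flow records for two risk signals: plaintext
application protocols and traffic to watch-listed destination countries.
Every record below is constructed for illustration (not real telemetry)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the flow record names the application protocol; these are the
# ones that carry no encryption of their own.
PLAINTEXT_PROTOCOLS = {"http", "telnet", "ftp", "mqtt", "rtsp", "snmp", "modbus"}
# Destinations the post treats as suspicious; a policy choice, not a verdict.
WATCHLIST = {"CN", "RU"}


@dataclass(frozen=True)
class Flow:
    device: str        # fingerprinted device type
    category: str      # device category from the fingerprinting step
    protocol: str      # application protocol observed
    dest_country: str  # ISO 3166-1 alpha-2 code of the destination


def is_plaintext(flow: Flow) -> bool:
    return flow.protocol.lower() in PLAINTEXT_PROTOCOLS


def is_watchlisted(flow: Flow) -> bool:
    return flow.dest_country.upper() in WATCHLIST


def summarize(flows: Iterable[Flow]) -> Dict[str, Dict[str, float]]:
    """Per category: share of all transactions, share that is plaintext,
    share that goes to a watch-listed country, and distinct device types."""
    flows = list(flows)
    per_cat = defaultdict(lambda: {"total": 0, "plain": 0, "watch": 0, "devs": set()})
    for f in flows:
        c = per_cat[f.category]
        c["total"] += 1
        c["devs"].add(f.device)
        if is_plaintext(f):
            c["plain"] += 1
        if is_watchlisted(f):
            c["watch"] += 1
    total = len(flows)
    return {
        cat: {
            "share_pct": round(100.0 * c["total"] / total, 1),
            "plaintext_pct": round(100.0 * c["plain"] / c["total"], 1),
            "watchlist_pct": round(100.0 * c["watch"] / c["total"], 1),
            "device_types": len(c["devs"]),
        }
        for cat, c in per_cat.items()
    }


def watchlist_devices(flows: Iterable[Flow]) -> Dict[str, int]:
    """Which device types produced the watch-listed traffic, most first."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_watchlisted(f):
            counts[f.device] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def flag(flows: Iterable[Flow]) -> List[str]:
    """Human-readable findings for flows that need a closer look."""
    out = []
    for f in flows:
        reasons = []
        if is_plaintext(f):
            reasons.append(f"plaintext {f.protocol}")
        if is_watchlisted(f):
            reasons.append(f"destination {f.dest_country} on watch list")
        if reasons:
            out.append(f"{f.device} ({f.category}): " + "; ".join(reasons))
    return out


# Constructed sample flows (ten transactions from an "empty" office).
ENT = "entertainment/home automation"
SAMPLE_FLOWS = [
    Flow("plc-gateway", "manufacturing", "https", "US"),
    Flow("plc-gateway", "manufacturing", "modbus", "US"),
    Flow("barcode-scanner", "retail", "https", "DE"),
    Flow("pos-terminal", "retail", "https", "US"),
    Flow("ip-camera", "enterprise", "rtsp", "US"),
    Flow("printer", "enterprise", "https", "US"),
    Flow("smart-tv", ENT, "http", "CN"),
    Flow("set-top-box", ENT, "http", "CN"),
    Flow("smart-tv", ENT, "https", "US"),
    Flow("smart-speaker", ENT, "mqtt", "US"),
]

if __name__ == "__main__":
    for cat, stats in summarize(SAMPLE_FLOWS).items():
        print(cat, stats)
    print(watchlist_devices(SAMPLE_FLOWS))
    print("\n".join(flag(SAMPLE_FLOWS)))
```

On the constructed sample the entertainment/home automation category has the most device types, the highest plaintext share and all of the watch-listed traffic, and that traffic comes entirely from the smart TV and set-top box, which mirrors the shape of the findings above. The watch list is deliberately a plain set so that a team can tune it to its own risk appetite rather than hard-code a verdict about any country.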
Suspicious or Not: Use Zero Trust
As the list of connected devices continues to grow, permeating our corporate networks (and the less secure Wi-Fi networks we use as we work from anywhere), it is almost impossible to keep adversaries away from sensitive data and crown jewels as they move laterally throughout our networks. Zscaler’s recent research reaffirms that.
To mitigate the threat of IoT malware, from both sanctioned and unsanctioned devices, a zero trust architecture is the only way forward. The reality is that most IoT devices have no business interacting with your corporate data or applications, period. Rather than trying to determine whether it’s a nation-state attack, a dictator watching his programs, or a harmless Tesla pulling up in the parking lot and then reacting accordingly, it’s best to assume that no activity can be trusted and to stop unrestricted network access. Shifting from legacy network-centric security to a zero trust architecture achieves this by eliminating implicit-trust policies and tightly controlling access using dynamic identity-based authentication. Only when you know who the user is, what the device is, and whether that user and device are allowed to access the application does the trusted person or device get to touch the network.
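The decision the paragraph describes, user identity plus device identity plus an explicit application entitlement, with everything else denied, is small enough to show as a policy engine. The code below is an added example, not Zscaler’s product or policy model: the device inventory, directory groups and allow rules are constructed for illustration, and the shape of the decision (default deny, explicit allows keyed on group and device type, headless devices pinned to one service) is an assumption about how such a policy would be written.

```python
"""A default-deny access decision in the zero trust style: a request is
allowed only when the user is known, the device is known and managed, and
an explicit rule grants that user on that device type access to that app.
All inventory, directory and rule data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: Optional[str]  # authenticated identity, or None if none was asserted
    device_id: str       # identifier from device fingerprinting / certificate
    app: str             # application the request is for


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed device inventory: what each known device is and whether it is
# under management (posture known, certificate issued, and so on).
DEVICE_INVENTORY: Dict[str, Dict[str, object]] = {
    "laptop-0423": {"type": "laptop", "managed": True},
    "printer-07": {"type": "printer", "managed": True},
    "tv-lobby": {"type": "smart-tv", "managed": False},
}

# Constructed directory: identity -> groups.
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"engineering"}}

# Explicit allow rules keyed on (group, device type). Anything absent is denied.
ALLOW_RULES: Dict[Tuple[str, str], Set[str]] = {
    ("finance", "laptop"): {"erp", "mail"},
    ("engineering", "laptop"): {"git", "mail"},
}

# Headless devices carry no user identity; they are pinned to one service.
DEVICE_SERVICE_RULES: Dict[str, Set[str]] = {"printer": {"print-queue"}}


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision; every path that is not an explicit
    allow ends in a deny, so an unlisted device or app can never get through."""
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return Decision(False, "unknown device")
    dtype = str(device["type"])
    if not device["managed"]:
        # An unmanaged device never reaches an application, user or not.
        return Decision(False, f"unmanaged {dtype}")
    if req.user is None:
        # No identity: only a pinned device-to-service rule can allow it.
        if req.app in DEVICE_SERVICE_RULES.get(dtype, set()):
            return Decision(True, f"managed {dtype} pinned to {req.app}")
        return Decision(False, "no identity and no device-service rule")
    for group in USER_GROUPS.get(req.user, set()):
        if req.app in ALLOW_RULES.get((group, dtype), set()):
            return Decision(True, f"{req.user} in {group} on {dtype}")
    return Decision(False, "no rule grants this user and device access to the app")


if __name__ == "__main__":
    for r in (
        Request("alice", "laptop-0423", "erp"),
        Request("bob", "laptop-0423", "erp"),
        Request(None, "printer-07", "print-queue"),
        Request(None, "tv-lobby", "erp"),
        Request("alice", "tv-lobby", "mail"),
        Request("alice", "camera-99", "mail"),
    ):
        print(r, "->", evaluate(r))
```

The important property is structural rather than in any one rule: the function has exactly two `allow` returns, each reached only after a positive match, so the smart TV in the lobby is refused whether or not someone happens to be logged in near it, and a device that is not in the inventory at all is refused before any app is even considered.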
With zero-trust security architectures and policies in place, enterprises can feel confident that even as employees begin to return to the office, their smartwatches won’t be an open door into the network for malware.
Want more insight into what was really happening with our IoT devices over the course of the pandemic? Get your copy of IoT in the Enterprise: Empty Office Edition.