New IoT Exploits Illustrate the Need for Improved Security

An estimated 500 million smart speakers installed in homes across the globe create a range of conveniences, allowing their owners to check the weather, listen to music, shop online and more with a simple voice command. At the same time, however, these devices can be the source of some creepy security risks.

Academic researchers in England and Italy recently developed an exploit that makes a smart speaker such as Amazon Echo hack itself. Malicious actors could use the technique to force the speaker to control any smart devices in the home, including door locks, light switches, security cameras, ovens, microwaves, furnaces and refrigerators. Hackers could also use the exploit to make unauthorized purchases using the victim’s Amazon account.

It's just the latest example of how hackers can target connected Internet of Things devices. Kaspersky researchers identified more than 1.5 billion IoT attacks in the first six months of 2021, more than twice the number for the previous six-month period.

IoT’s Security Gaps

The weaponization of IoT devices is not a new phenomenon. Billions of devices are being compromised each year as malicious actors exploit a variety of security gaps to organize botnets, steal data, launch denial of service attacks or mine cryptocurrency.

Most IoT devices are vulnerable because they have few built-in security controls. Due to their small form factor and lack of processing power, manufacturers often eliminate encryption and other security controls to reduce power consumption. Studies suggest that up to 98 percent of all IoT traffic is unencrypted. Additionally, manufacturers frequently hardcode devices with a single default password to streamline deployment, creating a heightened risk of unauthorized access.

Other factors contribute to IoT device vulnerabilities. The IoT is a highly distributed architecture comprising many different devices, sensors, processors, hardware interfaces, wireless gateways and edge servers, which means there are a variety of possible attack vectors. In addition, different devices have different hardware, software and operating systems that support different security protocols.

Insecure Wi-Fi networks also create risk. Most IoT devices transmit data via Wi-Fi, and malicious actors can exploit Wi-Fi security weaknesses to steal data in transit or to launch man-in-the-middle attacks to steal credentials, exfiltrate data or install malware.

Gaining Visibility

Poor visibility is another problem. IoT devices are being deployed by multiple departments, business units and teams, so IT teams seldom know how many devices are connecting to the corporate network. In a recent ESG study, 75 percent of IT organizations reported a widening visibility gap in their IoT device initiatives.

You obviously can’t secure devices if you don’t know they exist. To improve visibility into the IoT environment, organizations need tools that discover devices and mitigate potential threats. Extended detection and response (XDR) solutions not only detect IoT endpoints connecting to the network, but collect and correlate real-time data about those devices to provide insight into potential security risks.

In addition to implementing XDR, here are some other recommendations for minimizing IoT risk:

• Change the default password on all devices and disable any unneeded features.

• Develop policies for keeping IoT devices and applications up-to-date to protect against emerging security vulnerabilities.

• Consider using network segmentation and access control policies to isolate IoT devices and prevent threats from moving laterally through the corporate network.

• Secure the wireless network with Wi-Fi 6 access points featuring WPA3 encryption, which can prevent many brute-force attacks.

• Use a next-generation firewall to ensure that IoT devices are connecting to safe locations, reducing the chances of devices being remotely exploited.

We recognize that managing and securing ever-expanding IoT environments is a tall order for resource-strapped IT departments. We can deliver the resources you need through our SSD Assurance program. Contact us to learn more.