IoT Security Dangers Loom as Office Workers ReturnResearchers: Home- and Office-Connected Devices Vulnerable to Attack
With corporate America beginning to ask employees to come back to their offices in the fall, cybersecurity teams have the huge task of ensuring that the work environment is safe. This is particularly true of IoT devices, as many have been left unprotected for months.
In March 2020, IT and cybersecurity teams began setting up workers to operate from home, and few had time to worry about the IoT devices left behind, says Mark Ostrowski, head of engineering for security firm Check Point.
"Early in the pandemic, the focus of security was to transform their workforce connectivity (remote access), which assumed the primary method of access to corporate functions. Secondarily to that transformation was implementing and shifting application load to the cloud," Ostrowski says.
This rush to the exits opened the doors wide open for cybercriminals.
A recent report by Zscaler's ThreatLabz team notes that during the past 18 months, attackers launched unprecedented waves of attacks against IoT devices that office workers essentially abandoned when they started working from home. These devices now have to be secured along with all the devices that workers used at home or bought while away from their office desk.
The devices attackers targeted - often to fuel botnet development - included office equipment such as printers and IP cameras, but also smart TVs and automobiles. Making it even easier for a malicious actor to intercept and swipe data is the fact that 76% of all communication taking place from and between these devices is through unencrypted plain-text channels, Zscaler says.
Deral Heiland, principal security research for IoT at Rapid7, says the attack surface is even wider regarding IoT devices in a modern corporate setting.
"Often, IoT devices seem to have crept into the environment over the years - such as office cafeteria room appliances, coffee makers, toasters - let alone the standard business technology, including conferencing systems, TVs, printers and security cameras," he says.
Heiland notes that when offices shut down, it would have been the perfect opportunity for IT teams to redesign networks to support IoT technologies in the workplace but, understandably, this did not happen. The task, however, might be accomplished now, he says.
Heading Off to Work
Ensuring the safety of an organization's network and data as employees begin return to offices means a great deal of preparation work has to be done. The first step is cataloging all the IoT devices in use and assigning ownership, Heiland says.
"Most, if not all, of these IoT-based technologies should be segmenting into VLANs so they cannot gain access to the business network," he notes.
The fact that offices were unused spurred some changes that further weakened cybersecurity, Ostrowski says.
Check Point says one of its customers installed more than 6,000 connected light bulbs to gain energy efficiency in empty offices, but the security team was not aware of this initiative.
"The potential vulnerability of IoT is very clear; these devices are more numerous than user devices. They are mostly unmanaged and run firmware based on platforms that are largely exploitable, such as Android and Linux," Ostrowski says. "Identifying, classifying and assuring that these devices have the least amount of access required, zero trust, are the key steps."
In the healthcare sector, air-gapping IoT is very important, he points out.
Other recommendations made by Rapid7's Heiland include:
- Ensure all IoT technology is part of the corporate patch management program;
- Implement an incident detection and response program that includes IoT devices;
- Monitor communication to and from these IoT devices to allow identification of compromised devices.
"For example, printers and also some security cameras regularly do not have passwords properly configured on them, creating an easy avenue, if the organization is breached, for malicious actors to hide and pivot on a network with a low chance of being detected," Heiland says.
Bringing in Danger
The IoT devices intentionally added to a network are only part of the problem facing IT teams. Employees working from home not only bought additional IoT devices to help them work more efficiently in their new location, but also have been operating company laptops and phones across home and other networks that may or may not be fully secure.
Viral Gandhi, senior security researcher for mobile and IoT with Zscaler, notes that home networks are generally less secure, so there is a possibility attackers took the opportunity to plant malware while the devices were away from their office networks.
"Combating this problem requires a combination of visibility, architecture and policy enforcement," Gandhi says. "IT teams need visibility into the unsanctioned devices in their environment and should be inspecting all encrypted and unencrypted traffic going to the internet. Utilizing zero trust is the only way to ensure that these devices don't leave them vulnerable to data exposure."
Ostrowski adds that IoT and mobile device security should be top of mind for all security teams. These devices are quickly becoming the dominant devices on networks at home and in the workplace, so the same level of visibility and prevention needs to be in place as with other network devices.
Empty Offices Attacked
As millions of workers streamed out of their offices in March 2020 and began to work from home, cybercriminals began attacking the now uncountable number of IoT devices left behind.
Zscaler reports that during 2020, the amount of IoT malware on corporate networks increased 700% over the previous year, despite much of the global workforce working from home. This equated to 833 IoT attempts to place malware on a device per hour, according to Zscaler's tracking.
Almost all of the attacks were attempts to pull these now unused devices into botnet armies.
The attacks were highly concentrated in just a few areas:
- 97% of the malware tracked belonged to the Gafgyt and Mirai botnet families;
- Devices in the technology (40%), manufacturing (29%), retail and wholesale (24%) and healthcare (5%) sectors accounted for 98% of IoT attack victims;
- Attackers from the U.S., China and India were responsible for most incidents;
- Most victims were located in Ireland, the U.S. and China.