Why unsecured consumer IoT systems are now a major business problem

Hello, Khabrovites! The first online IoT developer course in Russia starts at OTUS in October. Enrollment for the course is open right now, and in that connection we are, as usual, sharing a translation of an article on the topic.










Most businesses are likely to have at least one employee with a vulnerable device. For cyber criminals, one is enough.







In the consumer realm, Internet of Things (IoT) technology has long been renowned for its extremely crappy security.



Homes today are awash with internet-connected devices - whether it's an espresso machine with an app or a security camera with Wi-Fi connectivity. Consumer electronics will account for 63% of all installed IoT devices in 2020, according to Statista. These devices may collect data about their users, which is sent back to service providers to help improve their products. Manufacturing these devices is a lucrative business, and as demand grows, consumers are increasingly buying cheaper, budget-class devices. The problem is that their security standards are usually pretty weak.



Until recently, security vulnerabilities in the consumer Internet of Things (IoT) weren't a big deal in the business world - privacy-savvy executives just had to reach over and turn off the office Alexa during a mission-critical meeting. But since only a third of workers are expected to return to the office by fall, the worker's home has become a workplace; if it is flooded with insecure IoT devices, that is a serious cybersecurity issue. 15% of IoT device owners still use default passwords, so it is highly likely that most businesses will have at least one employee with a vulnerable device - and cybercriminals need no more than that.



“Most IoT devices purchased for the home are relatively cheap, in part because manufacturers don't put much effort into protecting them in hardware or software,” said Darryl Jones, director of IoT product management at digital identity specialist ForgeRock, in a conversation with TechHQ.



"From poor credential management, outdated firmware and redundant hotspots left behind on consumer devices to infrequent security updates, these devices often don't claim to be secure to begin with."



In 2020, cybersecurity chiefs and their deputies were overwhelmed by the surge in cybercrime. The number of phishing emails exploiting quarantine circumstances has skyrocketed, and the sudden migration of the workforce to remote work has led to an increase in the number of new endpoints that need to be protected. As businesses and employees moved online, criminals followed in droves.



At the same time, in 2019 alone, the number of cyber attacks on IoT devices increased by 300% and is likely to continue to grow.



The most notorious example of the vulnerability of IoT devices was the wave of DDoS attacks by the Mirai botnet in 2016, which at one point left the entire east coast of the United States unable to access the Internet. The US government initially suspected a rogue state, but the culprit was a network of 400,000 compromised consumer IoT devices turned into weapons by a disgruntled Minecraft player.



So why are business leaders caught off guard by the consumer IoT threat?



“Simply put, the pandemic has changed the situation. They used to play chess, now they need to play checkers,” says Jones. “Device vulnerabilities have existed since the beginning, but the huge increase in the number of employees working from home and the steady rise in numbers due to the pandemic have increased the severity of the problem by an order of magnitude.



"While CIOs have worked to secure their devices and networks for years, these changes pose new challenges for both business leaders and CIOs."



Jones suggests that revised cybersecurity strategies geared towards the future of distributed work must address the growing threats not only in terms of Bring Your Own Device (BYOD), but also other employee-owned devices that can access the network.



“Companies should investigate new home technologies that separate the corporate network so that a disruption to the part of the network that contains consumer devices does not compromise the part that is used for corporate purposes,” says Jones.



One approach is for companies to require that private Wi-Fi networks be set up exclusively for corporate devices - a guideline that the FBI has promoted on numerous occasions in the USA. The government should also lay down codes of best practice, or better yet, legislation when it comes to the security of IoT devices. Last year, Finland became the first European country to certify secure smart devices, where products that meet the required standard receive a clearly visible “cybersecurity mark”.



“Unique digital identity should be the new security base as it can be used to protect devices in the workplace, as well as existing or new home devices. In addition, implementing the Zero Trust or CARTA security model can help with this new norm by ensuring that every interaction is secure and understanding the normal behavior of the device and user to detect suspicious interactions,” says Jones.



"Companies must also adopt new corporate security and employee training policies that require the use of private networks, and restrict the use of those networks to only corporate devices."



“Early detection of intrusions is also critical. Companies should have solutions to detect anomalies, including when a new device is connected to the network, as well as other monitoring solutions - endpoints, behavioral, network ...”





