While the Delta variant of COVID-19 has upended some companies’ plans for a swift return to work this fall, there’s another danger looming for those coming back to the office: Millions of long-forgotten Internet of Things (IoT) devices left behind in the rush to move workers to home offices 18 months ago.
In March 2020, as the world went home and IT teams scrambled to get new networks up and secure, forgotten or abandoned IoT devices remained connected to office WiFi and internet connections—and continued to gather data.
Attackers also noticed this, according to a report published by security firm Zscaler’s ThreatLabz in July. To study the issue, researchers looked at data from half a billion IoT transactions between Dec. 15 and Dec. 31, 2020, when most offices were still abandoned due to the pandemic and the holiday season.
The researchers found attackers targeting a number of common IoT devices, including connected office equipment such as printers and IP cameras, to help create and add to malicious botnets. The report also noted that smart TVs and automobiles were also ensnared in these attacks.
Many of these devices used unsecured, unencrypted channels for transferring data, the report found. “The ever-growing breadth of IoT devices that makes its way onto corporate networks includes everything from smart watches and IP cameras to automobiles and musical furniture,” according to the Zscaler researchers. “Seventy-six percent of the transactions occur on unencrypted plain text channels, though all devices use [secure socket layer] for at least a subset of their communications.”
Even before the COVID-19 pandemic, IoT and other connected devices had greatly expanded the attack surface, giving threat actors additional entry points to vulnerable networks. The past 18 months has made the problem even more complicated, said AJ King, CISO at security firm BreachQuest.
“Security leadership are all too aware of the threats posed by IoT devices in corporate environments. These devices generally don’t support endpoint detection and response or other security agents, don’t integrate with vulnerability management platforms and tend to be black boxes when it comes to functionality,” King told Dice.
“There is little question that unbranded, feature-comparable IoT devices have more vulnerabilities than their branded counterparts,” King added. “Further, they are typically less responsive—or completely unresponsive—in providing patches or mitigations. But end-users may only see the lower price and not understand that translates into higher risk.”
Hybrid Work and IoT
Even before the pandemic, the threats that unsecured or poorly secured IoT devices posed to corporate networks—even when these connected devices didn’t have a specific IT use—had become obvious.
In February 2020, Check Point Research published a report that found attackers could use vulnerabilities in smart light bulbs to attack a wide array of home or corporate networks, using these to launch malware or ransomware.
The consumerization of IT, along with a rush to digitize almost all office functions, has helped expand the threat landscape, which is why IoT devices and the data that they hold have become an increasing security headache, said Tyler Shields, CMO of security firm JupiterOne.
“More apps, more data in the cloud, more digital experiences means more targets of both opportunity and chance,” Shield told Dice. “There will be a continued increase in data compromise as we move more and more of our daily life into the cloud. We’ve really only just begun to see the expansion of digital experiences and the attacks that will grow alongside them.”
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, noted that the COVID-19 pandemic has spelled the end of the traditional network perimeter. This means security and IT teams need to develop a new mindset for how to protect data, especially when these vulnerable IoT devices are deployed by workers, whether at home or in the office.
“Businesses must adapt and prioritize managing and securing access to the business applications and data similar to BYOD types of devices,” Carson said. “That means further segregation of networks for untrusted devices, but secured with strong privileged access security controls to enable productivity and access.”
The numbers bear this out. The Zscaler researchers found that IoT malware on corporate networks increased 700 percent in 2020 compared to 2019. This increase is notable for its sheer scale as well as the fact that most of the workforce was at home during that year.
Carson is not surprised about those increases, since the pandemic meant normal security protocols were missed or ignored. Employees also gained access to data, apps or devices that had been previously forbidden or at least limited.
“Remote work significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain as employers have less visibility to what employees are accessing,” Carson said. “Employees have taken company devices that may have been dependent on network security such as email gateways, web gateways, intrusion detection systems or firewalls to protect those devices. Now, most of those protections are pretty much useless when the devices have been moved to the public internet.”
While the Zscaler report focused mainly on the threat to IoT and connected devices—and how attackers can use these vulnerable devices to create larger and larger botnets—security experts also see other problems once workers start returning to offices.
Brendan O’Connor, CEO and co-founder at AppOmni, noted the increasing use of cloud-based and SaaS applications over the last 18 months has also led to elevated security concerns, especially when these apps are accessed through IoT or other third-party connected devices.
“We find that while companies are eager to use these access points to increase the functionality of their cloud and SaaS systems, they often neglect to secure and monitor them in the same way they’ve secured access from their corporate network, leading to major access vulnerabilities that may be completely unknown to the company,” O’Connor said.
In this case, relying on in-house cybersecurity skills might not be enough. Organizations might have to rely more on automation and the help of third parties to ensure security.
“Since the complexity of cloud and SaaS environments—and the associated security configurations—will only continue to increase, companies will need to use automated tools to ensure that their security settings match their business intent, and to continuously monitor security controls to prevent configuration drift,” O’Connor said. “This is simply no longer a task that teams will be able to keep up with using only manual processes.”