In the study “IoT in the Enterprise: Empty Office Edition”, Zscaler, Inc. analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks that were blocked by the Zscaler Security Cloud over the course of two weeks in December 2020. Compared to pre-pandemic research, malware attacks on IoT devices have increased by 700 percent.
These attacks targeted 553 different types of devices such as printers, digital signage and smart TVs connected to corporate IT networks while many employees were working remotely because of the COVID-19 pandemic. The Zscaler ThreatLabz research team identified the most vulnerable IoT devices, the most common sources and targets, and the malware families responsible for the majority of malicious traffic to better help organizations protect their valuable data.
“For more than a year, most corporate offices were largely empty as employees continued to work remotely during the COVID-19 pandemic. However, our service teams found that the company networks were buzzing with IoT traffic even without employees,” says Deepen Desai, CISO at Zscaler. “The volume and variety of IoT devices connected to corporate networks is enormous and includes everything from music lights to IP cameras. Our team found that 76 percent of these devices are still communicating over unencrypted clear text channels, so these IoT transactions create a high risk potential for companies.”
Which devices are most at risk?
Of the more than half a billion IoT device transactions, Zscaler identified 553 different devices from 212 manufacturers, 65 percent of which fell into three categories: set-top boxes (29 percent), smart TVs (20 percent) and smartwatches (15 percent). The “Home Entertainment & Automation” category had the greatest variety of unique devices, but compared to devices from the “Manufacturing”, “Enterprise” and “Healthcare” sectors, it accounted for the lowest number of transactions.
Instead, most of the traffic came from manufacturing and retail devices – 59 percent of all data transactions came from these devices and included 3D printers, geolocation trackers, multimedia systems for vehicles, data collection terminals such as barcode readers and payment terminals. Corporate devices were the second most common, accounting for 28 percent of transactions, and healthcare devices followed with nearly 8 percent of traffic.
ThreatLabz also discovered a number of unexpected devices that connected to the cloud, including smart refrigerators and music lights, that were still sending traffic through corporate networks.
Who is responsible for that?
The ThreatLabz team also examined the specific activities of IoT malware revealed in the Zscaler cloud. A total of 18,000 individual hosts and around 900 individual payloads were observed over a period of 15 days. The ThreatLabz team came across the two malware families Gafgyt and Mirai the most frequently. They made up 97 percent of the 900 payloads. These two families are known to hijack devices to create botnets – large networks of private computers that can be controlled as a group to spread malware, overload infrastructure, or send spam.
Who will be targeted?
The three countries most frequently targeted by IoT attacks were Ireland (48 percent), the United States (32 percent) and China (14 percent). Almost 90 percent of the compromised IoT devices sent data back to servers in one of three countries: China (56 percent), the USA (19 percent) or India (14 percent).
How can organizations protect themselves?
With the list of “smart” devices growing almost daily around the world, it is next to impossible to keep them out of businesses. Rather than trying to eliminate this type of shadow IT, IT teams should put access policies in place that prevent these devices from opening doors to the most sensitive business data and applications on the network. These policies and strategies apply regardless of whether the IT teams (or other employees) are on-site or not. ThreatLabz recommends the following tips to reduce the IoT malware threat on both managed and unmanaged devices:
- Insight into all devices in the network. Implement solutions that are able to review and analyze network protocols to gain insight into what devices are communicating on a network and what they are doing.
- Change all standard passwords. Controlling passwords may not always be possible, but a basic first step in using corporate IoT devices should be to update passwords and use two-factor authentication.
- Regular updates and patches. Many industries – especially manufacturing and healthcare – rely on IoT devices for their day-to-day workflows. Organizations should ensure that they are kept abreast of any newly discovered vulnerabilities and keep device security up to date with the latest patches.
- Implement a zero trust security architecture. Put strict policies for corporate resources in place so that users and devices can only access what they need, and only once authenticated. Limit communication to the IPs, ASNs and ports that are actually required for external access. Unauthorized IoT devices that require Internet access should have their traffic inspected and be shielded from all company data, ideally via a proxy. To ensure that shadow IoT devices do not pose a threat to corporate networks, implicit trust must be eliminated and strict access control to sensitive data must be in place, which can be achieved with dynamic, identity-based authentication as in a Zero Trust model.
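The following is an added example (not from Zscaler or the report) of how the last two recommendations can be turned into a concrete check: each known IoT device gets a per-device allowlist of destinations and ports, every flow is denied unless it matches, flows to internal corporate subnets are flagged, unknown devices are sent to an inspecting proxy, and the cleartext ports the report's "unencrypted clear text" finding refers to are called out. Device names, networks and flow records below are constructed placeholders.

```python
"""Zero-trust style egress policy check for IoT flow records (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Application ports that normally carry unencrypted traffic (FTP, Telnet, HTTP, MQTT).
CLEARTEXT_PORTS = {21, 23, 80, 1883}

# Corporate subnets IoT devices must never reach directly ("shielded from company data").
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class DevicePolicy:
    allowed_nets: list  # destination networks the device legitimately needs
    allowed_ports: set  # destination ports it legitimately needs


# Hypothetical per-device allowlists; anything not listed here is denied by default.
POLICY = {
    "printer-3f": DevicePolicy([ip_network("203.0.113.0/24")], {443}),
    "signage-01": DevicePolicy([ip_network("198.51.100.0/24")], {443, 8883}),
}


def evaluate(flow):
    """Return a list of findings for one flow; an empty list means the flow is allowed."""
    policy = POLICY.get(flow["device"])
    if policy is None:
        # Unknown (shadow) device: no implicit trust, route via inspecting proxy only.
        return ["unknown-device: deny direct access, route via inspecting proxy"]
    if not flow.get("authenticated", False):
        return ["unauthenticated-device"]
    dst = ip_address(flow["dst"])
    findings = []
    if any(dst in net for net in INTERNAL_NETS):
        findings.append("internal-corporate-destination")
    if not any(dst in net for net in policy.allowed_nets):
        findings.append("destination-not-allowlisted")
    if flow["dport"] not in policy.allowed_ports:
        findings.append("port-not-allowlisted")
    if flow["dport"] in CLEARTEXT_PORTS:
        findings.append("cleartext-protocol")
    return findings


def audit(flows):
    """Evaluate every flow and return the findings in the same order."""
    return [evaluate(f) for f in flows]
```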