Why attackers love to target IoT devices

Lacking designed-in security and plagued with chronic default password use, Internet of Things (IoT) devices are quickly becoming attackers’ favorite targets. Add to that the rapid rise of the many different roles and identities assigned to each advanced IoT sensor in an operational technology (OT) network, and their proximity to the mission-critical systems running a business, and it is no surprise attackers love to target IoT devices.

Forrester’s recent report, The State of IoT Security, 2023, explains the factors contributing to IoT devices’ growing popularity with attackers worldwide. 

IoT attacks are growing at a significantly faster rate than mainstream breaches. Kaspersky ICS CERT found that in the second half of 2022, 34.3% of all computers in the industrial sector were affected by an attack, and there were 1.5 billion attacks against IoT devices during the first half of 2021 alone. Malicious objects were blocked on more than 40% of OT systems. SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021.

Figure: Most common targets (bar chart). IoT devices are easy targets, presenting attackers with gaps they can exploit to deliver ransomware and malicious code and launch intrusion attacks. Source: Forrester, The State of IoT Security, 2023

Ritesh Agrawal, CEO of Airgap Networks, observes that while IoT endpoints may not be business critical, they can be easily breached and used for spreading malware straight to an organization’s most valuable systems and data. He advises organizations to insist on the basics for every IoT endpoint: discovery, segmentation and identity.


In a recent interview with VentureBeat, Agrawal advised organizations to look for solutions that don’t require forced upgrades and won’t disrupt IoT networks during deployment — two of several design goals he and his cofounder defined when they created Airgap Networks. 

The making of a high-value target

IoT devices are under attack because they are easy targets that can quickly lead to large ransomware payouts in industries where uptime is vital to survival. Manufacturing is particularly hard-hit because attackers know a factory or plant can’t afford to be down for long, so they demand two to four times the ransom they might demand from other targets. Sixty-one percent of all breach attempts and 23% of all ransomware attacks are aimed primarily at OT systems.

Forrester investigated why IoT devices are becoming such a high-value target and how they are being used to launch broader, more devastating attacks across organizations. The four key factors they identified are the following:

1. IoT devices’ security blind spots are designed in.

Most legacy, currently installed IoT devices weren’t designed with security as a priority. Many lack the option of reflashing firmware or loading a new software agent. Despite these limitations, there are still effective methods for protecting IoT endpoints.

The first goal must be to close the blind spots in IoT sensors and networks. Shivan Mandalam, director of product management, IoT security at CrowdStrike, told VentureBeat during a recent interview that “it’s essential for organizations to eliminate blind spots associated with unmanaged or unsupported legacy systems. With greater visibility and analysis across IT and OT systems, security teams can quickly identify and address problems before adversaries exploit them.”

Leading cybersecurity vendors with IoT security systems and platforms in use today include Airgap Networks, Absolute Software, Armis, Broadcom, Cisco, CradlePoint, CrowdStrike, Entrust, Forescout, Fortinet, Ivanti, JFrog and Rapid7. Last year at Fal.Con 2022, CrowdStrike launched an augmented Falcon Insight, including Falcon Insight XDR and Falcon Discover for IoT, which targets security gaps in and between industrial control systems (ICSs).

Figure: Top security priorities (bar chart). Forrester’s 2022 data shows that 63% of global senior security decision-makers increased their IoT security budgets from 2022 to 2023, accentuating how many security and IT teams have the budget to get endpoint security right. Source: Forrester, The State of IoT Security, 2023

2. Chronic admin password use, including credentials, is common.

It’s common for short-handed manufacturing companies to leave the default admin passwords on IoT sensors. Often they keep the default settings because manufacturing IT teams don’t have the time to configure each device or aren’t aware the option to do so exists. Forrester points out that many IoT devices neither require users to set a new password upon initialization nor give organizations a way to force new passwords to be set. Forrester also notes that administrative credentials often can’t be changed on older devices.

Hence, CISOs, security teams, risk management professionals and IT teams have new and old devices with known credentials on their networks.

Leading vendors providing security solutions for improving IoT endpoint security at the password and identity level include Armis, Broadcom, Cisco, CradlePoint, CrowdStrike, Entrust, Forescout, Fortinet, Ivanti and JFrog. Ivanti is a leader in this area, having successfully developed and launched four solutions for IoT security: Ivanti Neurons for RBVM, Ivanti Neurons for UEM, Ivanti Neurons for Healthcare, which supports the Internet of Medical Things (IoMT), and Ivanti Neurons for IIoT, based on the company’s Wavelink acquisition, which secures Industrial Internet of Things (IIoT) networks.

“IoT devices are becoming a popular target for threat actors, with IoT attacks making up more than 12% of global malware attacks in 2021, up from 1% in 2019, according to IBM,” explained Dr. Srinivas Mukkamala, chief product officer at Ivanti, in a recent interview with VentureBeat. “To combat this, organizations must implement a unified endpoint management (UEM) solution that can discover all assets on an organization’s network — even the Wi-Fi-enabled toaster in your break room.”

“The combination of UEM and risk-based vulnerability management solutions is essential to achieve a seamless, proactive risk response to remediate actively exploited vulnerabilities on all devices and operating systems in an organization’s environment,” Mukkamala said.

3. Nearly every healthcare, services and manufacturing business relies on legacy IoT sensors.

From hospital departments and patient rooms to shop floors, legacy IoT sensors are the backbone of how these businesses capture the real-time data they need to operate. These industries are high-value targets for attackers aiming to compromise their IoT networks as a starting point for lateral movement across the wider network. Seventy-three percent of IoT-based IV pumps are hackable, as are 50% of Voice-over-IP (VoIP) systems; overall, 50% of connected devices in a typical hospital have critical risks today.

Forrester points out that one of the main causes of these vulnerabilities is that the devices are running unsupported operating systems that can’t be secured or updated. This increases the risk of a device becoming “bricked” if an attacker compromises one and it can’t be patched.

4. The problem with IoT is the I, not the T.

Forrester observes that IoT devices immediately become a security liability when connected to the Internet. One cybersecurity vendor who requested anonymity and was interviewed for this article said one of their biggest customers kept scanning networks to resolve an IP address being pinged from outside the company.

It was a security camera for the front lobby of a manufacturing plant. Attackers were monitoring traffic flow patterns to see how they could drift in with a large crowd of workers coming into work, then access internal networks and plant their sensors on the network. It’s no wonder that Forrester observed IoT devices have become conduits for command-and-control attacks — or become botnets, as in the well-known Mirai botnet attack and subsequent attacks.

What it’s like to go through an IoT attack

Manufacturers tell VentureBeat they’re unsure how to protect legacy IoT devices and their programmable logic controllers (PLCs). PLCs provide the rich real-time data stream needed to run their businesses. IoT and PLCs are designed for ease of integration, the opposite of security, which makes securing them very difficult for any manufacturer that doesn’t have a full-time IT and security staff.

An automotive parts manufacturer based in the midwestern U.S. was hit with a massive ransomware attack that started when unprotected IoT sensors and cameras on their network were breached. VentureBeat has learned that the attackers used a variant of R4IoT ransomware to initially infiltrate the company’s IoT, video, and PLCs being used for automating HVAC, electricity and preventative maintenance on machinery.

Once on the company network, the attackers moved laterally to find Windows-based systems and infect them with ransomware. The attackers also gained admin privileges, disabled both the Windows firewalls and a third-party firewall, and then installed the R4IoT executables on machines across the network.

The attack made it impossible to monitor machinery heat, pressure, operating condition and cycle times. It also froze and encrypted all data files, making them unusable. To make matters worse, the attackers threatened to post all the victim company’s pricing, customer and production data to the dark web within 24 hours if the ransom wasn’t paid.

The manufacturer paid the ransom, having no other choice, with the cybersecurity talent available in their region at a loss for how to counter the attack. Attackers know that thousands of other manufacturers don’t have the cybersecurity and IT teams on staff to counter this kind of threat or know how to react to one. That’s why manufacturing continues to be the hardest-hit industry. Simply put, IoT devices have become the threat vector of choice because they’re unprotected.

Agrawal told VentureBeat that “IoT puts a lot of pressure on enterprise security maturity. Extending zero trust to IoT is hard because the endpoints vary, and the environment is dynamic and filled with legacy devices.” Asked for advice on how manufacturers and other high-risk industry targets could get started, Agrawal advised that “accurate asset discovery, microsegmentation, and identity are still the right answer, but how to deploy them with traditional solutions, when most IoT devices can’t accept agents? This is why many enterprises embrace agentless cybersecurity like Airgap as the only workable architecture for IoT and IoMT.”
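As an added example that is not from the article or from any vendor it names, the following Python check applies the "segmentation" basic to constructed flow-log lines: it flags an IoT endpoint reachable from outside the company (like the lobby camera described above), an IoT endpoint calling out to the internet, and an IoT endpoint reaching an internal IT host (the lateral move from sensors and PLCs to Windows systems in the ransomware case above). The asset addresses, the log line format and the internal address ranges are assumptions.

```python
import ipaddress
import re

# Constructed inventory of IoT/OT endpoints on a dedicated segment (hypothetical addresses).
IOT_ASSETS = {"10.20.0.11": "lobby-camera", "10.20.0.25": "hvac-plc", "10.20.0.31": "vibration-sensor"}

# Address space the organization treats as internal (RFC 1918 plus loopback); anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")  # assumed flow-log format

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse one constructed flow-log line into (src, dst, dport); None if it does not match."""
    m = FLOW_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def classify(src, dst):
    """Label a flow that breaks the IoT segment policy, or return None if it is allowed."""
    src_iot, dst_iot = src in IOT_ASSETS, dst in IOT_ASSETS
    if dst_iot and is_external(src):   # outside address reaching an IoT endpoint (the exposed camera)
        return "inbound-from-outside:" + IOT_ASSETS[dst]
    if src_iot and is_external(dst):   # IoT endpoint calling out (possible command-and-control beacon)
        return "outbound-to-outside:" + IOT_ASSETS[src]
    if src_iot and not dst_iot:        # IoT endpoint reaching an internal IT host (lateral movement)
        return "lateral-to-it:" + IOT_ASSETS[src]
    return None                        # IoT-to-IoT inside the segment, or IT-initiated management access

def find_violations(lines):
    """Return [(line, label)] for every flow-log line that violates the policy."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed and (label := classify(parsed[0], parsed[1])):
            findings.append((line, label))
    return findings

# Constructed sample flows; 203.0.113.0/24 (a documentation range) stands in for internet addresses.
SAMPLE_LOG = [
    "2023-05-01T08:01:12 src=203.0.113.7 dst=10.20.0.11 dport=554",  # outside -> lobby camera
    "2023-05-01T08:01:40 src=10.20.0.11 dst=203.0.113.9 dport=443",  # camera -> outside
    "2023-05-01T08:02:05 src=10.20.0.25 dst=10.50.0.8 dport=445",    # PLC -> Windows file share
    "2023-05-01T08:02:30 src=10.50.0.8 dst=10.50.0.9 dport=445",     # IT -> IT, not IoT-related
    "2023-05-01T08:03:00 src=10.20.0.31 dst=10.20.0.25 dport=502",   # sensor -> PLC, inside segment
]
```

Running `find_violations(SAMPLE_LOG)` reports the first three lines and stays silent on IT-to-IT and intra-segment traffic; in practice the inventory would come from the asset discovery step Agrawal describes rather than a hard-coded dictionary.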
