IoT Security Disconnect: As Attacks Spike, Device Patching Still Lags

More than half of businesses have faced IoT-related attacks, yet only a third consider IoT cyber security “very important.”

As more businesses bring IoT devices onboard they are coming face to face with the security downsides of the IoT boom, researchers say.

According to a report by Trustwave released last week, 61 percent of companies surveyed who have deployed some level of connected technology have also had to deal with a security incident that they can trace back to an IoT device. On the flip side, only 49 percent of those same businesses surveyed said they have formal patching policies and procedures in place that would help prevent attacks.

Researchers have warned since 2008, when the high-profile Hydra malware first targeted routers, that IoT poses a growing security risk. And for the most part, over those past 10 years since, warnings have gone largely unheeded.

Despite calls for greater IoT security, 24 percent of respondents said they have dealt with malware infiltration through an IoT device. They added that attempted IoT attacks are up 9 percent, according to the study titled  “IoT Cybersecurity Readiness Report”.

“Most organizations are 10 to 20 years behind in their security practices when it comes to IoT, and they’re repeating the same security mistakes as they have in the past, including storing their credentials in plain text,” Michel Chamberland, practice lead for Trustwave SpiderLabs, told Threatpost.

To blame, in most instances, are misconfigured network devices. “IoT is still in its infancy,” Chamberland said. “We will continue to see a rise in IoT-based attacks, which can include sabotage, malware, denial-of- service and other malicious activity.”

Proving Chamberland’s point, in 2017 there was no shortage of vulnerabilities and threats revolving around IoT devices.

In September, researchers warned about Bluetooth vulnerabilities (BlueBorne) that threaten billions of connected devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that use the short-range wireless protocol; potentially enabling hackers to launch wireless attacks to take full control over IoT devices. And in October, security firms Check Point and NewSky Security warned hackers were swapping scripts on forums to scan the internet for vulnerable IoT devices and then dump weak credentials from them, potentially enabling them to eventually launch full-scale DDoS attacks.

Trustwave said part of the problem with IoT is the sheer variety of devices, technologies and defensive solutions making a uniform approach to locking down IoT seem impossible. “Only 10 percent of those surveyed are ‘very’ confident that they can detect and protect against IoT-related security incidents, while 62 percent are only ‘somewhat’ or ‘not’ confident that they can do so,” according to the report.

The study asserts that even those companies that don’t have any IoT devices can’t afford to keep their head in the sand. The consequences of insecure IoT outside of businesses include a growing number of DDoS attacks fueled by insecure IoT. The Mirai botnet, in 2016, harnessed 360,000 vulnerable IoT devices to launch an unprecedented DDoS attack.

“The vast majority of those surveyed believe that their organizations will experience an IoT-related security problem at some point,” according to the study. Fifty-five percent of survey recipients told Trustwave they believe an IoT-related attack will happen during the next two years, while 10 percent said one will occur after two years.

Chamberland said that businesses can take several steps to mitigate IoT-related threats – including adopting a patching policy to make sure that IoT devices are addressed in that procedure.

“The ideal thing to do is to segregate IoT devices on a separate network and encourage people to update them. They shouldn’t live in an environment with mission critical assets,” said Chamberland. “Only about one-third [of businesses surveyed] patch their IoT devices within 24 hours after a fix becomes available.”

Trustwave found that one-half of the organizations it surveyed said it takes them two or more days to fully implement an IoT patch after a fix is available.

Osterman Research performed the survey for Trustwave. The survey was conducted in November 2017 with 137 members of a survey panel.

Suggested articles