A study by Zscaler shows that malware targeting the Internet of Things (IoT) has increased by 700%, and reports that most IoT attacks originate from the United States and India.
Zscaler, a leader in cloud security, has released a new study that investigates the status of IoT devices that remain on enterprise networks during periods when companies are forced to migrate to remote work environments.
The new report, "IoT in the Enterprise: Empty Office Edition," analyzes more than 575 million device activities and 300,000 IoT-specific malware attacks blocked by Zscaler in two weeks in December 2020—a 700% increase compared to pre-pandemic findings.
These attacks targeted 553 different types of devices, including printers, digital signage, and smart TVs, all of which were connected to and communicated with the company's IT network, where many employees were working remotely during the COVID-19 pandemic.
The Zscaler ThreatLabz research team identified the most vulnerable IoT devices, the most common sources and destinations of attacks, and the malware families that cause the majority of malicious traffic, in order to better help businesses protect their valuable data.
Zscaler's CISO, Deepen Desai, said: "For more than a year, most corporate offices have been abandoned as employees continued to work remotely during the COVID-19 pandemic. However, our services team noted that despite the lack of staff in the offices, corporate networks are still brimming with IoT activity."
"The number and variety of IoT devices connected to enterprise networks are enormous, ranging from smart lights to connected cameras. Our team found that 76% of these devices are still communicating over unencrypted plaintext channels, which means that most IoT transactions pose a significant risk to the business."
Which equipment poses the greatest risk?
With over 5 billion IoT device activities, Zscaler identified 553 different devices from 212 manufacturers, 65% of which fell into three categories: set-top boxes (29%), smart TVs (20%), and smartwatches (15%). The home entertainment and automation category had the most unique device types, but also the least activity compared to manufacturing, enterprise, and medical devices.
The majority of traffic comes from devices in the manufacturing and retail sectors—59% of all traffic originates from these industries, including data collection terminals such as 3D printers, geolocation trackers, car multimedia systems, barcode readers, and payment terminals. Enterprise devices are the second most common, accounting for 28% of traffic, followed closely by medical devices at nearly 8%.
ThreatLabz also discovered a number of unexpected devices connected to the cloud, including smart refrigerators and smart lights that were still sending traffic over the enterprise network.
Whose responsibility is it?
The ThreatLabz team also meticulously examined activity specific to IoT malware tracked in the Zscaler cloud. In terms of quantity, a total of 18,000 unique hosts and approximately 900 unique payload deliveries were observed over a 15-day timeframe. Gafgyt and Mirai were the two most common malware families encountered by ThreatLabz, accounting for 97% of the 900 unique payloads.
These two families are known for hijacking devices to create botnets—large networks of private computers that can be controlled as a group to spread malware, overload infrastructure, or send spam.
Who is the target?
The top three target countries for IoT attacks are Ireland (48%), the United States (32%), and China (14%).
How can organizations protect themselves?
With the number of smart devices in the world increasing every day, it's virtually impossible to prevent them from entering your organization. Instead of trying to eliminate shadow IT, IT teams should develop access policies to prevent these devices from becoming springboards to your most sensitive business data and applications.
ThreatLabz recommends the following techniques to mitigate IoT malware threats on hosted and BYOD devices:
Gain visibility into all network devices. Deploy a solution that can view and analyze network logs to understand all devices communicating over the network and their functions.
Change all default passwords. A fundamental first step in deploying enterprise-owned IoT devices is updating passwords and deploying two-factor authentication.
Regular updates and patches are essential. Many industries, particularly manufacturing and healthcare, rely on IoT devices for their daily workflows. Ensure you stay informed about any new vulnerabilities discovered and use the latest patches to keep your devices secure and up-to-date.
Implement a zero-trust security architecture. Enforce strict policies on your company assets so that users and devices can only access what they need, and only after authentication. Restrict communication with external parties using the associated IPs, ASNs, and ports. The only way to prevent shadow IoT devices from threatening your company network is to eliminate implicit trust policies and strictly control access to sensitive data using identity-based dynamic authentication (also known as zero trust).
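To illustrate the visibility and zero-trust recommendations above, here is an added Python example (not code from the Zscaler report) that parses constructed log lines in a hypothetical `src=… dev=… dst=… port=… proto=…` format, builds a device inventory, measures the share of plaintext flows, and reports flows that fall outside a hypothetical per-device allow-list of destination IP and port.

```python
import re
from collections import defaultdict

# Constructed sample proxy/flow log lines in a hypothetical format (not real Zscaler output).
SAMPLE_LOGS = """\
2020-12-07T09:12:01Z src=10.20.1.15 dev=smart-tv dst=203.0.113.10 port=80 proto=http
2020-12-07T09:12:05Z src=10.20.1.15 dev=smart-tv dst=203.0.113.10 port=443 proto=https
2020-12-07T09:13:10Z src=10.20.2.40 dev=printer dst=198.51.100.7 port=443 proto=https
2020-12-07T09:14:22Z src=10.20.3.9 dev=smart-fridge dst=192.0.2.55 port=23 proto=telnet
2020-12-07T09:15:00Z src=10.20.3.9 dev=smart-fridge dst=192.0.2.55 port=8080 proto=http
"""

# Protocols that carry data without encryption (the "plaintext channels" the report warns about).
PLAINTEXT_PROTOS = {"http", "telnet", "ftp"}

# Hypothetical allow-list: for each known device type, the (destination IP, port) pairs it may use.
# Device types absent from the list are treated as shadow IoT.
ALLOWLIST = {
    "smart-tv": {("203.0.113.10", 443)},
    "printer": {("198.51.100.7", 443)},
}

LINE_RE = re.compile(r"src=(\S+) dev=(\S+) dst=(\S+) port=(\d+) proto=(\S+)")

def parse_logs(text):
    """Turn raw log text into a list of flow dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dev, dst, port, proto = m.groups()
            flows.append({"src": src, "dev": dev, "dst": dst, "port": int(port), "proto": proto})
    return flows

def inventory(flows):
    """Device inventory: every (source IP, device type) seen and its flow count."""
    seen = defaultdict(int)
    for f in flows:
        seen[(f["src"], f["dev"])] += 1
    return dict(seen)

def plaintext_share(flows):
    """Fraction of flows using an unencrypted protocol (0.0 when there are no flows)."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if f["proto"] in PLAINTEXT_PROTOS) / len(flows)

def policy_violations(flows, allowlist):
    """Flows a zero-trust policy would block: unknown device types or non-allow-listed destination/port."""
    violations = []
    for f in flows:
        allowed = allowlist.get(f["dev"])
        if allowed is None:
            violations.append((f["src"], f["dev"], "unknown device type (shadow IoT)"))
        elif (f["dst"], f["port"]) not in allowed:
            violations.append((f["src"], f["dev"], f"{f['dst']}:{f['port']} not allow-listed"))
    return violations
```

Run against real logs, the same three functions give the inventory, the plaintext ratio, and the list of flows to investigate before tightening the allow-list.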