Why unsecured consumer IoT is now a business problem

Chances are, most businesses have at least one employee with a vulnerable device. A cyber attacker only needs access to one.
10 September 2020


In the consumer domain, Internet of Things (IoT) tech has long had a bad rap for shoddy security. 

Homes today are flooded with connected devices — whether it’s an app-enabled espresso machine or a wifi-connected security camera. According to Statista, consumer electronics will account for 63% of all installed IoT (Internet of Things) units in 2020.

These devices can collect data on their users, which is fed back to service providers in order to help enhance their products. Manufacturing these devices is lucrative and, as demand climbs further, consumers are increasingly purchasing cheaper, low-end devices. The problem is, security standards are generally pretty lax.

In the business world so far, the vulnerabilities and security pitfalls of consumer IoT haven’t been much of a problem — privacy-savvy execs might have stretched to turn off the office Alexa during a particularly sensitive meeting. But with only a third of workers set to return to the office by fall, the worker’s home has become the workplace itself; if it’s awash with unsecured IoT, that’s a serious cybersecurity issue. 15% of IoT device owners still use default passwords, so chances are high that most businesses have at least one employee with a vulnerable device — a cyber attacker only needs access to one.

“The majority of IoT devices purchased for the home are relatively cheap and little effort is made to protect them at a hardware or software level at this end of the spectrum by manufacturers,” Darryl Jones, Director of Product Management for IoT at digital identity specialist ForgeRock, told TechHQ.

“From poor credential management, aging firmware, and redundant access points left in consumer devices to infrequent security updates, these are often insecure from the outset.”

In 2020, CISOs and their equivalents have been blindsided by a spike in attempted cybercrime. Phishing emails leveraging the circumstances have surged, while a sudden migration of the workforce to remote work led to a proliferation of new endpoints to protect. As businesses and workforces have gone online, criminals have followed in droves. 

At the same time, in 2019 alone, cyberattacks on IoT devices were up 300% and are likely to have continued growing. 

The most infamous example of IoT device vulnerability was the wave of Mirai botnet DDoS attacks in 2016, which, at one point, took down internet access on the whole east coast of the US. The US government initially suspected a rogue nation-state, but the culprit turned out to be a network of 400,000 compromised consumer IoT devices weaponized by a disgruntled Minecraft player. 

So, why were business leaders caught off-guard by the threat of consumer IoT?

“Simply put, the pandemic changed the landscape. They were playing chess, now they need to play checkers,” said Jones. “Device vulnerability has been there all along, but the huge increase in numbers of WFH employees and the increase in all things digital due to the pandemic has increased the severity of the problem by an order of magnitude. 

“Although CISOs have been working for years to secure their devices and networks, these changes present new and complex challenges for business leaders and CISOs alike.” 

Jones suggests that revised cybersecurity strategies geared to a future of distributed working must account for increased threats not just in the area of Bring Your Own Device (BYOD), but also in other employee-owned devices that can access the network.

“Businesses should explore new in-home technologies that allow for corporate network segregation so that a breach in the part of the network which contains consumer devices doesn’t contaminate the part used for corporate purposes,” said Jones. 

One approach is for businesses to mandate that private wifi networks are created to host corporate devices only — this is guidance that the FBI has given repeatedly in the US. Governments must also outline codes of best practice or, better yet, legislation when it comes to IoT device security. Last year, Finland became the first European country to certify safe smart devices, where products that meet the required standard are awarded a clearly visible ‘Cybersecurity label’.

“Having a unique digital identity should be the new security baseline as it can be used to help protect workplace devices, and existing or new in-home consumer devices. Additionally, adopting a Zero Trust or CARTA security model can help in this new normal by enforcing security at every interaction and understanding normal device and user behavior to identify suspicious interactions,” said Jones.

“Businesses should also adopt new enterprise security policies and employee training that require the use of private networks, and limit usage of those networks to corporate devices.”

“Early intrusion detection is also still crucial. Companies should add solutions to detect anomalies including when a new device is connected to the network, as well as other monitoring solutions — endpoint, behavioral, network…”
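As an added illustration of the new-device detection Jones describes (example code written for this page, not from the article or ForgeRock): a small Python check over constructed dnsmasq-style DHCP log lines, with an assumed allowlist of corporate MAC addresses and assumed segment names `wlan-corp` and `wlan-home`, that alerts when an unknown device joins the corporate-only wifi and records whether the same device was also seen on the consumer segment.

```python
# Added example, not from the article or ForgeRock; all log lines are constructed.
import re
from dataclasses import dataclass

# Constructed dnsmasq-style DHCPACK lines: two segments on one home router.
SAMPLE_LOG = """\
Sep 10 09:01:12 router dnsmasq-dhcp[412]: DHCPACK(wlan-corp) 10.10.0.21 aa:bb:cc:00:00:01 work-laptop
Sep 10 09:03:40 router dnsmasq-dhcp[412]: DHCPACK(wlan-home) 192.168.1.55 de:ad:be:ef:00:02 espresso
Sep 10 09:05:02 router dnsmasq-dhcp[412]: DHCPACK(wlan-corp) 10.10.0.22 de:ad:be:ef:00:02 espresso
Sep 10 09:07:19 router dnsmasq-dhcp[412]: DHCPACK(wlan-corp) 10.10.0.21 aa:bb:cc:00:00:01 work-laptop
"""

# Allowlist of MACs permitted on the corporate segment (assumed inventory).
KNOWN_CORP_DEVICES = {"aa:bb:cc:00:00:01"}

LINE_RE = re.compile(
    r"DHCPACK\((?P<iface>[\w-]+)\)\s+(?P<ip>[\d.]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Alert:
    mac: str
    ip: str
    host: str
    also_seen_on: "str | None"  # another segment this MAC appeared on, if any

def detect_new_devices(log_text, known, corp_iface="wlan-corp"):
    """One Alert per previously unseen MAC on the corporate segment; a MAC that
    also showed up on another segment is a device straddling the segregation."""
    alerts, seen, elsewhere = [], set(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if m["iface"] != corp_iface:
            elsewhere.setdefault(mac, m["iface"])  # remember consumer-side sightings
            continue
        if mac in known or mac in seen:
            continue  # inventoried device, or already alerted on this run
        seen.add(mac)
        alerts.append(Alert(mac, m["ip"], m["host"] or "?", elsewhere.get(mac)))
    return alerts

if __name__ == "__main__":
    for a in detect_new_devices(SAMPLE_LOG, KNOWN_CORP_DEVICES):
        print(f"ALERT new device on corp wifi: {a.mac} ({a.host}) at {a.ip}, also on {a.also_seen_on}")
```

Feeding the router's live DHCP log into the same function gives the "new device connected" signal Jones mentions; the allowlist is the part that has to come from the company's device inventory.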