Tim Baxter, then president and chief operating officer of Samsung Electronics America, speaks during a press event for CES 2017 in Las Vegas. While IoT devices make us more efficient, today’s columnist, Jeff Costlow of ExtraHop, says security pros need to understand the risks of IoT vulnerabilities.(Photo by Alex Wong/Getty Images)

The number of connected IoT devices has exploded in recent years. Even as we put smartwatches on our wrists, brew coffee in connected coffee pots, and set reminders on our Alexa devices, most of us don’t realize just how prevalent device connectivity has become.

Today, if it has an on-switch, it also has an IP address: traffic signals, medical devices, security cameras, ATM machines, and everything in between are used by business and government organizations to make their operations more efficient. As much as these technologies benefit us all, they also introduce new risks, especially for security teams responsible for protecting the systems and data on which employees and customers rely. 

Smart, but not smart enough

The proliferation of connected devices spans organizations of all sizes, industries, and sectors. Consider how municipalities have changed the way they conduct business over the past two years. We see multi-million-dollar infrastructure upgrades with web-connected street light cameras, flood sensors, and emergency siren systems, which are all vulnerable to attacks. Add on that these municipalities are also dealing with an influx of personal devices coming online as they try to maintain service levels for the public remotely, including via a wave of new applications to support services once delivered in person.

As the convenience of connected devices rises, so does the convenience for attackers. Software vulnerabilities, either undiscovered or unpatched are an easy way for bad actors to work their way into a network, enabling them the access they need to lock down or steal data for any number of nefarious purposes. 

There’s a reason IoT devices have become so ubiquitous – they really do support and enable greater convenience and efficiency in our lives. But IoT devices, like any device, are subject to security flaws.

Common IoT device vulnerabilities

IoT devices can create entry points into an enterprise’s environment, and this can cause unpredictable, cascading effects on the organization’s networks. Hackers can weaponize IoT devices to spread malware through a network, take down websites in denial of service campaigns, or even launch DNS rebinding attacks that can turn an employee’s browser into a proxy to attack the network.

Security teams are reassessing the risks associated with these devices. They’re catching up to juggle a range of specialty devices, webcams, and printers. Printers are notorious for being targets of hackers and potential access points to a company’s sensitive data.

Common vulnerabilities include:

  • Weak, guessable, or hard coded passwords.
  • Insecure network services.
  • Lack of ability to securely update devices.
  • Use of deprecated components.
  • Insecure data transfer or storage.
  • Insecure default settings.

The era of remote work during the long pandemic has only added layers of complications for modern security. IoT devices that may have once gotten the job done now sit in empty offices, connected, but forgotten about, not updated, and unsecured. According to ExtraHop data, after organizations switched to a work-from-home model, the number of connected IP phones declined by just 7.5%. Some 25% of those IP phones are Cisco IP phones which, if left unpatched, have a critical vulnerability. Even more concerning, connected in-office printers—a known target of hackers—declined by only 0.53%.

Organizations can reduce their risk by disconnecting devices that aren’t in use, but security is still a work in progress for many organizations, and knowing exactly which devices are connected requires hard work, even for well-run security operations.

The pitfalls of the home office

Prior to 2020, my colleagues in the information security industry faced an uphill battle beating back ransomware and other advanced threats, making sure in-office employees were educated and on-site devices were kept up to date. In hindsight, those now look like the good old days when it was relatively simple to know everything about your networks and what was on them.

Today, it’s a different story. Work-from-home scenarios blur the lines between what’s necessary from a security standpoint for the office and for the home. In the rush to stand up a remote workforce, many of us cut corners. Now, we’re witnessing first-hand the outcomes of that time pressure. As organizations have shifted to hybrid and work-from-home models, security teams may even find themselves at the mercy of individual VPN-connected employees in decentralized locations—who may lack necessary technical skills—to patch vulnerable connected devices.

Reducing the risk of IoT blind spots

Where and how the company’s staff works may continue shifting, but IoT—and the security gaps that come with it will only become more prevalent. There were nearly 11 billion connected devices in 2019, and it’s expected to reach 25 billion by the end of 2025, according to Ericsson.

If discovering, disconnecting, and patching vulnerable devices isn’t feasible, organizations should assume they have already been compromised. Compromise, however, doesn’t always spell doom—just a different approach to IoT security. Zero-trust policies and proper network segmentation can help add barriers for attackers looking to move through your network. Deploying technology that offers post-compromise network visibility for threat detection and response can detect and stop malicious activity before it causes damage.

Network data has the power to give security teams the necessary visibility into what exactly is connected on a network, allowing them to better manage the explosion of connected devices. But even perfect security hygiene requires a failsafe: should one vulnerable device become an entry point for an attack, network visibility enables today’s enterprises to catch and stop a threat before it does any damage.

Jeff Costlow, deputy chief information security officer, ExtraHop.