Last year, the Mirai IoT botnet attacks raised awareness of the danger clustered connected devices pose in the hands of cybercriminals. This year, we learn that awareness alone can’t defend a network perimeter: security professionals still express genuine disquiet over this attack surface.
A study by Pwnie Express shows most security professionals worry about whether they can stop an attack against their company involving IoT devices. The reasons vary from lack of knowledge in detecting malware on such gadgets to insufficient funds or tools to stymie such threats.
Mirai’s assault on Dyn, one of the largest DNS (domain name system) providers, turned a possibility widely discussed by the infosec community into a reality. Even so, not much has been done to head off threats posed by connected devices brought into companies’ cyber perimeter.
In the Pwnie Express study, 92% of the 868 IT professionals that completed all the questions believe the IoT threat will grow this year.
Still, more than 66% of them lacked a clear inventory of connected devices their employees bring to work. This result was aggravated by the lack of resources needed to deal with such problems.
Out of respondents who knew the number of IoTs present at the workplace, “about one third have never checked or are not sure when they last checked for malicious infections. It’s likely that these pros have similarly not checked for a breach or other compromise,” the report explains.
More specific questions revealed that only one in 10 of the security departments in the survey could find Mirai malware on IoT devices (webcam, printers), either available in the company or brought in by employees.
At the thicker end, 66% of professionals said they had not checked or did not know how to verify devices for Mirai malware; and just 23% kept tabs on whether the IoT devices using company network resources had been scanned for malware in 2016.
More than this, one out of five respondents admitted that their IoT devices were affected by ransomware attacks in 2016, and 16% of them dealt with man-in-the-middle attacks via connected gadgetry.
The survey highlights a bleak reality for consumers, considering that the answers were provided by people employed to mitigate enterprise security risks.
Cybercriminals already know the IoT lacks security and they have started to leverage it. The top three threats listed by the survey included unpatched vulnerabilities and the misconfiguration of popular connected devices.
Some products that raised concerns of security pros included wireless cars, wireless home monitoring and safety devices, smart TVs and connected toys. For all of these, there was at least one vulnerability reported in the past.
If IT security professionals can’t properly secure connected devices in their jurisdiction, what could a regular user do about it? One solution is available here.