IoT Security During COVID-19: What We’ve Learned & Where We’re Going
By Aamir Lakhani
Vigilance and ongoing training combined with an integrated security framework are key aspects of a successful strategy in the fight against the latest crop of pandemic opportunists. When the pandemic began, organizations worldwide rapidly transitioned to a remote work model. In their rush to ensure business continuity, however, many left their networks exposed to cybercriminals. Furthermore, the potential attack surface of these organizations continues to expand because of digital innovation and business growth, further increasing risk.
At the same time, the speed and sophistication of cyberattacks continues to make defending the network more challenging.
With IT teams on constant alert, it can be difficult for organizations to see the big picture. The move to remote work exacerbated the current situation by adding hundreds or thousands of potential attack vectors overnight as remote workers, their devices, and sometimes their home networks were brought onto the network. Consequently, according to data from our FortiGuard Labs threat research team, there has been a significant increase in cyberattacks.
In many cases, vulnerable Internet of Things (IoT) devices — whether deployed in home or branch offices, or internal devices now being accessed by remote users — have played a significant role in this uptick. So, while IoT devices have been instrumental in helping organizations worldwide, the networks these devices are connected to must be properly secured.
IoT Devices, Security, and Remote Work
Now that time has passed since the pandemic began, most organizations have had time to work out many of the kinks associated with their pivot to remote work. From an IoT security perspective, one issue that has had serious repercussions is that not all organizations could obtain the number of laptops they needed for all the employees who had to work remotely.
As a result, many remote workers had to use — and some still are using — a variety of personal devices to connect into the corporate network, ranging from smartphones and tablets to laptops and PCs. The challenge is that those devices aren’t only being used for work but also for activities including social media, shopping, and streaming entertainment. They’re also typically far less protected by desktop security and endpoint protection solutions, rendering them more vulnerable to the malware associated with phishing attacks.
Attackers don’t need to attack these personal devices directly to achieve their goals. Since these devices are connected to a home network, attackers have multiple avenues of attack at their disposal — including spreading malware through other computers, tablets, gaming, and entertainment systems connected to the home network. This also includes online IoT devices, such as digital cameras, smart appliances, and smart home tools like doorbells and thermostats.
In fact, the top three searches on Shodan are related to remote camera access. Granted, some remote cameras are intentionally open to the Internet. However, there is still a large number of cameras connected to the Internet with default credentials. Attackers can easily take advantage of this low-hanging fruit and potentially access systems that were never intended for the public.
What’s important to keep in mind is that this may be only the first step for an attacker in attempting to exploit an organization. The ultimate goal is to find a way into a corporate or school network and its valuable digital resources, and attackers know that the easiest way in is often by exploiting a vulnerable device no one expects to be an issue.
Rise in IoT Adoption
One of the major things we’re seeing during the pandemic is an uptick in IoT adoption. Juniper Research predicts that IoT platform revenues, for instance, will reach $66 billion in 2020 — a 20% increase over last year. And while medical and healthcare use of IoT is one of the biggest growth areas, it’s not the only factor here. For example, as businesses start to reopen safely, touchless and contactless devices have become more appealing. This includes devices such as touchless building access, touchless point-of-sale devices, and body temperature cameras.
Lessons Learned and Key Takeaways
This is no time to stop being vigilant. Cybercriminals are committed to taking advantage of any opportunity to attack, and the IoT provides an enticing avenue for them to get in. Examples of this activity include: Attacks against medical device suppliers. In one attack recently uncovered by our FortiGuard Labs threat research team, attackers sent an email pretending to request multiple medical devices and also containing a malicious Word attachment. If a recipient opened the attachment, it downloaded several files that could exfiltrate files from the user’s computer.
Phishing attempts tied to COVID-19. Scammers have used the pandemic to send malicious emails, including those appearing to be reports from trusted sources such as governmental agencies and news outlets. It got so bad that the World Health Organization had to issue a statement, and the UN released an advisory to warn people to be on their guard against such phishing scams. The importance of due diligence cannot be stressed enough. Cybersecurity user awareness training continues to be crucial. Cyber hygiene isn’t just the domain of IT and security teams — everyone in your company needs to be given regular training and instruction on best practices for keeping individual employees and the organization as a whole safe and secure. Effective security technology is also essential. Organizations should look at their secure email gateways and access control solutions to ensure they’re able to provide the level of protections today’s threat landscape requires, and deploy proximity controls such as intrusion-prevention systems to protect IoT devices that can’t be directly secured.
Adapt and Fight
Malicious actors never let a crisis go to waste. Even during a worldwide tragedy that affects them as well, cybercriminals have been hard at work, and their attacks are coming with surprising speed and sophistication, leaving already taxed IT teams scrambling to defend their networks. This has become trickier as the adoption of IoT devices has increased to accommodate new remote workers and the requirements of physical security for those returning to the office. Vigilance and ongoing cybersecurity training combined with an integrated security framework — including the deployment of desktop solutions such as Secure SD-WAN for key remote workers — are key aspects of a successful cybersecurity strategy in the fight against the latest crop of pandemic opportunists.