In May 2019, my research team analyzed IoT traffic on our cloud for one month to see what types of devices were in use on our enterprise customers’ networks as well as the volume of traffic they were generating, their destinations, and any behavior that raised security concerns. During the month, we saw 56 million transactions from 270 different types of devices in more than 1,000 organizations.
The last time we did a report on IoT traffic was the summer of 2016. The traffic volume we just saw was more than 150 times greater than that of three years ago.
The problem is that it’s super easy to connect devices to your network, but not so easy to see and manage them. Visibility, or the lack thereof, is a gaping problem. If you don’t know what devices are sending and receiving communications over the internet, you can’t possibly ensure those communications are secure.
In our analysis, we saw a variety of consumer devices generating traffic, such as smart watches, home assistants, and even a few cars. Consumer-grade IoT devices are notorious for weak security, with default passwords that often go unchanged, making them susceptible to brute-force attacks. In fact, IoT malware that we recently analyzed contains lists of default passwords in its code, so such attacks are fairly trivial.
It’s mind-boggling that in 2019 companies continue to ship products with little to no security. Because nothing is stored on these devices, the prevailing wisdom has been that intrusion prevention and other controls are unnecessary. But the Mirai botnet attack illustrated how misguided that mindset is. Bad actors can easily recruit massive armies of devices that can be used to attack targeted companies, governments, infrastructure, you name it.
Wait, it gets worse. More than 90 percent of the traffic generated by the IoT devices we analyzed last month used the plain-text HTTP protocol, which means that any data they send can be intercepted. It also makes them subject to man-in-the-middle attacks, in which a malicious actor can change what your device is transmitting to an internal server or a supplier, for example.
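One way to get the visibility the two paragraphs above call for, as an added example that is not code from the original article or from Zscaler: a short Python script that parses constructed proxy log lines (device type, URL, bytes; the `.test` hostnames and the 203.0.113.10 address are placeholders) and reports which device types still send most of their transactions over plain-text HTTP, together with the destinations involved, so they can be inventoried and segmented.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: "<device_type> <url> <bytes>" per line.
# Not real traffic; hostnames use the reserved .test TLD and a documentation IP.
SAMPLE_LOG = """\
smartwatch https://api.example-wearable.test/sync 1200
smartwatch http://fw.example-wearable.test/update.bin 44000
home-assistant http://voice.example-assistant.test/query 900
home-assistant http://voice.example-assistant.test/query 850
ip-camera http://203.0.113.10/cgi-bin/snapshot 120000
ip-camera http://203.0.113.10/cgi-bin/snapshot 118000
printer https://cloudprint.example.test/jobs 3000
"""


def parse_log(text):
    """Return a list of (device_type, scheme, host, bytes) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, url, size = line.split()
        parts = urlsplit(url)
        records.append((device, parts.scheme.lower(), parts.hostname, int(size)))
    return records


def plaintext_share(records):
    """Per device type: (plaintext_transactions, total_transactions, fraction)."""
    counts = defaultdict(lambda: [0, 0])
    for device, scheme, _host, _size in records:
        counts[device][1] += 1
        if scheme == "http":  # plain-text HTTP; https and other schemes are not counted
            counts[device][0] += 1
    return {d: (p, t, p / t) for d, (p, t) in counts.items()}


def flag_devices(records, threshold=0.5):
    """Device types whose plaintext share meets the threshold, mapped to the
    sorted plaintext destinations they talk to (for inventory and follow-up)."""
    share = plaintext_share(records)
    dests = defaultdict(set)
    for device, scheme, host, _size in records:
        if scheme == "http":
            dests[device].add(host)
    return {d: sorted(dests[d]) for d, (_p, _t, frac) in share.items() if frac >= threshold}


if __name__ == "__main__":
    for device, hosts in flag_devices(parse_log(SAMPLE_LOG)).items():
        print(f"{device}: plaintext HTTP to {', '.join(hosts)}")
```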
Most internet traffic is encrypted today—as of this writing, SSL/TLS traffic accounts for 94 percent of traffic across Google. There are many good reasons for using encryption and they apply to IoT traffic, too.
During our analysis, we saw six different malware strains targeting IoT, including a Mirai variant, and each month we block an average of 6,000 transactions from IoT-based malware and exploits. Some of the exploits we analyzed earlier in the year were dropping payloads that exploited vulnerabilities in IoT management frameworks, giving attackers the ability to execute code remotely, typically to turn the infected device into a bot.
Until IoT device manufacturers get serious about baking security into their products, IoT devices will remain an easy target. You can download our full May 2019 analysis here.
–Deepen Desai is vice president of security research at Zscaler and director of ThreatLabZ.
>> This article was originally published on our sister site, EE Times: “IoT Security Gap Is Widening.”