Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
IoT Security Concerns for 2021
By Curtis Simpson, CISO at Armis
2020 saw IoT and connected devices explode. As enterprises rapidly shifted to
remote work, many new devices were being connected, most of which they didn't
know about because they couldn't see them, putting the corporate network at
further risk. Overwhelmed hospitals relied on
connected medical devices to manage unprecedented situations in high-pressure
environments. The retail supply chain saw increased use of robotic arms on
manufacturing lines, connected forklifts in fulfillment centers, and smart
sensors enabling track-and-trace delivery monitoring.
In 2021, we can expect IoT and unmanaged devices to continue playing a major role
in the lives of every organization across verticals. From retail to education
to city infrastructure to new office settings, IoT and unmanaged connected
devices will continue to pose major cybersecurity risks, and organizations must
have visibility into all of them in order to prevent a successful attack.
The Top 3 Security Threats in 2021
● Botnets pose the single largest security threat in 2021. It's not a stretch to assume that just about any individual or
organization can be taken down considering the size of some of the botnets
we've seen recently. For example, earlier in 2020 we saw what has been
attributed to the Fancy Bear or APT28 botnet shut down trading on the New
Zealand stock exchange for 4 straight days, despite highly collaborative public
and private defense efforts that escalated with each impacted day. We will
continue to see highly detrimental botnet attacks, such as the stock exchange
attack, but likely ever more focused on supply chain weaknesses exposed by the
pandemic. In parallel, we will see
botnets continue to grow exponentially through the exploitation of consumer
devices. As bad actors are more than
aware of the changes in remote work, the same compromised devices in the home
that have been added to botnets (TVs, modems, smart lighting, etc.) will be
used to exfiltrate data from consumer networks.
Why? It's more likely than ever
that information stolen from consumer networks can be used to break into the
larger prize: enterprises and governments.
● We will see more ransom-based attacks in 2021, particularly in OT
environments. Most OT security practitioners are just
starting to understand the risks they're up against and build strategies around
them. The attack patterns from the last year are consistent and we can expect
to see more of them - especially in the energy industry. The worst-case scenario is a widespread power
grid outage that impacts a large part of the US, which I don't believe is all
that far-fetched. With recent
vulnerability disclosures in protection measures harkening back to Stuxnet and
Triton and corresponding warnings from intelligence agencies, there are even
concerns that some adversaries are truly focused on arming themselves with
destructive capabilities that can do material damage to companies and nations.
● We will see an uptick in attacks targeting healthcare. We saw the devastating success of such attacks in 2020; the fact that
they're working, combined with the reality that healthcare practitioners are
delivering more tech-enabled services to patients than ever before, means that,
unfortunately, we can expect to see more damaging attacks in 2021.
The Intersection of 5G + Smart Cities
● 2021 will bring advancements in smart city infrastructure - primarily
those that are directly tied to reopening businesses and addressing public
safety - but the fact that most of these advancements will be powered by 5G
increases the risk factor dramatically. The speed at
which smart cities advance depends on the pace of 5G, and at this rate, we can
expect to see significant developments in 2021.
Many newly manufactured form factors of devices will be connected to
newly formed networks, intended to connect everything regardless of its
location in a smart city. While we'll start to see innovative applications of
connected devices flourish - smart kiosks that disperse public safety
information; drone services that deliver goods to vulnerable populations like
the elderly; city-owned autonomous vehicles - most manufacturers and networks
have yet to effectively secure the IoT that powers the world of today. A world where a smartphone may have the
ability to exploit vulnerable smart kiosks or drones running on an interconnected
network that, initially, is primarily monitored and secured only by service
providers may soon be a reality.
Blurred Lines between Consumer & Enterprise IoT Get Blurrier
● Remote work is here to stay and hackers will double down on attacks
targeting in-home connected devices in 2021. Two
reasons: the relatively high number of unmanaged and IoT devices in people's
homes and the fact that most people rarely, if ever, patch their devices.
Consider all of the connected devices in people's homes: smart TVs, smart
speakers, game consoles, routers, firewalls, to name a few. When you consider
that the average family has about 10 unmanaged and IoT devices in their homes,
compared with 1-2 computers, it's understandable why hackers would want to go
after the larger attack surface. Combine that with people's tendency to ignore
patches, and you have a winning strategy for hackers. Take the CallStranger
vulnerability from 2020, for instance. This was a vulnerability within a
universal plug-and-play protocol used by most smart devices that allows hackers
to bypass security systems and fully take over devices if they haven't been
patched. It can be exploited without anyone ever knowing, and there are
hundreds of thousands, if not millions, of game consoles, routers, firewalls,
etc. that are potentially vulnerable. With remote work extending into 2021 and
likely beyond in some capacity, it is now the responsibility of businesses to
educate and train employees on in-home connected device vulnerabilities and
patching to prevent attacks that could impact the corporate network.
The Smart Office of the Future
● When offices reopen, they will
look far different from those we left behind in March 2020. I predict we'll see
four new trends emerge:
1) People will bring new devices
into the office after having relied on them more at home. Lifestyles changed and new habits were formed over the past year, and
employees will take the connected devices that have enabled these habits and
routines into the office. For example, maybe an employee bought a smartwatch to
better respond to emails on the go so they could get out of their house more
during the day. Now that they're reliant on it, that smartwatch is coming with
them back to the office. Other devices - smart pens, smart tablets - will also
accompany employees' return to the office, presenting a greater potential
attack surface for IT leaders to be aware of and control.
2) New devices will be introduced to address companies' return-to-office strategies. These could range
from smart lighting to utilization sensors that tell you how office space is
being used by different groups in real time. While more connected devices
generally means more innovation, it also means a greater attack surface. The new devices and processes that are
implemented in 2021 will need to undergo continuous monitoring to maintain
safety. With these changes expected to
occur rapidly, the ability to continuously discover and monitor devices to
determine if they pose an immediate threat will be more important and effective
than attempting to retain control over every potential device that may be
introduced.
3) Enterprises will take new
precautions in the name of creating safer environments. Depending on the impact of the vaccine on the current pandemic
situation, we may or may not see a growing number of businesses introduce new
devices in support of public safety measures.
In regions where lockdowns continue to occur and subsequently lead to
increased public safety requirements, businesses will be required to invest in
new processes and technology to remain viable and profitable. Many enterprises will even develop long-term
contact-tracing capabilities, once again in the name of viability and
profitability in case of a future pandemic of any sort. These refactored work environments will only
expand upon the rate at which IoT devices are introduced, further growing the
potential attack surface, with potential health-related impacts.
4) There will be more in-office
virus testing. If we're in this pandemic for years,
it's likely we'll see a test flow into a central system, with central awareness
into who's been affected to enable rapid contact tracing.
##
About the Author
As the CISO at Armis, Curtis Simpson is responsible
for ensuring that the Armis product continues to maintain its high standard and
vigilant focus on platform and customer security and privacy. Prior to Armis,
he was the CISO at Sysco, a Fortune 54 corporation. As Vice President and
Global CISO at Sysco, Curtis directed a portfolio of innovative and
effective business-focused security and compliance programs responsible for
reducing security risks faced by a global organization.