Rohan Langdon 
The number and variety of connected IoT devices has grown enormously in recent years: in our homes, in offices, in factories and warehouses. Ericsson estimates there were 11 billion connected devices worldwide in 2019, and it expects the number to reach 25 billion by the end of 2025.
Our homes now have connected security cameras, connected doorbells, even connected fridges and washing machines, along with a whole range of devices to provide security for the elderly and those with disabilities enabling them to live more independent lives.
Australians are no stranger to this new technology. According to research company Telsyte, at the end of 2021 almost two-thirds of Australian households, about 6.3 million, had at least one smart home product. Telsyte estimated the average number of connected devices in Australian homes at 20.5 in 2021 and tipped this to rise to 33.8 by 2025.
Adoption of IoT by industry is also surging, according to IDC’s Worldwide Internet of Things Spending Guide, May 2021. IDC found a large majority of Australia and New Zealand enterprises indicated growing inclination to invest in IoT related projects in the next 12 months.
With the COVID-19 pandemic accelerating digital transformation initiatives, the adoption of IoT devices will only increase exponentially.
Not-so-smart devices
These devices, and the services that use them, have brought individuals and businesses benefits undreamt of only a few years ago, but they also bring significant challenges for the security teams responsible for keeping them, and the data they carry, safe from attack by cyber criminals.
Undiscovered or unpatched software vulnerabilities in these devices and systems constitute a massive and tempting attack surface for bad actors. It’s not only the devices themselves that appeal: it is the access they can offer to the systems and applications that support them, and the data those hold. Having once gained access, hackers can spread malware, encrypt files and demand a ransom.
The risk with IoT devices is particularly great. The sheer variety of devices running different software is a challenge in itself, and many are not supported with frequent software patches to address vulnerabilities. Printers in particular are notorious for offering hackers easy access to the networks they connect with.
Plenty of vulnerabilities
Vulnerabilities seen in many IoT devices include:
- Devices shipped with weak default passwords, and other settings, and no requirement to change these.
- Hard coded passwords.
- No means to update devices securely.
- Use of components that are no longer supported.
- Poor or non-existent security on data transfers.
The surge in remote working precipitated by the COVID-19 pandemic has exacerbated the challenges for IT staff trying to keep networks of IoT devices secure. People might have disappeared from offices in droves, IoT devices have not. In many cases they are still connected, and still vulnerable, but with nobody paying much attention to them.
Research undertaken by ExtraHop found that, after organisations switched most staff to home working, the number of connected printers – a favourite cyber criminal target – declined by less than 1 per cent. IP phones declined by only 7.5 per cent. The research also found that 25 per cent of those connected phones were Cisco devices that had a critical vulnerability that would allow the attacker to remotely execute code with root privileges. These phones must be patched.
The risks of workers at home and away
Security can be boosted significantly by disconnecting or powering down unused devices but identifying all such devices and doing so can be a significant task in a large organisation.
In contrast to the new security challenges produced by COVID- induced remote working, those of the pre-COVID era now seem simple. Back then, in-office workers could be regularly briefed on threat awareness and cyber hygiene, and devices could be monitored and updated.
Today, delivering cyber awareness training to a distributed workforce presents a considerable challenge as does patching devices and managing the multiple VPN connections of home working employees who lack IT skills.
With the easing of COVID restrictions, workers will return to the office, but the number of connected IoT devices will continue to grow and present ever more security challenges.
Network visibility eliminates blind spots
In July 2021, IDC was tipping IoT spending in Australia and New Zealand to surpass $20 billion in 2021, delivering an annual growth rate of 10.4 percent. IDC said industries that were asset-rich, device-rich and physically intense such as manufacturing, utilities and transportation were the largest source of IoT spending, accounting for more than 50 percent of the total, and IoT spending by the construction and utilities sector was growing the fastest.
With this growth comes increased risk of compromise, but compromise does not have to lead to disaster if an appropriate approach to IoT security is adopted. Zero trust security and network segmentation can create significant barriers for cyber criminals trying to gain network access via a compromised IoT device. Technologies that offer post-compromise visibility for threat detection and response can stop an attack before it can inflict damage.
Comprehensive network data can give security teams a high level of visibility of all connected devices and help them spot and block a threat before damage is done.
Rohan Langdon is ANZ country manager at ExtraHop.