During lockdown, offices have been empty and quiet – but not dead. Networks have continued to run, and IoT devices have continued to operate unattended. Many of these devices have communicated in plain text, leaving the networks vulnerable.
A study of more than 500 million IoT device transactions in little over two weeks between December 15 and December 31, 2020 discovered a 700% increase in IoT malware over a previous study of pre-lockdown 2019. The study (PDF), conducted by Zscaler ThreatLabz, found Gafgyt and Mirai accounted for 97% of the IoT malware that Zscaler detected.
The volume and variety of IoT devices left running during lockdown is vast. 553 different device types from 212 manufacturers were identified. The most common categories, accounting for almost 65% of the total, were set-top boxes (29%), smart TVs (20%), and smart watches (20%). But there were also more esoteric devices: smart fridges and musical lamps, and of course Tesla and Honda cars.
“The volume and variety of IoT devices connected to corporate networks is vast and includes everything from musical lamps to IP cameras,” said Zscaler CISO, Deepen Desai. “Our team saw 76 percent of these devices still communicating on unencrypted plain text channels, meaning that a majority of IoT transactions pose great risk to the business.”
The study found that 76% of all transactions occurred over plain text channels. The 24% occurring over encrypted channels is three times better than in 2019, but remains unacceptably low. All the 533 observed devices used SSL in some capacity, but the ratio between encrypted and unencrypted traffic varied widely between the categories of device.
Enterprise devices (such as digital signage media players, digital video recorders, IP cameras and phones, printers, and networking devices) and entertainment and home automation devices (such as digital home assistants, media players, set-top boxes, smart glasses, smart home devices, smart TVs, and smart watches) both used unencrypted communications for around 98% of their traffic. Healthcare devices were best, but still used unencrypted transactions 50% of the time.
The study also examined the ultimate destinations for the IoT traffic. “Most of this communication is legitimate,” says the report, “with the IoT devices doing what they are designed to do, which is send and receive data.” The U.S., UK and Ireland were the top destination countries. However, 11% of traffic from entertainment devices, almost entirely smart TVs and set-top boxes, was routed to China and Russia. While it may have been non-malicious traffic, “These are destinations that ThreatLabz considers to be suspicious,” say the researchers, “due to their potential for government spying and other data vulnerabilities.”
During the same period as this study, Zscaler also analyzed IoT-specific malware it detected on its platform. It blocked approximately 300,000 transactions (not necessarily from empty offices) related to IoT malware, exploits and C&C communications. It detected 18,000 unique hosts and about 900 unique payload deliveries during the 15-day timeframe.
The two most common malware families were Gafgyt and Mirai, accounting for more than 97% of the observed payloads, although other active families included Tsunami, VPNFilter, and Hajime. The primary malware destination countries (either delivering the malware or connecting with it post-infection) were China (56%), the U.S. (19%), and India (14%). The countries with the most IoT victims were Ireland (48.5%), the U.S. (31.7%) and China (13.8%).
Zscaler ThreatLabz gives four recommendations to prevent IoT becoming the network’s soft underbelly. Two are obvious but still not adequately undertaken: change default passwords, and stay up to date with patching. The third is around visibility. Since many IoT devices are unmanaged, network traffic analysis is important. “Implement architectures that allow you to inspect both encrypted and unencrypted network traffic for device communications that you may not otherwise be aware of.”
The fourth recommendation is to implement a zero-trust architecture so that users and devices can only access what is necessary. Unsanctioned IoT devices that require internet access should be blocked from all corporate data. “The only way to stop shadow IoT devices from posing a threat to corporate networks,” say the researchers, “is to eliminate implicit-trust policies and tightly control access to sensitive data using dynamic identity-based authentication – also known as zero trust.”
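As an added illustration (not code from the Zscaler report or this article), the script below performs the two measurements the study describes and the third recommendation asks for: the share of plaintext transactions per device category, and transactions to destination countries an analyst has placed on a watch-list. The flow record format, category names, protocol labels and watch-list are assumptions for this example.

```python
"""Added example: summarize constructed IoT flow records the way the study does.

Assumed record format (one per line): device_id,category,dst_ip,dst_port,proto,dst_country
"""
from collections import defaultdict

# Constructed sample flows (documentation IP ranges, invented device ids).
SAMPLE_FLOWS = """\
tv-01,smart_tv,203.0.113.10,80,http,US
tv-01,smart_tv,203.0.113.11,8080,http,CN
stb-02,set_top_box,198.51.100.5,80,http,RU
stb-02,set_top_box,198.51.100.6,8080,http,US
cam-03,ip_camera,192.0.2.7,554,rtsp,US
cam-03,ip_camera,192.0.2.8,443,tls,US
pump-04,healthcare,192.0.2.9,443,tls,IE
pump-04,healthcare,192.0.2.9,80,http,IE
"""

# Protocol labels the (assumed) collector emits for encrypted sessions.
ENCRYPTED_PROTOS = {"tls", "dtls", "ssh"}
# Analyst-defined list; the report treats China and Russia as suspicious destinations.
WATCHLIST_COUNTRIES = {"CN", "RU"}


def parse_flows(text):
    """Parse the assumed CSV-like flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        dev, cat, ip, port, proto, country = [f.strip() for f in line.split(",")]
        flows.append({"device": dev, "category": cat, "dst_ip": ip,
                      "dst_port": int(port), "proto": proto.lower(), "country": country})
    return flows


def plaintext_ratio_by_category(flows):
    """Return {category: fraction of transactions that were not encrypted}."""
    total, plain = defaultdict(int), defaultdict(int)
    for f in flows:
        total[f["category"]] += 1
        if f["proto"] not in ENCRYPTED_PROTOS:
            plain[f["category"]] += 1
    return {c: plain[c] / total[c] for c in total}


def flag_watchlist_flows(flows):
    """Return (device, dst_ip, country) for every flow to a watch-listed country."""
    return [(f["device"], f["dst_ip"], f["country"])
            for f in flows if f["country"] in WATCHLIST_COUNTRIES]
```

On the constructed sample, set-top boxes and smart TVs come out 100% plaintext, cameras and healthcare 50%, and two flows are flagged for watch-listed destinations.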
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.