During lockdown, offices have been empty and quiet – but not dead. Networks have continued to run, and IoT devices have continued to operate unattended. Many of these devices have communicated in plain text, leaving the networks vulnerable.
A study of more than 500 million IoT device transactions in a little over two weeks, between December 15 and December 31, 2020, discovered a 700% increase in IoT malware over a previous study of pre-lockdown 2019. The study (PDF), conducted by Zscaler ThreatLabz, found Gafgyt and Mirai accounted for 97% of the IoT malware that Zscaler detected.
The volume and variety of IoT devices left running during lockdown is vast. 553 different device types from 212 manufacturers were identified. The most common categories, accounting for almost 65% of the total, were set-top boxes (29%), smart TVs (20%), and smart watches (20%). But there were also more esoteric devices: smart fridges and musical lamps, and of course Tesla and Honda cars.
“The volume and variety of IoT devices connected to corporate networks is vast and includes everything from musical lamps to IP cameras,” said Zscaler CISO, Deepen Desai. “Our team saw 76 percent of these devices still communicating on unencrypted plain text channels, meaning that a majority of IoT transactions pose great risk to the business.”
The study found that 76% of all transactions occurred over plain text channels. The 24% occurring over encrypted channels is three times better than in 2019, but remains unacceptably low. All the 533 observed devices used SSL in some capacity, but the ratio between encrypted and unencrypted traffic varied widely between the categories of device.
Enterprise devices (such as digital signage media players, digital video recorders, IP cameras and phones, printers, and networking devices) and entertainment and home automation devices (such as digital home assistants, media players, set-top boxes, smart glasses, smart home devices, smart TVs, and smart watches) both used unencrypted communications for around 98% of their traffic. Healthcare devices were best, but still used unencrypted transactions 50% of the time.
The study also examined the ultimate destinations for the IoT traffic. “Most of this communication is legitimate,” says the report, “with the IoT devices doing what they are designed to do, which is send and receive data.” The U.S., UK and Ireland were the top destination countries. However, 11% of traffic from entertainment devices, almost entirely smart TVs and set-top boxes, was routed to China and Russia. While it may have been non-malicious traffic, “These are destinations that ThreatLabz considers to be suspicious,” say the researchers, “due to their potential for government spying and other data vulnerabilities.”
During the same period as this study, Zscaler also analyzed IoT-specific malware it detected on its platform. It blocked approximately 300,000 transactions (not necessarily from empty offices) related to IoT malware, exploits and C&C communications. It detected 18,000 unique hosts and about 900 unique payload deliveries during the 15-day timeframe.
The two most common malware families were Gafgyt and Mirai, accounting for more than 97% of the observed payloads, although other active families included Tsunami, VPNFilter, and Hajime. The primary malware destination countries (either delivering the malware or connecting with it post-infection) were China (56%), the U.S. (19%), and India (14%). The top IoT victim countries were Ireland (48.5%), the U.S. (31.7%) and China (13.8%).
Zscaler ThreatLabz gives four recommendations to prevent IoT becoming the network’s soft underbelly. Two are obvious but still not adequately undertaken: change default passwords, and stay up to date with patching. The third is around visibility. Since many IoT devices are unmanaged, network traffic analysis is important. “Implement architectures that allow you to inspect both encrypted and unencrypted network traffic for device communications that you may not otherwise be aware of.”
The fourth recommendation is to implement a zero-trust architecture so that users and devices can only access what is necessary. Unsanctioned IoT devices that require internet access should be blocked from all corporate data. “The only way to stop shadow IoT devices from posing a threat to corporate networks,” say the researchers, “is to eliminate implicit-trust policies and tightly control access to sensitive data using dynamic identity-based authentication – also known as zero trust.”
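The visibility and zero-trust recommendations above can be turned into a first-pass check over flow records from a network tap or firewall export. The following is an added example, not code from Zscaler or the report: it takes constructed flow records (device label, category, destination port, whether a TLS handshake was seen, and an assumed GeoIP country code), reports the plain-text share per device category, and flags flows that involve an unsanctioned device, cleartext traffic, or a destination country on a watchlist.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    device: str        # label from the device inventory (assumed field)
    category: str      # "enterprise", "entertainment", "healthcare", ...
    dst_port: int
    tls: bool          # True if a TLS ClientHello was observed on the flow
    dst_country: str   # ISO code from a GeoIP lookup (assumed field)


# Constructed sample flows, loosely modelled on the mix the report describes.
SAMPLE_FLOWS = [
    Flow("smart-tv-lobby", "entertainment", 80, False, "CN"),
    Flow("smart-tv-lobby", "entertainment", 443, True, "US"),
    Flow("set-top-box-1", "entertainment", 8080, False, "RU"),
    Flow("ip-camera-3", "enterprise", 80, False, "US"),
    Flow("printer-2f", "enterprise", 9100, False, "IE"),
    Flow("infusion-pump", "healthcare", 443, True, "US"),
    Flow("infusion-pump", "healthcare", 80, False, "US"),
]


def plaintext_share(flows):
    """Percentage of flows per category with no TLS, like the report's 76% figure."""
    totals, plain = defaultdict(int), defaultdict(int)
    for f in flows:
        totals[f.category] += 1
        if not f.tls:
            plain[f.category] += 1
    return {c: round(100 * plain[c] / totals[c], 1) for c in totals}


def flag_flows(flows, sanctioned, watch_countries):
    """Return (device, dst_port, reasons) for flows that break the recommendations."""
    findings = []
    for f in flows:
        reasons = []
        if f.device not in sanctioned:          # shadow IoT: not in the inventory
            reasons.append("unsanctioned device")
        if not f.tls:                           # cleartext channel
            reasons.append("plaintext")
        if f.dst_country in watch_countries:    # destination the team treats as suspicious
            reasons.append(f"suspicious destination {f.dst_country}")
        if reasons:
            findings.append((f.device, f.dst_port, reasons))
    return findings


if __name__ == "__main__":
    print(plaintext_share(SAMPLE_FLOWS))
    for finding in flag_flows(SAMPLE_FLOWS, {"ip-camera-3", "printer-2f", "infusion-pump"}, {"CN", "RU"}):
        print(finding)
```

The sanctioned set and watchlist are inputs the operator maintains; the flagged list is what a zero-trust policy would deny or a SOC would triage.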