Our homes are littered with Internet of Things (IoT) devices, even if we might not be aware that they fall into that category. Left unattended, unpatched or unprotected, they are just waiting to be taken over by malicious actors who can use them in numerous nefarious ways. We can now take a closer look at the most vulnerable devices and at what constitutes a threat in the home or business IoT ecosystem.
An accurate map of our IoT devices is essential, but we often don’t even realize that a particular piece of hardware could even qualify as an IoT device or that it’s part of that ecosystem. IoT includes any device with an online connection, so it includes game consoles, media players, routers, phones, laptops, computers, tablets, smart TVs, smart fridges, security cameras, and much more.
The unfortunate truth is that many companies take one of three paths after they release a new IoT product onto the market. In an ideal scenario, a company continues to support that device with security updates for many years, but that’s not common.
Other companies only provide a limited window of support for their devices, but the worst of them completely abandon devices soon after launch. Chances are high that we have a vulnerable device in our household or business, and users should never ignore security. There’s more to protect in your house than your computer.
Where do the threats come from?
Threats to our IoT devices come either from browsing or external factors. While it hurts to say it, people are usually the weakest link in the security chain. That’s true in corporate networks and at home.
Between 2017 and 2019, the more significant issues generated by user interactions (browsing) accounted for 60% of IoT security problems. Spam represented 34%, followed by traffic from untrusted sources (28%), phishing (20%), and malware (16%).
But IoT devices also face threats from the outside, which account for the other 40% of security problems. Out of those, 78% are represented by privacy issues generated by unsecured logins. In a distant second place at 16%, we find brute force attacks.
Threats are changing in 2020
The threat profile is changing dramatically in 2020, and Bitdefender telemetry shows a very different landscape. Most threats coming from the user’s interactions are represented by phishing and account for a whopping 78%, indicating a dramatic increase in these types of campaigns.
External threats are also very different. While the number of privacy issues dropped down to just 28.5%, port scans now account for 49% of all incoming threats, and DDoS attacks jumped to almost 10%.
It’s clear that external actors now play a much more notable role and are continually looking for vulnerable IoT devices. The dramatic increase in port scanning is evidence enough. So, what are these people and IoT botnets scanning for?
It turns out that around 33% of all vulnerable devices are actually NAS (network-attached storage, likely exposing Samba or FTP protocols, such as media servers). Media players account for another 22%, but that’s a little vague. It turns out that a lot of people have a Sony Blu-Ray player (which likely includes PlayStation consoles) and don’t update the software, leaving it vulnerable.
Surprisingly, PCs come in third place, at 20%. We tend to forget, but PCs and laptops are also IoT devices. They are even more dangerous because they usually pack powerful hardware, give more options to attackers who get control of them. Finally, smart TVs account for 13% (including the ever-present set-top boxes.)
What can be done?
People can run a security solution on their laptop or PC, but many other devices in our homes and businesses are not protected. We can’t install security apps on most IoT hardware, so what can we do about it?
There are two types of solutions, depending on how we look at the problem. Users can choose to deploy a smart router that already has a security solution integrated. Such routers can check if your devices have known vulnerabilities, block phishing attempts or network scans, and fight DDoS attacks.
The other solution is to implement such protection from the ISP’s direction. This is where Bitdefender’s IoT Security Platform comes into play. Depending on the level of integration an ISP chooses, users could stop worrying about whether their homes are secure.
The best part of the Bitdefender IoT Security Platform is that it’s extremely flexible and works even on low-performance devices. Comprehensive integration of the platform would allow an ISP to include DDoS Detection & Protection, Parental Controls, Web Protection, Brute Force Protection, Vulnerability Assessment, and much more in a single package.
Being able to secure customers is always a plus, not to mention that it decreases support costs, and ISPs don’t have to build a costly, in-house solution, that most likely won’t even offer the same benefits.
The number of IoT devices is expected to reach 75 billion in 2025, which only means that attackers will have a much large pallet of choices. Protecting users’ homes and businesses is the job of an ISP, and the current threat climate underlines the fact that the online world is becoming ever more dangerous.
Bitdefender IoT Security Platform offers peace of mind both to users and ISPs who are looking to keep their customers safe.